[Samba] Creation of Domain- and PDC-SID in samba

John H Terpstra jht at samba.org
Sun Dec 28 22:24:18 GMT 2003


I feel your pain, but just want to comment that I have now completed
chapter 8 of my new book "Samba-3 by Example". This chapter is called,
"Migration from NT4 to Samba-3," and in it I have documented the precise
steps for migration using LDAP ldapsam, as well as using tdbsam.

It all went pretty smoothly.

The key gotchas I found are:

1. You must configure LDAP correctly to start off, and have a clean Samba
install (never started, i.e. no tdb files and no secrets.tdb file).

Note: LDAP should have only the top-level entry, plus the container
entries for People and Groups.

2. You must edit smbldap_conf.pm and smb.conf correctly, then do:
	smbpasswd -w 'LDAP_admin_password'
Note: Have "domain master = No"

3. You must do:
	net rpc getsid -S 'NT4server_name' -W 'Domain'

4. You should then join the domain as a BDC:
	net rpc join -S 'NT4server_name' -UAdministrator%'password'

5. Start Samba

6. Suck off the accounts:
	net rpc vampire -S 'NT4server_name' -UAdministrator%'password'

Of course, the choke-points are getting LDAP to accept all accounts with
both the Posix and SambaSAM entries.

Here is the output from my last Vampire:

<root> # net rpc vampire -S NT4S
Fetching DOMAIN database
Creating account: Administrator
Creating account: Guest
Creating account: NT4S$
Creating account: massive$
Creating account: barryf
Creating account: gdaison
Creating account: atrikhoffer
Creating account: hramsbotham
Creating account: fsellerby
Creating account: jrhapsody
Group members of Domain Admins:
Group members of Domain Users: NT4S$(primary),massive$(primary),
Group members of Domain Guests: nobody(primary),
Group members of rubberboot:
Group members of engineers:
Group members of accounting:
Group members of catalyst:
Group members of shipping:
Group members of receiving:
Group members of marketiod:
Group members of sales:
Fetching BUILTIN database

The errors regarding the SAM_DELTA_DOMAIN_INFO are normal because Samba
does not know how to handle that.

NT4S is the NT4 PDC, MASSIVE is my Samba-3 BDC.

I guess this does not help you, but I did want to clear the air that
Vampire is not that big a monster - at all.

John T.

On Sun, 28 Dec 2003, Craig White wrote:

> On Sun, 2003-12-28 at 09:00, Michael Gasch wrote:
> > hi
> >
> > just a question to understand
> >
> > we have a NT PDC and I successfully transferred its data to samba 3.0
> > because we're cautious I let the NT PDC "online" (domain=evan) and
> > introduced samba with the same data in a new domain (domain=testevan)
> > for testing purposes
> >
> > to get rid of conflicts I had to change the SID of the samba server,
> > because my knowledge tells me: "a SID has to be unique in a network"
> >
> > so I changed the SID to a value different from the evan-SID
> > okay...still, everything is working fine
> >
> > but: isn't there a tool which creates a unique SID for my new
> > (test)domain like sidchanger for NT?
> > because I can't be sure that the SID I entered for the new domain
> > "testevan" is unique
> ---
> I've been struggling with the problem of previous NT PDC and in my case,
> trying to figure out how to keep it online while I ease the transition.
> It appears to me that the 'vampire' tool is a monster, and how you deal
> with it is left to the imagination of the admin.
> Anyway, to answer your question...
> 'net getlocalsid' will tell you your Domain SID
> 'net setlocalsid' will allow you to change it to whatever you want but
> recognize that the accounts created by the 'net rpc vampire' will all
> have the localsid (SID) set by the value that is in your new account
> script, which in my case - was the smbldap_conf.pm YMMV.
> Thus, if you want the users to use your new domain's PDC, they would
> have to have the correct SID.
> Craig

John H Terpstra
Email: jht at samba.org
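The six migration steps above, with the pre-flight checks behind gotchas 1 and 2 turned into a script. This is an added example, not code from the original post or from the Samba project; the private/lock directory path, the LDAP suffix, the NT4 server and domain names and the --demo flag are assumptions. Only the check helpers run offline against constructed sample files; run_migration invokes the real smbpasswd and net commands in the order the post gives and is meant to be called by hand once the checks pass.

```shell
#!/bin/sh
# Pre-flight checks plus the command sequence from the post (smbpasswd -w,
# net rpc getsid, net rpc join, start Samba, net rpc vampire). Added example;
# not from the original post or the Samba project. Paths, the LDAP suffix and
# the NT4 server/domain names are assumptions to adjust for your site.

# Gotcha 1: a clean Samba install means no *.tdb files (secrets.tdb included)
# under the private and lock directories. Succeeds when the directory is
# missing or holds no tdb files at all.
check_clean_install() {
    dir="$1"
    [ -d "$dir" ] || return 0
    found=$(find "$dir" -name '*.tdb' 2>/dev/null | head -n 1)
    [ -z "$found" ]
}

# Gotcha 2: smb.conf must carry "domain master = No" for the BDC role.
# Tolerates case and whitespace variations; succeeds only if the line is present.
check_domain_master_off() {
    conf="$1"
    grep -Ei '^[[:space:]]*domain[[:space:]]+master[[:space:]]*=[[:space:]]*(no|false|0)[[:space:]]*$' "$conf" >/dev/null
}

# Gotcha 1 (LDAP side): before vampire runs the tree should hold only the
# suffix entry plus the People and Groups containers. Reads an LDIF dump
# (e.g. from ldapsearch -x -LLL -b "$suffix" dn) and fails on any other DN.
ldif_is_bare_tree() {
    ldif="$1"; suffix="$2"
    while IFS= read -r line; do
        case "$line" in
            [dD][nN]:*) dn=$(printf '%s' "$line" | sed 's/^[dD][nN]:[[:space:]]*//') ;;
            *) continue ;;
        esac
        case "$dn" in
            "$suffix"|"ou=People,$suffix"|"ou=Groups,$suffix") ;;
            *) return 1 ;;
        esac
    done < "$ldif"
    return 0
}

# Steps 2 to 6 from the post, to run only after every check above has passed.
# Assumed arguments: NT4 PDC name, NT4 domain, LDAP admin password,
# NT4 Administrator password.
run_migration() {
    nt4="$1"; domain="$2"; ldap_pw="$3"; admin_pw="$4"
    smbpasswd -w "$ldap_pw"                             || return 1
    net rpc getsid -S "$nt4" -W "$domain"               || return 1
    net getlocalsid      # show the SID now stored locally; it should be the NT4 domain SID
    net rpc join -S "$nt4" -U "Administrator%$admin_pw" || return 1
    # start Samba here with your distribution's init script, then pull the accounts
    net rpc vampire -S "$nt4" -U "Administrator%$admin_pw"
}

# Builds constructed sample inputs in a temp dir and verifies each helper
# accepts the clean case and rejects the dirty one. Returns 0 if all behave.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/clean" "$tmp/dirty"
    : > "$tmp/dirty/secrets.tdb"
    printf '[global]\n\tworkgroup = EVAN\n\tdomain master = No\n' > "$tmp/good.conf"
    printf '[global]\n\tdomain master = yes\n' > "$tmp/bad.conf"
    printf 'dn: dc=example,dc=com\n\ndn: ou=People,dc=example,dc=com\n\ndn: ou=Groups,dc=example,dc=com\n' > "$tmp/bare.ldif"
    printf 'dn: dc=example,dc=com\n\ndn: uid=barryf,ou=People,dc=example,dc=com\n' > "$tmp/dirty.ldif"
    rc=0
    check_clean_install "$tmp/clean"         || rc=1
    check_clean_install "$tmp/dirty"         && rc=1
    check_domain_master_off "$tmp/good.conf" || rc=1
    check_domain_master_off "$tmp/bad.conf"  && rc=1
    ldif_is_bare_tree "$tmp/bare.ldif"  dc=example,dc=com || rc=1
    ldif_is_bare_tree "$tmp/dirty.ldif" dc=example,dc=com && rc=1
    rm -rf "$tmp"
    return $rc
}

# Usage: sh migrate-preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The three checks correspond to the points where a first vampire run usually goes wrong: a secrets.tdb left over from an earlier start carries a stale SID, a PDC-style smb.conf fights the NT4 PDC for the domain master role, and pre-existing LDAP entries collide with the accounts vampire creates.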
