Ref.: Re: [Samba] Net rpc vampire : NT_STATUS_ACCESS_DENIED

Ganael LAPLANCHE ganael.laplanche at edfgdf.fr
Tue Sep 2 09:09:59 GMT 2003

Hi all,

Thank you for your help, and sorry for my late answer.
Everything works fine now!

Yes, you have to become a BDC to vampire the accounts! This is why I was
getting an "Access denied" error:
I thought my Samba was a BDC, but I forgot to add "domain logons = Yes" in
my smb.conf, so Samba was a simple share server.

Here are the steps I followed to suck the accounts:

1 - smb.conf extract :

; low OS level
os level = 40
domain logons = Yes
domain master = No
local master = No

; Undocumented : this is compulsory to allow Samba to create Unix accounts on the Samba server
; Created in two groups : samba and machines
add machine script = /usr/sbin/useradd -g machines -c "Samba Machine" -d /dev/null -s /bin/false '%u'
add user script = /usr/sbin/useradd -g samba -c "Samba User" -d /dev/null -s /bin/false '%u'
add group script = /usr/sbin/groupadd '%g'
add user to group script = /usr/sbin/usermod -G `/usr/bin/id -G '%u' | /bin/sed 's/ /,/g'`,'%g' '%u'

2 - Testparm should report : ROLE_DOMAIN_BDC
3 - Add an account for the Samba machine on the NT4 station (via server
4 - Start Samba
5 - Join the domain : net rpc join -S <nt4 machine's netbios name> -w <domain name> -U Administrator
(the samba machine should appear as a BDC on the NT4 server manager)
6 - Vampire : net rpc vampire -S <nt4 machine's netbios name> -U

Everything should be okay, except that Samba won't be able to create system
accounts for compound names and names with accents.
You'll have to modify system group names on the NT4 server BEFORE sucking
them, with a tool such as ultraadmin (http://www.doriansoft.com/ultraadmin/).

After having vampired your victims, you'll be able to see them zombiing in
your Unix box with :
System :
- getent passwd
- getent group
Samba :
- pdbedit -L
Shows the groups/users/machines accounts you've just imported.

If you try : net groupmap list
you'll see every group has correctly been mapped.

Thanks to your answers and to :

Good luck,

Sent by: samba-bounces+ganael.laplanche=edf.fr at lists.samba.org

To: akohlsmith-samba at benshaw.com
cc: samba at lists.samba.org
Subject: Re: [Samba] Net rpc vampire : NT_STATUS_ACCESS_DENIED

On Fri, Aug 29, 2003 at 02:11:13PM -0400, Andrew Kohlsmith wrote:
> > Did you set the domain sid on the Samba box?  This
> > must match the NT4 domain SID if you are going
> > to be recognized as a BDC.
> I thought it wasn't possible to have samba be the BDC for an NT4 PDC??

Things change in Samba3.0. You need to join as a BDC in order
to vampire out all the account info to take over as PDC.
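
Added example, not part of the original message or of Samba: a pre-flight check that reads the [global] section of an smb.conf and predicts the role testparm should report, so the missing "domain logons" case described above is caught before "net rpc vampire" returns NT_STATUS_ACCESS_DENIED. The function names and sample files are constructed for illustration; it assumes "security = user", and the PDC branch is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the post): predict Samba's server role from the
# [global] section of smb.conf. Assumes "security = user".

# Print the last value of parameter $2 in [global] of file $1. smb.conf
# names ignore case and embedded spaces; ';' and '#' start comment lines.
smb_global_param() {
    awk -v want="$2" '
        function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        BEGIN { want = norm(want) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s)
                      sect = norm(s); next }
        sect == "global" && (eq = index($0, "=")) {
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(substr($0, 1, eq - 1)) == want) found = val
        }
        END { print found }' "$1"
}

# Normalise value $1 (or default $2 when unset) to yes, no or auto.
smb_bool() {
    case "$(printf '%s' "${1:-$2}" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo yes ;;
        no|false|0) echo no ;;
        *) echo auto ;;
    esac
}

predict_role() {
    logons=$(smb_bool "$(smb_global_param "$1" 'domain logons')" no)
    master=$(smb_bool "$(smb_global_param "$1" 'domain master')" auto)
    if [ "$logons" != yes ]; then
        echo ROLE_STANDALONE    # the "simple share server" case from the post
    elif [ "$master" = no ]; then
        echo ROLE_DOMAIN_BDC    # what step 2 expects before joining
    else
        echo ROLE_DOMAIN_PDC    # assumption: domain master yes or default
    fi
}

# Constructed samples: the post's extract with and without "domain logons".
demo_dir=$(mktemp -d)
printf '[global]\n; low OS level\nos level = 40\nDomain Logons = Yes\ndomain master = No\nlocal master = No\n' > "$demo_dir/bdc.conf"
printf '[global]\nos level = 40\ndomain master = No\nlocal master = No\n' > "$demo_dir/share.conf"
for f in bdc share; do
    echo "$f.conf: $(predict_role "$demo_dir/$f.conf")"
done
```

testparm remains the authoritative check; this only flags the configuration mistake before the join is attempted.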
