[Samba] Smbldap tools blocks when using net rpc vampire to migrate accounts from the NT4 PDC to the SambaLdap BDC

Lionel Beard lionel.beard at oktal.fr
Tue Aug 10 15:34:30 GMT 2004


Ioan Caltun wrote:
> Hello,
>
> I am trying to migrate an NT4 PDC server to a Linux PDC Samba3.0+openLDAP backend.
>
> I have followed all the instructions in the Samba manual "The Linux Samba-openLDAP How to V.1.6".
>
> However my efforts are in vain when I have to use net rpc. It hangs up and I'm trying to find out why...
>
> So.. Here is what I did:
>
> [2004/08/06 17:17:06, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
>   ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))]
> [2004/08/06 17:17:06, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
>   ldapsam_search_one_group: Problem during the LDAP search: LDAP error:(No such object)ldapsam_search_one_group: Query was: ou=Groups, (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))
> Creating unix group: 'Admins du domaine'
>
> Here is a question... here, in the search it uses SID sambaSID=S-1-5-21-375199814-1253531362-1423778804-512
>
> However, in smbldap.conf, the SID I obtained after
>
> net rpc getlocalsid -S servpdc
>
> is
>
> SID="S-1-5-21-375199814-1253531362-1423778804"

It's normal. It appends "512" to your domain SID, which is the RID of
the group "Domain Admins" (Admins du domaine).

I think your problem comes from group mapping. Do you map all your
Windows groups (defined in your NT4 domain) to Unix groups with the
command "net groupmap"?
(e.g., for "Domain Admins":
net groupmap add sid=S-1-5-21-375199814-1253531362-1423778804-512
unixgroup="Admins du domaine"
with "Admins du domaine" defined in the /etc/group of your new Samba
server... NB: maybe you have to replace the spaces in "Admins du domaine" by
=20 in /etc/group = admins=20du=20domaine)


Another point. I saw you use 'smbldap-useradd -w "%u"' for the add machine
script. If you are not able to log in from a Windows workstation after
the migration (with a 'Workstation XX no account in domain' error), the only
way I found to bypass this error is to remove the -w from the script
command line. Problem: by doing this, Samba puts the computer account in
"Users" instead of "Computers" in LDAP. A little bit annoying...
Maybe someone knows how to avoid this problem...

Regards,
Lionel Beard
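As an added illustration of the explanation above (not code from the thread or from Samba): a small POSIX sh helper that pulls the sambaSID out of a pdb_ldap log line, splits it into domain SID and RID, checks the domain part against the SID expected in smbldap.conf, and prints the matching "net groupmap add" command instead of running it. The Unix group name for RID 513 is an assumption; only 512 ("Admins du domaine") comes from the thread.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba.
# Domain SID as reported by "net rpc getlocalsid" in the thread.
DOMAIN_SID="S-1-5-21-375199814-1253531362-1423778804"

# Extract the sambaSID=... value from one pdb_ldap.c log line.
sid_from_log_line() {
    printf '%s\n' "$1" | sed -n 's/.*sambaSID=\(S-[0-9-]*\).*/\1/p'
}

# Everything before the last '-' is the domain SID.
domain_of_sid() {
    printf '%s\n' "${1%-*}"
}

# Everything after the last '-' is the RID (512 = Domain Admins).
rid_of_sid() {
    printf '%s\n' "${1##*-}"
}

# Well-known RID -> Unix group name in /etc/group.
# 512 is from the thread; 513 is an assumed name for Domain Users.
unix_group_for_rid() {
    case "$1" in
        512) printf '%s\n' "Admins du domaine" ;;
        513) printf '%s\n' "Utilisateurs du domaine" ;;
        *)   return 1 ;;
    esac
}

# Print the "net groupmap add" command for a group SID, or fail when the
# domain part does not match DOMAIN_SID (a mismatch means the BDC is using
# a different SID than the one in smbldap.conf) or the RID is unknown.
groupmap_cmd_for_sid() {
    sid="$1"
    dom=$(domain_of_sid "$sid")
    rid=$(rid_of_sid "$sid")
    if [ "$dom" != "$DOMAIN_SID" ]; then
        printf 'domain SID mismatch: %s vs %s\n' "$dom" "$DOMAIN_SID" >&2
        return 1
    fi
    grp=$(unix_group_for_rid "$rid") || { printf 'unknown RID %s\n' "$rid" >&2; return 1; }
    printf 'net groupmap add sid=%s unixgroup="%s"\n' "$sid" "$grp"
}
```

Feed it the "searching for:" line from the log and run the printed command once the Unix group exists in /etc/group.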