[Samba] NT4 Migration -> Samba 3.0.2a + LDAP

Andrew Bartlett abartlet at samba.org
Mon Feb 16 11:05:05 GMT 2004


On Mon, 2004-02-16 at 16:35, Beast wrote:
> * Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > > Hi!
> > > 
> > > How can I maintain users' old NT RIDs while migrating to Samba PDC when they
> > > start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000
> > > so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
> > > Maintaining the old RIDs is essential for migrating on-the-fly, because
> > > re-adding hundreds of computers to domain and losing local user profiles is
> > > not an option.
> 
> 
> The only way to achieve this requirement is to use pwdump on NT PDC.

I don't see how this is relevant.  'net rpc vampire' gets the passwords
very nicely and migrates much more than pwdump.  As I said, in
particular it gets the SIDs right.

> From there you'll get old RID and hashes for machine+useraccount.
> Beware that pwdump sometimes cannot retrieve the hashes, and the hashes for
> a machine are not correct if the machine has been joined for more than x months.
> 
> x = unknown value, maybe 1 or 2.

The issue would no doubt be the same for 'net rpc vampire', as they read
the same password database.

> Thanks for asking, I have similar questions. Is there any (big)
> company that has migrated from NT4 to samba3 (with at least 500 clients)?
> How did they migrate? Build a fresh domain name or use the existing domain
> name? How did they avoid re-joining all clients?
> 
> Anybody here using samba 3 in production with > 500 win clients?

They use 'net rpc vampire', as documented in the HOWTO.  This ensures
that the SIDs are accurate, as are the passwords.  The clients should
not be able to tell the difference (or won't care, once you get the
fundamentals right).

You need to use 'ldapsam' or 'tdbsam', you cannot use smbpasswd.  Both
backends can store arbitrary RIDs, to satisfy exactly this requirement.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
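
Added example, not part of the original message and not Samba code: a small audit that applies the formula quoted in the thread (RID = 2 * UID + 1000) in reverse to a list of NT4 RIDs and flags the accounts that could not keep their RID under that mapping, which is why a backend that stores the RID explicitly is needed. The account names, RIDs and the `min_safe_uid` threshold are constructed assumptions.

```python
# Added illustration: reverse the algorithmic mapping quoted in the thread
# and flag NT4 RIDs that would land on a system UID or have no UID at all.
RID_BASE = 1000  # base value taken from the formula in the thread


def algorithmic_rid(uid):
    """RID that the formula RID = 2 * UID + 1000 assigns to a Unix UID."""
    return 2 * uid + RID_BASE


def uid_for_rid(rid):
    """UID implied by the formula, or None if no UID produces this RID."""
    offset = rid - RID_BASE
    if offset < 0 or offset % 2:
        return None
    return offset // 2


def audit(accounts, min_safe_uid=1000):
    """Classify (name, rid) pairs; min_safe_uid is an assumed threshold
    below which UIDs are treated as reserved for system accounts."""
    findings = []
    for name, rid in accounts:
        uid = uid_for_rid(rid)
        if uid is None:
            status = "unmappable"   # the formula cannot yield this RID
        elif uid < min_safe_uid:
            status = "system-uid"   # e.g. RID 1000 would be root (UID 0)
        else:
            status = "ok"
        findings.append((name, rid, uid, status))
    return findings


# Constructed sample: NT4 user RIDs allocated sequentially from 1000.
SAMPLE = [("alice", 1000), ("bob", 1001), ("carol", 1002), ("dave", 3000)]

if __name__ == "__main__":
    for name, rid, uid, status in audit(SAMPLE):
        print(f"{name:6} rid={rid:5} uid={uid} -> {status}")
```

Any account reported as `system-uid` or `unmappable` needs its RID stored in the account record itself rather than derived from the UID.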