[Samba] NT4 Migration -> Samba 3.0.2a + LDAP

Beast indorama at rad.net.id
Mon Feb 16 12:14:10 GMT 2004 

* Andrew Bartlett <abartlet at samba.org> nulis:

> On Mon, 2004-02-16 at 16:35, Beast wrote:
> > * Andrew Bartlett <abartlet at samba.org> nulis:
> > 
> > > On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > > > Hi!
> > > > 
> > > > How can I maintain users old NT RIDs while migrating to Samba PDC when they
> > > > start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000
> > > > so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
> > > > Maintaining the old RIDs is essential for migrating on-the-fly, because
> > > > re-adding hundreds of computers to domain and losing local user profiles is
> > > > not an option.
> > 
> > 
> > The only way to achieve these requirement is to use pwdump on NT PDC.
> 
> I don't see how this is relevant.  'net rpc vampire' gets the passwords
> very nicely and migrates much more than pwdump.  As I said, in
> particular it gets the SIDs right.
> 

OK, Thanks. I'll try it again. Last time vampiring my NT (with samba 3.0.1), the samba password attribute was only filled with 'XXX' (it was from smb-ldaptools i guess)

With pwdump, you get the full control of account creation as well as any necessary attributes. Good if you already has account stored on ldap for another purpose.

> > >From there you'll get old RID and hashes for machine+useraccount.
> > Beware that pwdump sometimes can not retrive the hashes and hashes for machine is not correct if machine is joined more than x months.
> > 
> > x = unknown value, maybe 1 or 2.
> 
> The issue would no doubt be the same for 'net rpc vampire', as they read
> the same password database.
> 

Last week migrating my smallest site with 60+ pc clients, only 1 (one) machine which is joined recently is able to login, other need to rejoin to NT domain and then obtain the new machine password with pwdump.
Random sample from other site which machine was joined more than 6 months old get same results.
It was strange, renaming machine name won't change the password also. So far I've found no problem with account password. 
Bugs or expected behaviour?

> You need to use 'ldapsam' or 'tdbsam', you cannot use smbpasswd.  Both
> backends can store arbitrary RIDs, to satisfy exactly this requirement.
> 

I use ldapsam only.

> Andrew Bartlett

Tks.

--beast

More information about the samba mailing list