[Samba] Migrating from a WinNT 4 PDC to Samba 3 PDC Troubles

Nathaniel Grier nathanielgrier at mabtrans.com
Tue Jul 13 16:27:32 GMT 2004


Craig,

Following your response as well as your response to Eric, I've tried
changing a few things in my config as well as the order of the steps.
Unfortunately I'm still having problems. Clearing my .tdbs (w/o Samba
running) I've done:
* net rpc setsid -S MABSERVE1 -W MAB -UAdministrator%secret (and the SID
shows up in secrets.tdb).
* net rpc join -S MABSERVE1 -W MAB -UAdministrator%secret (and the machine
successfully adds to the domain; looking at secrets.tdb we have a number of
things including the domain SID and the Machine trust account hash)
* If I then run net rpc vampire -S MABSERVE1 -UAdministrator%secret -d 4 I
get the following (clipped following the parsing of the smb.conf) output:

[2004/07/13 11:56:30, 4] param/loadparm.c:lp_load(3917)
  pm_process() returned Yes
[2004/07/13 11:56:30, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.1.251 bcast=192.168.1.255 nmask=255.255.255.0
[2004/07/13 11:56:30, 3] libsmb/namequery.c:resolve_lmhosts(857)
  resolve_lmhosts: Attempting lmhosts lookup for name MABSERVE1<0x20>
[2004/07/13 11:56:30, 4] libsmb/namequery.c:startlmhosts(547)
  startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
[2004/07/13 11:56:30, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: Attempting wins lookup for name MABSERVE1<0x20>
[2004/07/13 11:56:30, 3] libsmb/namequery.c:resolve_wins(758)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2004/07/13 11:56:30, 3] libsmb/namequery.c:resolve_hosts(902)
  resolve_hosts: Attempting host lookup for name MABSERVE1<0x20>
[2004/07/13 11:56:31, 3] libsmb/namequery.c:name_resolve_bcast(697)
  name_resolve_bcast: Attempting broadcast lookup for name MABSERVE1<0x20>
[2004/07/13 11:56:31, 4] libsmb/nmblib.c:debug_nmb_packet(109)
  nmb packet from 192.168.1.253(137) header: id=30028 opcode=Query(0) response=Yes
      header: flags: bcast=No rec_avail=No rec_des=Yes trunc=No auth=Yes
      header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
      answers: nmb_name=MABSERVE1<20> rr_type=32 rr_class=1 ttl=300000
      answers   0 char `.....   hex 6000C0A801FD
[2004/07/13 11:56:31, 2] libsmb/namequery.c:name_query(491)
  Got a positive name query response from 192.168.1.253 ( 192.168.1.253 )
[2004/07/13 11:56:31, 3] libsmb/cliconnect.c:cli_start_connection(1373)
  Connecting to host=MABSERVE1
[2004/07/13 11:56:31, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 192.168.1.253 at port 445
[2004/07/13 11:56:31, 2] lib/util_sock.c:open_socket_out(772)
  error connecting to 192.168.1.253:445 (Connection refused)
[2004/07/13 11:56:31, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 192.168.1.253 at port 139
[2004/07/13 11:56:31, 4] lib/time.c:get_serverzone(122)
  Serverzone is 14400
Cannot import users from MAB at this time, as the current domain:
        MABSERVE3: S-1-5-21-763135753-2099275703-424145120
conflicts with the remote domain
        MAB: S-1-5-21-1430529950-745024717-1233803906
Perhaps you need to set: 

        security=user
        workgroup=MAB

 in your smb.conf?
[2004/07/13 11:56:31, 1] utils/net_rpc.c:run_rpc_command(141)
  rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
[2004/07/13 11:56:31, 2] utils/net.c:main(792)
  return code = 1

* If I run net setlocalsid S-1-5-21-1430529950-745024717-1233803906 and then
net rpc vampire -S MABSERVE1 -UAdministrator%secret -d 4 I get the
following output (again starting after processing of smb.conf; also I've x'd
out the challenge/response strings):
[2004/07/13 11:58:41, 4] param/loadparm.c:lp_load(3917)
  pm_process() returned Yes
[2004/07/13 11:58:41, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.1.251 bcast=192.168.1.255 nmask=255.255.255.0
[2004/07/13 11:58:41, 3] libsmb/cliconnect.c:cli_start_connection(1373)
  Connecting to host=MABSERVE1
[2004/07/13 11:58:41, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 192.168.1.253 at port 445
[2004/07/13 11:58:41, 2] lib/util_sock.c:open_socket_out(772)
  error connecting to 192.168.1.253:445 (Connection refused)
[2004/07/13 11:58:41, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 192.168.1.253 at port 139
[2004/07/13 11:58:41, 4] lib/time.c:get_serverzone(122)
  Serverzone is 14400
[2004/07/13 11:58:41, 4] passdb/secrets.c:secrets_fetch_trust_account_password(260)
  Using cleartext machine password
[2004/07/13 11:58:41, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(45)
  cli_net_req_chal: LSA Request Challenge from MABSERVE3 to MABSERVE1: XXXXXXXXXXXX
[2004/07/13 11:58:41, 4] libsmb/credentials.c:cred_session_key(59)
  cred_session_key
[2004/07/13 11:58:41, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2004/07/13 11:58:41, 4] rpc_client/cli_netlogon.c:cli_net_auth2(102)
  cli_net_auth2: srv:\\MABSERVE1 acct:MABSERVE3$ sc:2 mc: MABSERVE3 chal XXXXXXXXXXXX neg: XXXXXXXX
[2004/07/13 11:58:41, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2004/07/13 11:58:41, 4] libsmb/credentials.c:cred_assert(121)
  cred_assert
Fetching DOMAIN database
[2004/07/13 11:58:41, 4] libsmb/credentials.c:cred_create(90)
  cred_create
Failed to fetch domain database: NT_STATUS_ACCESS_DENIED
[2004/07/13 11:58:41, 1] utils/net_rpc.c:run_rpc_command(141)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2004/07/13 11:58:41, 2] utils/net.c:main(792)
  return code = 1

* Also, following the first call to net rpc vampire, the secrets.tdb file is
updated with the randomly generated SID for the local machine.

Relevant pieces from the smb.conf follow:

[global]
        security = domain
        workgroup = MAB
        netbios name = MABSERVE3
        preferred master = Yes
        domain master = No

Any suggestions would be greatly appreciated! Thanks.

Nathaniel Grier

-----Original Message-----
From: Craig White [mailto:craigwhite at azapple.com] 
Sent: Tuesday, July 13, 2004 1:48 AM
To: Nathaniel Grier
Cc: samba at lists.samba.org
Subject: Re: [Samba] Migrating from a WinNT 4 PDC to Samba 3 PDC Troubles

On Mon, 2004-07-12 at 21:35, Nathaniel Grier wrote:
> Hi,
> 
> I've been in the process of attempting a transition from our current NT 4.0
> PDC to Samba 3.0.4 on linux (Debian running the 2.4.18 kernel). I can get 
> the smbd/nmbd up and running just fine and configure them by hand or with 
> SWAT and the changes are saved.
> 
> I've been following the HOWTO's and get stuck at the net rpc vampire step:
> I am able to join the linux machine, call it SERVER2, successfully to the 
> domain, DOM. However, when I call 'net rpc vampire -S SERVER1 -U 
> Administrator%secret' I get the error that my current domain and that of 
> the server are incompatible:
> Your current domain SERVER2 (SID:xxxx) does not match the server's domain 
> DOM (SID:xxx).
> 
> (Sorry, I'm paraphrasing the error output as I'm at home and don't have it
> in front of me, but it's quite straightforward and contains no more useful
> information than that.)
> So even though it says that I've joined the domain DOM, it still thinks I'm 
> in some domain with the name of the machine SERVER2. I've checked (as per 
> the error message) that the smb.conf has the
> workgroup = DOM
> security = user
> 
> Also, if I run pdbedit -Lv it reports that the current domain is SERVER2 
> rather than DOM. Running net rpc setsid DOM simply adds the SID of the 
> domain to secrets.tdb but doesn't switch its insistence of SERVER2 being 
> the domain rather than DOM. A call to net rpc testjoin says things are AOK
> & that I'm in the domain DOM. Running net setlocalsid SERVER2 SID of DOM 
> changes the SID of the SERVER2 domain to be the same as that of DOM, but 
> just causes authentication errors when running net rpc vampire as it still
> thinks that the domains have different names.
> 
> Any suggestions as to how to resolve this problem would be most 
> appreciated. I'm guessing a way to simply reset the name of the domain it 
> thinks it's in would work, but having not worked much with 3.0, I'm not 
> sure. (I've used 2.2, but it's been a while since I've set one up and not 
> in as large a network environment.)
----
Before running the net rpc vampire command you need to set samba up as if it
were a BDC and join the domain.

BDC looks something like this...
security = domain
domain master = yes
preferred master = no

smbpasswd -j DOMAIN -r PDC_OF_DOMAIN -U Administrator%password
net setlocalsid SID
where SID is the SID of the existing NT4 domain but possibly the net rpc
vampire sucks that in (I don't remember)

Hope this helps

Craig
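
A small triage helper for the `net rpc vampire -d 4` output quoted in this message, added here as an example and not part of the original thread. It groups Samba debug lines into entries, extracts the local and remote domain name/SID pairs from the conflict message, and collects NT_STATUS codes logged at debug level 1 or lower; the function names are this example's own and the sample is an excerpt of the first run above.

```python
import re

# Excerpt of the first `net rpc vampire -d 4` run quoted in the message above.
SAMPLE = """\
[2004/07/13 11:56:31, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 192.168.1.253 at port 139
[2004/07/13 11:56:31, 4] lib/time.c:get_serverzone(122)
  Serverzone is 14400
Cannot import users from MAB at this time, as the current domain:
        MABSERVE3: S-1-5-21-763135753-2099275703-424145120
conflicts with the remote domain
        MAB: S-1-5-21-1430529950-745024717-1233803906
[2004/07/13 11:56:31, 1] utils/net_rpc.c:run_rpc_command(141)
  rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
[2004/07/13 11:56:31, 2] utils/net.c:main(792)
  return code = 1
"""

HEADER = re.compile(r"^\[(\S+ \S+), *(\d+)\] (\S+)\((\d+)\)$")
CONFLICT = re.compile(r"current domain:\s+(\S+): (S-[\d-]+)\s+"
                      r"conflicts with the remote domain\s+(\S+): (S-[\d-]+)")
NT_STATUS = re.compile(r"NT_STATUS_[A-Z_]+")

def parse_entries(text):
    """Group log lines into entries. A line without a debug header (plain tool
    output) starts an entry with level None; indented lines continue the entry before them."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m[1], "level": int(m[2]), "where": m[3], "text": ""})
        elif line[:1].isspace() and entries:
            entries[-1]["text"] += line.strip() + "\n"
        elif line.strip():
            entries.append({"time": None, "level": None, "where": None, "text": line + "\n"})
    return entries

def triage(text):
    """Return the domain SID conflict (if any) and NT_STATUS codes at level <= 1."""
    entries = parse_entries(text)
    plain = "".join(e["text"] for e in entries if e["level"] is None)
    m = CONFLICT.search(plain)
    conflict = {"local": (m[1], m[2]), "remote": (m[3], m[4])} if m else None
    failures = [s for e in entries if e["level"] is not None and e["level"] <= 1
                for s in NT_STATUS.findall(e["text"])]
    return {"conflict": conflict, "failures": failures}
```

On the sample, the conflict shows a local domain named after the machine (MABSERVE3) rather than the workgroup (MAB), which is the mismatch the tool reports.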




