[Samba] Can't login to Samba PDC

Craig White craigwhite at azapple.com
Mon Mar 1 16:51:33 GMT 2004

Please keep this on list...

The logical thing to do would be to keep your NT server as the PDC. Set
up samba not to be a domain controller at all but as a member server to
the domain (join that machine to the domain - using password server =
PDC / security = domain and net join ...)

That way, you can create all of the users, join all the machines, set up
roaming profiles (on the 'member' server) and get all ready. Then, when
you are ready, you can do the net rpc vampire command and suck all of
the user accounts/machine accounts/groups into your LDAP.


On Mon, 2004-03-01 at 09:34, Scott Gross wrote:
> I was planning to do each machine manually rather than using scripts to move
> the users as I have to change a lot of things on the user's PC to keep them
> running after I move them to the new domain.  So my intention was to join
> the computer to the new domain, add the user to the Samba domain then
> configure their PC for the new e-mail system and such.  I have to do about
> 100 workstations in many different locations and a slow change over with no
> problems is preferable to a faster one where users might experience
> problems.
> This having been said I'm still having problems that after I join the
> workstation to the new domain I can't login to it.
> > -----Original Message-----
> > From: Craig White [mailto:craigwhite at azapple.com]
> > Sent: Friday, February 27, 2004 9:33 PM
> > To: Scott Gross
> > Cc: samba at lists.samba.org
> > Subject: RE: [Samba] Can't login to Samba PDC
> > 
> > Let's keep this on list - there are a lot brighter people than I am on
> > this stuff...
> > 
> > On Fri, 2004-02-27 at 19:58, Scott Gross wrote:
> > 
> > > 3 - migrate? as in net rpc vampire? - how certain are you that LDAP is
> > > working? Does LDAP handle linux login? Are you logging ldap connections
> > > etc?
> > >
> > > migrate as in move from one to the other.  I'm trying to get the Samba
> > > server running while we're using NT4 and then I will move my users and
> > > workstations to the new domain.  I'm going to move them one machine and
> > > user at a time manually.  Yes, LDAP handles the linux logins as well and
> > > this is working.  I haven't set up the LDAP to log the logins but this is
> > > something I want to do as well.
> > ----
> > OK - I am trying to understand what you are telling me.
> > 
> > I can't possibly envision a scenario that you can make this work -
> > moving one computer and one user over at a time. The computer accounts
> > continually change their passwords.
> > 
> > This is what the net rpc vampire command is designed to do, move the
> > machine accounts, user accounts and group accounts over to new setup
> > while still retaining all the SID structure. It indeed works - I know
> > because I did it.
> > 
> > That is not to say that it is without its problems but it is - the
> > intended method and I learned a long time ago about the benefit to
> > calculate wind direction before I start peeing.
> > 
> > If you really feel as though you have LDAP set up properly - it appears
> > that you have a grasp on it since you can run ldapsearch from command
> > line (I am shocked at the number of people that think they have LDAP
> > running and can't query LDAP), then you really should just slapcat your
> > current setup, dump it, slapadd the stuff you need into LDAP and use the
> > net rpc vampire and suck it all in. You should have no problem getting
> > it to simultaneously add the posixAccount & sambaSamAccount properties -
> > the only things that you may have to reconcile are 1 - existing accounts
> > in posixland that you want to be both posix & samba (perhaps you have
> > overlap and different passwords/uid's) and 2 - It's hard to pull the
> > plug on the existing NT 4 server because it probably has file & print
> > shares that you wanna keep around...try shutting off the netlogon
> > service AFTER - you change the settings in smb.conf to make it PDC like
> > and restarting smbd/nmbd. It will still be mostly functional.
> > 
> > Craig
