[Samba] Machine accounts, Samba 3, NT Domain migration

[Beast]

* Andrew Bartlett <abartlet at samba.org> menulis:

> > Well, congratulations.
> > most likely you need to rejoin all of your clients before running
> > rpc vampire.
> > 
> > After this step is complete, you can then login from client to
> > samba  domain without rejoining again.
> 
> You should *never* have to rejoin clients.  Ever.  That is the point
> of a vampired system.  If there are situations where you do have to
> rejoin

Andrew,

I'd loved to be wrong here, but i'm afraid not.

I've just vampiring again using latest smbldap script, but it still
has weird results. Here's the summary, comparing pwdump.exe result vs
rpc vampire:

1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash
on rpc-Vampire, passwd is different.
2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as
LANMANHASH in PWD.
3. No valid hash in PWD (only "****"), but has valid NTHASH in VMP.
4. Valid PWD, valid VMP and both are same.

On rpc-vampire, from total of 638 machine, 448 are only having
NTpassword hash entry.

Is it ok for machine account to have only one hash? (i can not try it
right now because the site is on another city).


> machines, then this is either a bug, or administrator error (such as
> not

Bug in samba or smb-ldap script? where should I report the bug?

> having valid machine accounts in /etc/passwd or equiv).

I'm afraid not. I've sucessfully migrating hundreds machines, so
hopefully I understand what is required ;-) 

> 
> Andrew Bartlett
> 


--beast