[Samba] Domain merging problems

Magnus Henoch mange at freemail.hu
Tue Nov 2 13:48:25 GMT 2004


The network I'm adminning was until recently physically separated into
two networks, each with a Samba 3 PDC/fileserver, a couple of WinXP
Pro workstations, and about ten users.  I used tdbsam as backend for
both Samba servers.

Recently, the networks were physically joined.  There were no problems
with that, but as one of the servers was ripe for retirement I wanted
to join the two domains into one, letting the other server do
everything.

Thus (here is where you start counting my mistakes) I copied /home and
/var/lib/samba from the old server to a temporary directory on the new
one, and got rid of the old server.  On the new server, I exported the
passdb of the old server to smbpasswd, edited it to avoid UID
conflicts, created the new users, merged the edited smbpasswd file,
untarred the home directories and chowned them.  Then I created
machine accounts for the workstations in the old domain, and joined
them to the domain, and expected everything to work.

It sort of did.  The users of the old domain could log in with their
old passwords, and access their home directories.  However, there were
problems with Word - on startup, it asks twice for the user's name and
initials, and then complains about the assistant not being correctly
installed, which does not happen for the users originally in the new
domain.  They can't access C:\Documents and settings\username, since
the SID recorded in the ACL no longer points to a valid user.  Thus
directories called username.domainname are created instead.

Further, some users have the same SID.  I tried to change that using
pdbedit -u username -U new-sid, but it complained about not finding
the RID in the database.  It worked when I did:

tdbtool passdb.tdb
insert RID_new-sid username\0

first.  I have done this for one user, but it's not the magical
solution I hoped it would be - in the ACL, the user still appears as
OLDDOMAIN\username, and problems with Word persist.  pdbedit -L -v
shows the old domain name in the user record - is there any way to
change that?

All in all, I feel like starting over, wiping the users of the old
domain from the database, recreating them one by one, and changing the
ownership of c:\Documents and settings\* on the workstations.  But I
can't see how I could do that without resetting their passwords, as
pdbedit can't change the hashed passwords directly but requires the
cleartext one.  Is there another way to do that?

Or is there a simpler solution to my problems?

Finally, how would I have done this properly from the beginning?

Magnus
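The UID editing step in the post is where the duplicate SIDs come from: with the classic tdbsam setup, a user without an explicitly stored SID gets an algorithmic RID derived from the Unix UID, so two accounts that end up sharing a UID also share a SID. The script below is an added example written for this thread, not code from the post or from the Samba project. It parses two smbpasswd exports, reports username and UID collisions, assigns fresh UIDs to the colliding old-domain accounts while carrying their LM/NT hashes over untouched (so the passwords survive), and writes the merged file back out. It assumes the classic smbpasswd line layout (name:uid:LM:NT:[flags]:LCT-hex:) and the legacy mapping rid = uid * 2 + 1000; both are stated assumptions, and the sample entries are constructed.

```python
#!/usr/bin/env python3
"""Detect and resolve UID/RID collisions when merging two smbpasswd exports.

Added example for the thread above; not from the original post or Samba.
Assumptions: smbpasswd lines look like name:uid:LM:NT:[flags]:LCT-hex:
and the legacy algorithmic mapping rid = uid * 2 + RID_BASE applies.
"""
from dataclasses import dataclass, replace

RID_BASE = 1000  # assumed legacy 'algorithmic rid base'


@dataclass(frozen=True)
class Entry:
    name: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str
    lct: str

    @property
    def rid(self) -> int:
        """RID a user without a stored SID would receive under the assumed mapping."""
        return self.uid * 2 + RID_BASE


def parse_smbpasswd(text: str) -> list:
    """Parse smbpasswd-format text; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed smbpasswd line: {raw!r}")
        entries.append(Entry(fields[0], int(fields[1]), fields[2],
                             fields[3], fields[4], fields[5]))
    return entries


def find_conflicts(new_domain: list, old_domain: list) -> dict:
    """Old-domain account names that collide with the new domain by name or by UID."""
    names = {e.name for e in new_domain}
    uids = {e.uid for e in new_domain}
    return {
        "name": sorted(e.name for e in old_domain if e.name in names),
        "uid": sorted(e.name for e in old_domain if e.uid in uids),
    }


def remap_uids(new_domain: list, old_domain: list, start: int):
    """Give colliding old-domain accounts the next free UID at or above `start`.

    Hashes are copied unchanged, so no password reset is needed.  Returns the
    rewritten old-domain entries and an {old_uid: new_uid} map for chown work.
    Name collisions are NOT resolved here; they need a human decision.
    """
    used = {e.uid for e in new_domain}
    next_uid, remapped, mapping = start, [], {}
    for e in old_domain:
        if e.uid in used:
            while next_uid in used:
                next_uid += 1
            mapping[e.uid] = next_uid
            e = replace(e, uid=next_uid)
        used.add(e.uid)
        remapped.append(e)
    return remapped, mapping


def to_smbpasswd(entries: list) -> str:
    """Serialise entries back into smbpasswd format."""
    return "".join(f"{e.name}:{e.uid}:{e.lm_hash}:{e.nt_hash}:{e.flags}:{e.lct}:\n"
                   for e in entries)


# Constructed sample data: hashes are dummy hex, not real credentials.
NEW_DOMAIN = parse_smbpasswd(
    "alice:1001:" + "00" * 16 + ":" + "11" * 16 + ":[U          ]:LCT-41000000:\n"
    "bob:1002:" + "00" * 16 + ":" + "22" * 16 + ":[U          ]:LCT-41000000:\n")
OLD_DOMAIN = parse_smbpasswd(
    "carol:1001:" + "00" * 16 + ":" + "33" * 16 + ":[U          ]:LCT-41000000:\n"
    "dave:1005:" + "00" * 16 + ":" + "44" * 16 + ":[U          ]:LCT-41000000:\n"
    "bob:1007:" + "00" * 16 + ":" + "55" * 16 + ":[U          ]:LCT-41000000:\n")

if __name__ == "__main__":
    print("conflicts:", find_conflicts(NEW_DOMAIN, OLD_DOMAIN))
    merged_old, uid_map = remap_uids(NEW_DOMAIN, OLD_DOMAIN, start=2000)
    print("uid remap for chown -R:", uid_map)
    print(to_smbpasswd(NEW_DOMAIN + merged_old), end="")
```

The UID map is the part to keep: every old-domain home directory whose owner was remapped needs a matching chown before the merged file is imported, and the name-collision list ("bob" here) has to be settled by hand, since two different people with the same account name cannot share one passdb entry.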
