[Samba] Migrating NT4 Domain with Idealx tools

Paul Coray paul.coray at unibas.ch
Sat Nov 13 11:23:30 GMT 2004

Marcel de Riedmatten wrote:
> On Tue 09/11/2004 at 17:57, Paul Coray wrote:
>>Hi all
>>For several days I've been doing tests for our upcoming migration from 
>>an NT domain to Samba PDC with ldapsam. We have ~200 clients, mostly NT4 
>>and some Win2k. We want all of our users to eventually switch from Windows 
>>to KDE on Linux with thin clients through NX :-)
>>I managed to net rpc vampire all user and machine accounts into LDAP, 
>>but then I realized some problems:
>>- The migrated machine accounts have no samba attributes. I can 
>>reproduce this behavior adding a machine account doing smbldap-useradd 
>>-w [machinename], just as in the 'add machine script' line in smb.conf 
>>suggested by Idealx. The machine account machinename$ will exist then, 
>>but without sambaSAMAccount object class nor any other samba attribute. 
>>Only after adding these by hand and joining the machine to my samba 
>>domain, users can login. I tried also using smbldap-useradd with 
>>multiple options, -w for workstation account and -a for samba 
>>attributes, but no luck. I wish I didn't have to add 200 machines to an 
>>already existing domain after the migration...
> This doesn't seem normal.  The samba attribute should be added by the
> vampire.

But in my case it doesn't... net rpc vampire says 'Couldn't create Posix 
information for machinename$'. Well in reality, it did, but without 
samba attrs.

Now I realize this works when I configure LDAP and Idealx-Tools to store 
machine accounts in the same container as useraccounts. Although this 
makes my directory look somewhat messy, I can live with it if I have to. 
Still I can't add machines doing smbldap-useradd -w, nor when I try to 
join the domain from a client.

> So I would suspect some problem in the communication with the
> PDC and double check that on the samba box 
> 1) you have the domain SID as local SID

Do SIDs for the PDC and for the domain have to be the same?

> 2) you have joined the domain as BDC
> 3) you can see the attribute with net samdump 
>>- Users, once logged in to Linux, cannot change their password with 
>>smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm 
>>talking about a logged in user...
> At distance this is a hard guess. I suggest that you look at the ldap
> log to get an idea what happened. 
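An added check for the first symptom in this thread (machine accounts whose uid ends in `$` but which carry no sambaSamAccount object class, so domain logon from them fails). This is example code, not part of the original mail or the Idealx tools; the base DN and the sample LDIF are constructed, and in real use the sample would be replaced by ldapsearch output.

```shell
#!/bin/sh
# Constructed sample LDIF standing in for the output of
#   ldapsearch -x -LLL -b "ou=Computers,dc=example,dc=org" "(uid=*$)" objectClass sambaSID
# (the base DN is an assumption). ws01$ is a machine account created without
# samba attributes; ws02$ is a correctly populated one.
SAMPLE_LDIF='dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ws01$

dn: uid=ws02$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
sambaSID: S-1-5-21-1-2-3-1001
'

# Read LDIF on stdin and print the uid of every machine account (uid ending
# in "$") that has no sambaSamAccount object class. LDAP attribute names and
# object class names are case-insensitive, so the match is lower-cased.
missing_samba_attrs() {
    awk '
        /^dn:/ { uid = ""; samba = 0 }
        /^uid: .*\$$/ { uid = $2 }
        tolower($0) ~ /^objectclass: sambasamaccount$/ { samba = 1 }
        /^$/ { if (uid != "" && !samba) print uid; uid = ""; samba = 0 }
        END { if (uid != "" && !samba) print uid }
    '
}

# Demo on the constructed sample: prints the accounts that need fixing.
printf '%s\n' "$SAMPLE_LDIF" | missing_samba_attrs
```

Any uid printed is an account that will exist for POSIX purposes but not for Samba, which is exactly the state the mail describes after net rpc vampire or smbldap-useradd -w.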

