[Samba] HELP !!! migrating from win2000 pdc to linux pdc
Phil Dawson
phil.dawson at gedys.co.uk
Wed Mar 16 12:39:28 GMT 2005
Hello,
Second post: first had logs attached but was too big.
I have a test environment with 1 windows 2000 AD domain pdc ( mixed mode
install ), 1 linux server ( to become pdc ) and a win xp box to test logon
when the migration was completed. The problem is no matter what I try
after the migration the win xp's logonserver = windows server not linux
server. I have no idea what is going on here. I've listed the process
for migration just in case I'm doing something wrong.
NB: Initially I had a problem with the migration because machines were not
being created. The problem was due to useradd conforming to the posix
standard and wouldn't allow accounts prefixed with $. Got an interim fix
from RedHat which fixed this problem.
I can log in using
smbclient -L localhost -U% -- anonymous shares available
smbclient -L //linuxpdc/public -U pdawson -- shares available plus home directory
Is there anything obvious I've missed? I've been at this for weeks now
and have no idea what to check next. ( logs are a blur now ).
for the purpose of log entries ( supplied if requested )
Domain: TESTPDC0
Windows 2000: TESTPDC ( 192.168.44.80 )
Linux Server LINUXPDC ( RHES4 ) ( 192.168.44.81 )
WinXP ( 192.168.44.20 ) ( machine name HP96281120913 )
Added linuxpdc and testpdc to /etc/samba/lmhosts
Added linuxpdc and testpdc to our DNS
cleaned groups up with
------ delGrps.sh ------------
net groupmap cleanup
net groupmap delete ntgroup="Print Operators"
net groupmap delete ntgroup="Domain Guests"
net groupmap delete ntgroup="System Operators"
net groupmap delete ntgroup="DnsAdmins"
net groupmap delete ntgroup="Replicator"
net groupmap delete ntgroup="Guests"
net groupmap delete ntgroup="Power Users"
net groupmap delete ntgroup="DnsUpdateProxy"
net groupmap delete ntgroup="Administrators"
net groupmap delete ntgroup="Account Operators"
net groupmap delete ntgroup="Backup Operators"
net groupmap delete ntgroup="Users"
net groupmap delete ntgroup="Domain Users"
net groupmap delete ntgroup="Domain Admins"
net groupmap delete ntgroup="Domain Computers"
net groupmap delete ntgroup="Cert Publishers"
net groupmap delete ntgroup="RAS and IAS Servers"
net groupmap delete ntgroup="Pre-Windows 2000 Compatible Access"
net groupmap delete ntgroup="Group Policy Creator Owners"
net groupmap delete ntgroup="Enterprise Admins"
net groupmap delete ntgroup="Domain Controllers"
net groupmap delete ntgroup="Schema Admins"
net groupmap delete ntgroup="Server Operators"
------ delGrps.sh end ------------
removed secrets.tdb and passwd.tdb
set up smb.conf to be ROLE_DOMAIN_BDC
< testparm showed no errors >
net rpc join -S testpdc -W testpdc0 -UAdministrator%password
< joined the domain ok. checked on the win2000 server and linuxpdc was
listed as a domain controller >
net rpc getsid -S testpdc -W testpdc0
< sid was put into secrets >
net getlocalsid testpdc0
S-1-5-21-705938202-4238141491-2786779978
< showed correct sid >
net getlocalsid
< no sid available so used: >
net setlocalsid S-1-5-21-705938202-4238141491-2786779978
net getlocalsid
S-1-5-21-705938202-4238141491-2786779978
< used initGrps.sh script to add groups >
------- initGrps.sh ----------
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
------- initGrps.sh end ----------
net rpc vampire -S testpdc -U Administrator%password
< no errors>
< list the groups on win 2000 box >
net group -l -S testpdc -U Administrator%password
< list groups on linuxpdc >
net groupmap list
-----------------------------------------
Server Operators (S-1-5-32-549) -> Server Operators
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-514) -> nobody
Enterprise Admins (S-1-5-21-705938202-4238141491-2786779978-519) -> Enterprise Admins
DnsAdmins (S-1-5-21-705938202-4238141491-2786779978-1101) -> DnsAdmins
Domain Controllers (S-1-5-21-705938202-4238141491-2786779978-516) -> Domain Controllers
Administrators (S-1-5-21-705938202-4238141491-2786779978-1007) -> sys
Schema Admins (S-1-5-21-705938202-4238141491-2786779978-518) -> Schema Admins
Replicators (S-1-5-21-705938202-4238141491-2786779978-1019) -> kmem
Replicator (S-1-5-32-552) -> Replicator
Guests (S-1-5-32-546) -> nobody
Group Policy Creator Owners (S-1-5-21-705938202-4238141491-2786779978-520) -> Group Policy Creator Owners
Domain Users (S-1-5-21-705938202-4238141491-2786779978-1201) -> users
Power Users (S-1-5-32-547) -> ntadmin
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-1199) -> nobody
DnsUpdateProxy (S-1-5-21-705938202-4238141491-2786779978-1102) -> DnsUpdateProxy
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> Administrators
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> Pre-Windows 2000 Compatible Access
Account Operators (S-1-5-32-548) -> wheel
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-1001) -> root
Account Operators (S-1-5-21-705938202-4238141491-2786779978-1021) -> wheel
Backup Operators (S-1-5-32-551) -> bin
Users (S-1-5-32-545) -> public
Backup Operators (S-1-5-21-705938202-4238141491-2786779978-1003) -> bin
RAS and IAS Servers (S-1-5-21-705938202-4238141491-2786779978-553) -> RAS and IAS Servers
Print Operators (S-1-5-21-705938202-4238141491-2786779978-1015) -> lp
Domain Users (S-1-5-21-705938202-4238141491-2786779978-513) -> users
System Operators (S-1-5-21-705938202-4238141491-2786779978-1005) -> daemon
Domain Computers (S-1-5-21-705938202-4238141491-2786779978-515) -> Domain Computers
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-512) -> root
Cert Publishers (S-1-5-21-705938202-4238141491-2786779978-517) -> Cert Publishers
-------------------------------------------
< everything seems ok >
< checked users and groups. everything migrated ok. >
< added all imported users to the users group. >
< changed linuxpdc to be domain master >
testparm verified this
< switched off win2000 pdc >
< started smb with: >
service smb start
< switched on win xp box >
< used regedit to change signorseal >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
"RequireSignOrSeal"=dword:00000000
< re-booted xp machine >
< seemed to log in ok >
username: pdawson
password: password
< opened console with cmd >
< run set >
< LOGONSERVER=\\TESTPDC <--- not what I was expecting >
< no drive mapping and logon.bat didn't run >
<<<< had to remove logs ... too big for list. could be supplied on demand >>>>
Regards,
Phil
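
Added example, not part of the original post and not Samba code: a check over "net groupmap list" output like the listing above, reporting NT group names mapped under more than one SID and standard domain groups whose entry does not carry the well-known RID (512 to 516). The names parse_groupmap, audit and SAMPLE are illustrative; the sample entries come from the post's listing, one of them folded across two lines as mail clients do.

```python
import re
from collections import defaultdict

# Well-known domain-relative RIDs of the standard global groups.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514,
                   "Domain Computers": 515, "Domain Controllers": 516}
ENTRY = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+)$")

# Entries from the listing in the post; the second one is folded by the mail client.
SAMPLE = """\
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-514) -> nobody
Domain Controllers (S-1-5-21-705938202-4238141491-2786779978-516) ->
Domain Controllers
Domain Users (S-1-5-21-705938202-4238141491-2786779978-1201) -> users
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-1199) -> nobody
Account Operators (S-1-5-32-548) -> wheel
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-1001) -> root
Account Operators (S-1-5-21-705938202-4238141491-2786779978-1021) -> wheel
Domain Users (S-1-5-21-705938202-4238141491-2786779978-513) -> users
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-512) -> root
"""

def parse_groupmap(text):
    """Return [(ntgroup, sid, unixgroup)]; a line with no SID continues the previous entry."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip("- \t")):
        if "(S-1-" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return [m.group("nt", "sid", "unix") for m in map(ENTRY.match, records) if m]

def audit(entries):
    """Return (names mapped under several SIDs, well-known names on an unexpected RID)."""
    by_name, wrong_rid = defaultdict(list), []
    for nt, sid, unix in entries:
        by_name[nt].append(sid)
        rid = int(sid.rsplit("-", 1)[1])
        # Only domain SIDs (S-1-5-21-...) are compared with the well-known RID table.
        if sid.startswith("S-1-5-21-") and WELL_KNOWN_RIDS.get(nt, rid) != rid:
            wrong_rid.append((nt, rid, unix))
    dupes = {nt: sids for nt, sids in by_name.items() if len(sids) > 1}
    return dupes, wrong_rid

if __name__ == "__main__":
    dupes, wrong_rid = audit(parse_groupmap(SAMPLE))
    for nt, sids in sorted(dupes.items()):
        print(f"{nt}: {len(sids)} SIDs: {', '.join(sids)}")
    for nt, rid, unix in wrong_rid:
        print(f"{nt} -> {unix}: RID {rid}, well-known RID is {WELL_KNOWN_RIDS[nt]}")
```

On a server the text passed to parse_groupmap would be the captured output of net groupmap list instead of SAMPLE.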