[Samba] HELP !!! migrating from win2000 pdc to linux pdc

John H Terpstra jht at samba.org
Wed Mar 16 14:54:41 GMT 2005


Phil,

After migrating the domain data did you change the role of the Samba server to 
PDC?

In your smb.conf you need to set in [global]:

	domain master = Yes

Then run 'testparm' to validate your settings.

- John T.

On Wednesday 16 March 2005 05:39, Phil Dawson wrote:
> Hello,
>
> Second post: first had logs attached but was too big.
>
> I have a test environment with 1 windows 2000 AD domain pdc ( mixed mode
> install ), 1 linux server ( to become pdc ) and a win xp box to test logon
> when the migration was completed.  The problem is no matter what I try
> after the migration the win xp's logonserver = windows server not linux
> server.  I have no idea what is going on here.  I've listed the process
> for migration just in case I'm doing something wrong.
>
> NB: Initially I had a problem with the migration because machines were not
> being created.  The problem was due to useradd conforming to the posix
> standard and wouldn't allow accounts prefixed with $.  Got an interim fix
> from RedHat which fixed this problem.
>
> I can log in using
>
> smbclient -L localhost -U% -- anonymous shares available
> smbclient -L //linuxpdc/public -U pdawson -- shares available plus home
> directory
>
>
>
> Is there anything obvious I've missed?  I've been at this for weeks now
> and have no idea what to check next. ( logs are a blur now ).
>
>
> for the purpose of log entries ( supplied if requested )
>
> Domain: TESTPDC0
> Windows 2000:   TESTPDC                 ( 192.168.44.80 )
> Linux Server    LINUXPDC   ( RHES4 )            ( 192.168.44.81 )
> WinXP                                           ( 192.168.44.20 ) (
> machine name HP96281120913 )
>
>
> Added linuxpdc and testpdc to /etc/samba/lmhosts
> Added linuxpdc and testpdc to our DNS
>
>
> cleaned groups up with
>
> ------ delGrps.sh ------------
>
> net groupmap cleanup
> net groupmap delete ntgroup="Print Operators"
> net groupmap delete ntgroup="Domain Guests"
> net groupmap delete ntgroup="System Operators"
> net groupmap delete ntgroup="DnsAdmins"
> net groupmap delete ntgroup="Replicator"
> net groupmap delete ntgroup="Guests"
> net groupmap delete ntgroup="Power Users"
> net groupmap delete ntgroup="DnsUpdateProxy"
> net groupmap delete ntgroup="Administrators"
> net groupmap delete ntgroup="Account Operators"
> net groupmap delete ntgroup="Backup Operators"
> net groupmap delete ntgroup="Users"
> net groupmap delete ntgroup="Domain Users"
> net groupmap delete ntgroup="Domain Admins"
> net groupmap delete ntgroup="Domain Computers"
> net groupmap delete ntgroup="Cert Publishers"
> net groupmap delete ntgroup="RAS and IAS Servers"
> net groupmap delete ntgroup="Pre-Windows 2000 Compatible Access"
> net groupmap delete ntgroup="Group Policy Creator Owners"
> net groupmap delete ntgroup="Enterprise Admins"
> net groupmap delete ntgroup="Domain Controllers"
> net groupmap delete ntgroup="Schema Admins"
> net groupmap delete ntgroup="Server Operators"
>
> ------ delGrps.sh end ------------
>
>
> removed secrets.tdb and passwd.tdb
>
> set up smb.conf to be ROLE_DOMAIN_BDC
>
> < testparm showed no errors >
>
> net rpc join -S testpdc -W testpdc0 -UAdministrator%password
>
> < joined the domain ok.  checked on the win2000 server and linuxpdc was
> listed as a domain controller >
>
> net rpc getsid -S testpdc -W testpdc0
>
> < sid was put into secrets >
>
> net getlocalsid testpdc0
>
> S-1-5-21-705938202-4238141491-2786779978
>
> < showed correct sid >
>
> net getlocalsid
>
> < no sid available so used: >
>
> net setlocalsid S-1-5-21-705938202-4238141491-2786779978
>
> net getlocalsid
>
> S-1-5-21-705938202-4238141491-2786779978
>
> < used initGrps.sh script to add groups >
>
> ------- initGrps.sh ----------
>
> net groupmap modify ntgroup="Domain Admins" unixgroup=root
> net groupmap modify ntgroup="Domain Users" unixgroup=users
> net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
>
> ------- initGrps.sh end ----------
>
> net rpc vampire -S testpdc -U Administrator%password
>
> < no errors>
>
> < list the groups on win 2000 box >
>
> net group -l -S testpdc -U Administrator%password
>
> < list groups on linuxpdc >
>
> net groupmap list
>
>
> -----------------------------------------
>
> Server Operators (S-1-5-32-549) -> Server Operators
> Domain Guests (S-1-5-21-705938202-4238141491-2786779978-514) -> nobody
> Enterprise Admins (S-1-5-21-705938202-4238141491-2786779978-519) ->
> Enterprise Admins
> DnsAdmins (S-1-5-21-705938202-4238141491-2786779978-1101) -> DnsAdmins
> Domain Controllers (S-1-5-21-705938202-4238141491-2786779978-516) ->
> Domain Controllers
> Administrators (S-1-5-21-705938202-4238141491-2786779978-1007) -> sys
> Schema Admins (S-1-5-21-705938202-4238141491-2786779978-518) -> Schema
> Admins
> Replicators (S-1-5-21-705938202-4238141491-2786779978-1019) -> kmem
> Replicator (S-1-5-32-552) -> Replicator
> Guests (S-1-5-32-546) -> nobody
> Group Policy Creator Owners (S-1-5-21-705938202-4238141491-2786779978-520)
> -> Group Policy Creator Owners
> Domain Users (S-1-5-21-705938202-4238141491-2786779978-1201) -> users
> Power Users (S-1-5-32-547) -> ntadmin
> Domain Guests (S-1-5-21-705938202-4238141491-2786779978-1199) -> nobody
> DnsUpdateProxy (S-1-5-21-705938202-4238141491-2786779978-1102) ->
> DnsUpdateProxy
> Print Operators (S-1-5-32-550) -> lp
> Administrators (S-1-5-32-544) -> Administrators
> Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> Pre-Windows 2000
> Compatible Access
> Account Operators (S-1-5-32-548) -> wheel
> Domain Admins (S-1-5-21-705938202-4238141491-2786779978-1001) -> root
> Account Operators (S-1-5-21-705938202-4238141491-2786779978-1021) -> wheel
> Backup Operators (S-1-5-32-551) -> bin
> Users (S-1-5-32-545) -> public
> Backup Operators (S-1-5-21-705938202-4238141491-2786779978-1003) -> bin
> RAS and IAS Servers (S-1-5-21-705938202-4238141491-2786779978-553) -> RAS
> and IAS Servers
> Print Operators (S-1-5-21-705938202-4238141491-2786779978-1015) -> lp
> Domain Users (S-1-5-21-705938202-4238141491-2786779978-513) -> users
> System Operators (S-1-5-21-705938202-4238141491-2786779978-1005) -> daemon
> Domain Computers (S-1-5-21-705938202-4238141491-2786779978-515) -> Domain
> Computers
> Domain Admins (S-1-5-21-705938202-4238141491-2786779978-512) -> root
> Cert Publishers (S-1-5-21-705938202-4238141491-2786779978-517) -> Cert
> Publishers
>
>
> -------------------------------------------
>
>
>
> < everything seems ok >
>
> < checked users and groups.  everything migrated ok. >
>
> < added all imported users to the users group. >
>
> < changed linuxpdc to be domain master >
>
> testparm verified this
>
> < switched off win2000 pdc >
>
> < started smb with: >
>
> service smb start
>
> < switched on win xp box >
>
> < used regedit to change signorseal >
>
>  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
> "RequireSignOrSeal"=dword:00000000
>
> < re-booted xp machine >
>
> < seemed to log in ok >
>
> username: pdawson
> password: password
>
> < opened console with cmd >
>
> < run set >
>
> < LOGONSERVER=\\TESTPDC     <--- not what I was expecting >
>
> < no drive mapping and logon.bat didn't run >
>
>
>
>
>
> <<<< had to remove logs ... too big for list.  could be supplied on demand
>
>
>
>
> Regards,
>
> Phil

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
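
The role check behind the reply above, as an added example that is not part of the original message or of Samba's own code: a script that reads `domain logons` and `domain master` from [global] and names the role a Samba 3 server would take. It assumes `security = user`, the function names are hypothetical, and treating an unset `domain master` (auto) as a master is an assumption noted in the code.

```shell
#!/bin/sh
# Added example (not from the thread): estimate the role Samba 3 derives from
# [global] when "security = user". testparm's "Server role:" line is authoritative.

# Print the last value of parameter $2 in [global] of file $1, lower-cased.
global_param() {
    awk -v want="$2" '
        BEGIN { gsub(/ /, "", want) }          # names ignore spaces and case
        /^[ \t]*[#;]/ { next }                 # comment lines
        /^[ \t]*\[/ {                          # section header
            sec = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
            next
        }
        sec == "global" && index($0, "=") > 0 {
            eq = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
            gsub(/[ \t]+/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

# Map the two parameters to a role name. Assumption: "domain master" left at
# its default (auto) counts as a master once "domain logons" is enabled.
server_role() {
    logons=$(global_param "$1" "domain logons")
    master=$(global_param "$1" "domain master")
    case "${logons:-no}" in
        yes|true|on|1) ;;
        *) echo ROLE_STANDALONE; return 0 ;;
    esac
    case "${master:-auto}" in
        no|false|off|0) echo ROLE_DOMAIN_BDC ;;
        *)              echo ROLE_DOMAIN_PDC ;;
    esac
}

if [ "$#" -gt 0 ]; then
    server_role "$1"                 # usage: sh role.sh /etc/samba/smb.conf
else
    sample=$(mktemp)                 # constructed sample, not the poster's file
    printf '[global]\n  workgroup = TESTPDC0\n  domain logons = Yes\n  domain master = Yes\n' > "$sample"
    server_role "$sample"
    rm -f "$sample"
fi
```

Run against the configuration used for `net rpc join` it should name the BDC role, and after the `domain master = Yes` change it should name the PDC role.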

