[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

Thomas Bork tombork at web.de
Sun Nov 13 15:25:33 GMT 2005


Christoph Peus wrote:

>> You have to find the point in the migration process, where the new 
>> sambaSID is calculated. Your migrated sambaSID is not correct.
> Hmmm... if I understood the "net rpc vampire" migration magic right, the 
> SID is not calculated using the algorithm you explained above but 
> fetched from the NT server. (Otherwise it wouldn't be possible to have 
> some SIDs with uneven RIDs like "....-1933" after the migration.)

If I think about this:

If the complete SID (SID + RID) is recalculated during the migration 
process, it will be impossible to load a roaming profile, because the 
recalculated SID is not the same as in the profile (if the RID is 
included in the authentication process).
Maybe the algorithmic calculation will only be used for newly created 
accounts (users/machines). If this is the case, I wrote a lot of shit ;)

> What *is* "calculated" during the migration is the uidNumber, and 
> therefore this may differ from the original one, but does samba really 
> use the algorithmic relationship between the uidNumber and the SID/RID 
> as a kind of authentication base for the machine?
> I changed the RID to "2 x uidNumber + 1000", but this didn't solve the 
> problem.
> I guess that there's something wrong with the password related 
> attributes of the machine account. Do you know where I can find a 
> documentation for the DC/client trust mechanism?

Sorry, I searched the Samba3-HOWTO but have not found anything about it, only:

http://us2.samba.org/samba/docs/man/Samba3-HOWTO/samba-pdc.html

Maybe this is useful:

http://searchopensource.techtarget.com/tip/1,289483,sid39_gci1138762,00.html

I think only the SID/RID and the sambaNTPassword/sambaLMPassword are used 
for authentication.
Have you tried to set the "sambaPwdCanChange" and "sambaPwdMustChange" 
attributes with pdbedit?


der tom
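
Added example, not part of the original message or of Samba's code: a Python check that classifies each migrated machine entry by whether its sambaSID carries the expected domain SID, whether its RID follows the "2 x uidNumber + 1000" formula quoted in the thread, and whether sambaNTPassword is a well-formed 32-hex-digit value. The domain SIDs, account names, uidNumbers and hash strings are constructed sample values, and the function names are hypothetical.

```python
import re

RID_BASE = 1000  # from the thread: RID = 2 x uidNumber + 1000
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")
NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # NT hash stored as 32 hex digits


def split_sid(sid):
    """Split a full account SID into (domain SID, RID)."""
    m = SID_RE.match(sid or "")
    if not m:
        raise ValueError(f"malformed SID: {sid!r}")
    return m.group(1), int(m.group(2))


def check_entry(entry, domain_sid):
    """Relate one migrated entry to the domain SID and the RID formula."""
    dom, rid = split_sid(entry.get("sambaSID"))
    algorithmic = rid == 2 * int(entry["uidNumber"]) + RID_BASE
    return {
        "domain_ok": dom == domain_sid,
        "rid_kind": "algorithmic" if algorithmic else "non-algorithmic",
        "nt_hash_ok": bool(NT_HASH_RE.match(entry.get("sambaNTPassword", ""))),
    }


def audit(entries, domain_sid):
    """Map each account name to its check result."""
    return {e["uid"]: check_entry(e, domain_sid) for e in entries}


# Constructed sample data (not taken from the thread's systems).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_SID = "S-1-5-21-4444444444-5555555555-6666666666"
FAKE_HASH = "0123456789ABCDEF" * 2  # placeholder, not a real hash
ENTRIES = [
    # RID matches the formula: 2 * 1005 + 1000 = 3010
    {"uid": "pc01$", "uidNumber": "1005",
     "sambaSID": DOMAIN_SID + "-3010", "sambaNTPassword": FAKE_HASH},
    # Odd RID as mentioned in the thread: cannot come from the formula
    {"uid": "pc02$", "uidNumber": "1006",
     "sambaSID": DOMAIN_SID + "-1933", "sambaNTPassword": FAKE_HASH},
    # Wrong domain part and no sambaNTPassword attribute at all
    {"uid": "pc03$", "uidNumber": "1007", "sambaSID": OTHER_SID + "-3014"},
]

if __name__ == "__main__":
    for uid, result in audit(ENTRIES, DOMAIN_SID).items():
        print(uid, result)
```

A "non-algorithmic" RID is reported as information only, since the thread's own reasoning is that RIDs fetched from the NT server need not follow the formula.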

