[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

John H Terpstra jht at samba.org
Sun Nov 13 16:32:28 GMT 2005

On Sunday 13 November 2005 08:25, Thomas Bork wrote:
> Christoph Peus wrote:
> >> You have to find the point in the migration process, where the new
> >> sambaSID is calculated. Your migrated sambaSID is not correct.
> >
> > Hmmm... if I understood the "net rpc vampire" migration magic right, the
> > SID is not calculated using the algorithm you explained above but
> > fetched from the NT server. (Otherwise it wouldn't be possible to have
> > some SIDs with uneven RIDs like "....-1933" after the migration.)
> If I think about this:
> If the complete SID (SID + RID) is recalculated during the migration
> process, it will be impossible to load a roaming profile, because the
> recalculated SID is not the same as in the profile (if the RID is
> included in the authentication process).
> Maybe the algorithmic calculation will only be used for newly created
> accounts (users/machines). If this is the case, I wrote a lot of shit ;)

When accounts are migrated from NT4 to Samba-3 using the "net rpc vampire" 
process the RID is preserved, but a UNIX UID is allocated out of the "idmap 
uid" range that was set in the smb.conf file. Samba does NOT overwrite the 
RID - if it did it would destroy the whole purpose of the account migration 

> > What *is* "calculated" during the migration is the uidNumber, and
> > therefore this may differ from the original one, but does samba really
> > use the algorithmic relationship between the uidNumber and the SID/RID
> > as a kind of authentication base for the machine?
> > I changed the RID to "2 x uidNumber + 1000", but this didn't solve the
> > problem.
> > I guess that there's something wrong with the password related
> > attributes of the machine account. Do you know where I can find a
> > documentation for the DC/client trust mechanism?
> Sorry, I searched the Samba3-HOWTO but have not found anything about it, only
> http://us2.samba.org/samba/docs/man/Samba3-HOWTO/samba-pdc.html
> Maybe this is useful:
> http://searchopensource.techtarget.com/tip/1,289483,sid39_gci1138762,00.htm

It really baffles me that people make such impossibly difficult sport of 
deploying Samba. We have copious documentation. What excuse is there for 
people not being able to find it? Sure it can (and will be) improved, but on 
the whole, the information necessary to deploy Samba-3 in all of its 
supported (as in "It does work") modes is well documented.

My book, "Samba-3 by Example" documents step-by-step and led-by-the-nose 
instructions to installation of Samba-3. It also documents the NT4 to Samba-3 
migration process in step-by-step format. The migration documentation has 
been revised and updated following feedback from many sites. It does work. 
The most common cause of failure is typographical mistakes and minor platform 
(even Linux is NOT a consistent platform) variances. It is humanly impossible 
to document all platform variances, but we try anyhow!

Every time someone reports a step in this book that fails for any reason I add 
to the documentation so that others can be spared pain and agony. I value 
such feedback. Contributions of additional chapters to the "Samba-3 by 
Example" book are most welcome - and I strongly encourage anyone who is 
willing to write a chapter to do so.

The information on the SearchOpenSource.Com web site is material I am 
developing to replace or update a few chapters in the Samba3-HOWTO. In the 
fullness of time there will be more and better information in the HOWTO also.

Having written two books, and having contributed them to the Samba 
documentation, and given that they are available on the Samba web site, and 
that they are well indexed on Google - I do not know what else to do to 
encourage people to read them, follow them and help to improve the quality 
and relevance by contributing updates.

> Think only the SID/RID and the sambaNTPassword/sambaLMPassword are used
> for authentication.
> Have you tried to set the "sambaPwdCanChange" and "sambaPwdMustChange"
> attributes with pdbedit?

If you want to find out why a logon fails follow the diagnostic process. Set 
in smb.conf [global]:

	log level = 10
	log file = /var/log/samba/%m.log
	max log size = 0

Then examine the log file that will be produced during a log-in session to 
find what step is not being permitted. That will help to locate the cause of 
the problem far more efficiently than speculating about the problem.

There are two important new chapters in the Samba3-HOWTO (second edition that 
was released in August) that are essential reading. One chapter deals with 
the "net" command, and the other deals with "User Rights and Privileges".

Additionally, chapter 10 has some useful information regarding the pdbedit 

Also, the index at the back of the book is hyper-link enabled. That means that 
if you download the PDF from the Samba web site, when a reference is located 
in the index, click on the page number and it will take you directly to the 


- John T.
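
The thread contrasts RIDs preserved by "net rpc vampire" with the algorithmic "2 x uidNumber + 1000" mapping, and notes that the uidNumber is allocated from the "idmap uid" range. The following check over exported account entries is an added example, not part of the original message or of Samba; the LDIF entries, the domain SID and the idmap range are constructed sample values.

```python
import re

RID_BASE = 1000              # the "1000" in the thread's "2 x uidNumber + 1000"
IDMAP_UID = (10000, 20000)   # constructed "idmap uid" range; use the one from smb.conf

# Constructed sample entries (not taken from the thread).
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
uid: ws01$
uidNumber: 10004
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1933

dn: uid=newuser,ou=People,dc=example,dc=org
uid: newuser
uidNumber: 1001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
"""

def parse_ldif(text):
    """Return one attribute dict per blank-line-separated LDIF entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entries.append(dict(l.split(": ", 1) for l in block.splitlines() if ": " in l))
    return entries

def split_sid(sid):
    """Split 'S-1-...-RID' into (domain SID, integer RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"malformed SID: {sid!r}")
    return domain, int(rid)

def classify(entry, idmap_uid=IDMAP_UID):
    """Report whether the RID follows the algorithmic mapping or not."""
    uid_number = int(entry["uidNumber"])
    _, rid = split_sid(entry["sambaSID"])
    algorithmic = rid == 2 * uid_number + RID_BASE
    return {
        "account": entry["uid"],
        "rid": rid,
        # non-algorithmic is what a RID carried over from NT4 looks like
        "rid_source": "algorithmic" if algorithmic else "non-algorithmic",
        "uid_in_idmap_range": idmap_uid[0] <= uid_number <= idmap_uid[1],
    }

def report(text=SAMPLE_LDIF):
    return [classify(e) for e in parse_ldif(text)]

if __name__ == "__main__":
    for row in report():
        print(row)
```
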
