[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

Craig White craigwhite at azapple.com
Sun Nov 13 20:49:00 GMT 2005

On Sun, 2005-11-13 at 20:50 +0100, Christoph Peus wrote:
> John H Terpstra wrote:
> >>Aha. That's a clear statement.
> >>It's true that the DC was downgraded from Windows 2000 to NT4, because the
> >>original domain is Windows 2000/AD running in mixed mode, but every
> >>reference to "net rpc vampire" and "AD in mixed mode" says that this works.
> >>Is it possible that "net rpc vampire" works only partially when used with
> >>AD/mixed mode?
> > 
> > 
> > The "net rpc vampire" migration process will migrate all accounts from ADS to 
> > Samba-3 (NT4-style domain), but all machines will need to re-join the domain.
> John, thanks for confirming this information.
> > NT4 domain accounts can be migrated without need for domain members to be 
> > rejoined to the domain. The "net rpc vampire" is inherently an NT4-style 
> > migration process. 
> > 
> > Samba-3 is not capable of being an ADS server, hence the need for domain 
> > members to be re-joined to the domain.
> I know that "net rpc vampire" is NT4-style and that samba-3 is not capable 
> of being an ADS server, but does this imply that the migration of machine 
> accounts (which work afterwards) from a mixed mode AD is not possible? My 
> understanding of "AD in mixed mode" has been that it's NT4-compatible to 
> some degree and I doubt that the typical user (e.g. myself) has enough 
> knowledge of the AD internals to know that this compatibility applies to 
> users and groups but not to machine accounts.
> Another point: The fact that "net rpc vampire" offers no option for a 
> "user/group accounts only" migration suggests that migrating machine 
> accounts is generally senseful, but what are machine accounts worth, when 
> machines cannot login to them afterwards and which have to be recreated 
> anyway by rejoining the domain?
> I read the migration chapters of your books carefully and found no 
> reference to a "net rpc vampire" migration from a mixed mode AD. I searched 
> the internet up and down for further information regarding my migration 
> project, found a lot of Howtos and newsgroup postings, but nothing which 
> said that migration of machine accounts isn't possible in this 
> environment, and I asked a samba team member at the SambaXP conference, who 
> personally told me that "net rpc vampire works for AD/mixed mode", which 
> means to me, that it works *completely*.
> So, I just write all this to point out that I'm not in the situation I'm in 
> now because I've ignored the available documentation - to answer your other 
> posting in this thread - but because I read it carefully and listened to 
> the gurus. Obviously this wasn't sufficient.
> Please:
> - Add one sentence to the migration chapters of your books, which points out 
> that machine accounts won't work afterwards when migrated from a mixed 
> mode AD and that machines will have to rejoin the domain.
> - "net rpc vampire" should offer a "skip machine accounts" option for 
> those users who want to migrate from mixed mode AD.
> Thanks!
> >>BTW: I'm not the first to encounter this problem. Another samba user (Kang
> >>Sun) reported exactly the same problem about a year ago, but didn't get an
> >>answer.
> > 
> > 
> > The mailing list is a subscriber supported facility. If anyone has an urgent 
> > need for answers they should obtain paid support. Please refer to the Samba 
> > web site for information regarding paid support sources.
> I didn't mention this to claim that it's your duty to answer every question 
> in a newsgroup (of course it's not!), but to point out that this question 
> may be worth answering in general, especially because you can run into 
> this problem though you have read the docs carefully, as I've tried to 
> explain above.
> Christoph
> PS: Is it known what's the cause for this machine account incompatibility 
> in detail? No way of reverting a client to a NT4-style trust to the samba-PDC?
This is interesting since I would have thought the 'mixed mode' would
have worked for machine accounts but apparently it doesn't though the
documentation does continually refer to NT4 and in the newer section of
privileges, the added roles in Win2000 server are referenced so at least
some distinction is drawn between NT4 and Win2K server roles - just
nothing clear on 'mixed mode' and machine accounts.

I hadn't read through the vampire documentation in quite some time, I
think the only time I went through it was samba 3.0.0 and the release 2
of the How-To book and I see now that it is removed from the How-To and
in the By-Example and has been greatly enhanced.

Some suggestions for John in the documentation...

1 - Suggest to reader that the vampire process doesn't always work
properly the first time and one should back up account db immediately
prior to vampire step so that one can restore their tdb/ldap db, fix what
wasn't exactly right and repeat from that step. This was a process that
I had to figure out myself as I learned with each vampire effort.

2 - Given that certain 'Enterprise' distributions have versions near
3.0.9 / 3.0.10 that the added features have a specific tag for which
version they were added so that users of those versions don't beat their
heads on the wall for features that they can't use.

