[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

John H Terpstra jht at samba.org
Sun Nov 13 22:19:24 GMT 2005


On Sunday 13 November 2005 12:50, Christoph Peus wrote:
> John H Terpstra wrote:
> ...
> > NT4 domain accounts can be migrated without need for domain members to be
> > rejoined to the domain. The "net rpc vampire" is inherently an NT4-style
> > migration process.
> >
> > Samba-3 is not capable of being an ADS server, hence the need for domain
> > members to be re-joined to the domain.
>
> I know that "net rpc vampire" is NT4-style and that samba-3 is not capable
> of being an ADS server, but does this imply that the migration of machine
> accounts (which work afterwards) from a mixed mode AD is not possible? My
> understanding of "AD in mixed mode" has been that it's NT4-compatible to
> some degree and I doubt that the typical user (e.g. myself) has enough
> knowledge of the AD internals to know that this compatibility applies to
> users and groups but not to machine accounts.

If you migrate the domain membership trust account for an NT4 Workstation or 
Server from ADS to Samba-3 the client does not need to be re-joined to the 
domain. It will work just fine because the client (NT4) is capable only of 
using an NT4-style domain interaction.

Windows 2000/2003/XP Pro client domain members of an ADS domain store 
credentials that are membership credentials that are specific to ADS. When 
the ADS domain accounts are migrated to a Samba-3 domain, the client tries to 
log onto the Samba-3 domain using ADS credentials - and logically, that 
fails. This has nothing to do with ADS-mixed mode, it is the result of the 
client having used the more advanced AD protocols when it was joined to the 
domain.

> Another point: The fact that "net rpc vampire" offers no option for a
> "user/group accounts only" migration suggests that migrating maschine
> accounts is generally sensefull, but what are maschine accounts worth, when
> maschines cannot login to them afterwards and which have to be recreated
> anyway by rejoining the domain?

The documentation does not address migration of ADS to Samba-3. Sorry. Maybe 
someone should contribute a chapter on that subject. :-)

> I read the migration chapters of your books carefully and found no
> reference to a "net rpc vampire" migration from a mixed mode AD. I searched

Correct. I do believe that the documentation is quite specific. We do support 
migration of NT4 domains to Samba-3. It is possible to migrate ADS domain 
accounts to Samba-3, but Samba-3 can not be an ADS server. I believe that is 
also very clearly documented, but I am willing to be proven wrong.

> the internet up and down for further information regarding my migration
> project, found a lot of Howtos and newsgroup postings, but nothing which
> said that migration of maschine accounts isn't possible in this
> environment, and I asked a samba team member at the SambaXP conference, who
> personally told me that "net rpc vampire works for AD/mixed mode", which
> means to me, that it works *completely*.

OK. Understood, sorry to hear that you have been misled. I'll clarify the 
documentation further.

> So, I just write all this to point out that I'm not in the situation I'm in
> now because I've ignored the available documentation - to answer your other
> posting in this thread - but because I read it carefully and listened to
> the gurus. Obviously this wasn't sufficient.

Ah ah, the documentation clearly points out that Samba-3 is not capable of 
being an ADS server. I guess that is not clear enough so I'll fix it.

> Please:
>
> - Add one sentence to the migration chapters of your books, which point out
> that machine accounts won't work afterwards when migrated from a mixed
> mode AD and that machines will have to rejoin the domain.

OK. I'll add that.

> - "net rpc vampire" should offer an "skip maschine accounts" option for
> those users who want to migrate from mixed mode AD.

Please file a bug report on https://bugzilla.samba.org/ so this comes to the 
attention of the developers and does not get lost in the woodwork.

> Thanks!
>
> >>BTW: I'm not the first to encounter this problem. Another samba user
> >> (Kang Sun) reported exactly the same problem about a year ago, but
> >> didn't get an answer.
> >
> > The mailing list is a subscriber supported facility. If anyone has an
> > urgent need for answers they should obtain paid support. Please refer to
> > the Samba web site for information regarding paid support sources.
>
> I didn't mention this to claim that it's your duty to answer every question
> in a newsgroup (of course it's not!), but to point out that this question
> may be worth answering in general, especially because you can run into
> this problem though you have read the docs carefully, as I've tried to
> explain above.

I understand your point. I apologise for not stating more clearly what are the 
consequences of Samba not being able to be an ADS server. 

> PS: Is it known what's the cause for this machine account incompatibility
> in detail? No way of reverting a client to a NT4-style trust to the
> samba-PDC?

Yes - the fact that the client was joined to ADS using Kerberos and LDAP 
protocols that Samba-3 does not support, except when used as a member of an 
ADS domain.

- John T.
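A worked illustration of the practical consequence of the thread above, added here as an example and not part of the original message or of Samba's own tooling: "net rpc vampire" pulls every account, machine trust accounts included, and offers no "skip machine accounts" switch, so after the pull the administrator has to work out which of the migrated trust accounts belong to Windows 2000/2003/XP members (which must re-join) and which belong to NT4 clients (which keep working). The script assumes the migrated accounts land in Samba's passdb and that `pdbedit -L` prints one `name:uid:gecos` line per account; the `pdbedit` output and the list of NT4-only hosts are constructed sample data, and the DC name, replication account and hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba's own scripts.
# Separates migrated machine trust accounts from user accounts and lists the
# trust accounts whose owners must re-join the Samba-3 domain.

# Constructed sample of "pdbedit -L" output (not captured from a real system).
# Trust accounts are recognisable by the trailing "$" in the account name.
SAMPLE_PDBEDIT='root:0:root
cpeus:1001:Christoph Peus
WKS-NT4$:1002:NT4 Workstation
XP-DESK01$:1003:XP Pro member
W2K-SRV02$:1004:
Administrator:500:Built-in account'

# The migration step itself.  It needs a reachable DC, so it is only defined
# here and never invoked by the example.  "-S" names the DC to replicate from,
# "-U" the account permitted to pull the SAM (e.g. 'Administrator%secret').
vampire_from_dc() {
    net rpc vampire -S "$1" -U "$2"
}

# machine_accounts FILE
# Prints every machine trust account name found in pdbedit -L output, sorted
# bytewise so results are stable regardless of locale.
machine_accounts() {
    awk -F: '$1 ~ /\$$/ { print $1 }' "$1" | LC_ALL=C sort
}

# count_machine_accounts FILE
# Number of trust accounts pulled; compare it against the DC's computer list to
# check that the vampire run was complete.
count_machine_accounts() {
    machine_accounts "$1" | wc -l | tr -d ' '
}

# needs_rejoin NT4_HOSTS_FILE PDBEDIT_FILE
# NT4_HOSTS_FILE holds one hostname per line (without "$") for the members known
# to be NT4 Workstation/Server, which keep working after the migration (the
# point made in the reply above).  Every other trust account belongs to a
# Windows 2000/2003/XP member that joined with ADS-style credentials and must
# be re-joined; those names are printed, sorted.
needs_rejoin() {
    awk -F: '
        NR == FNR { nt4[toupper($1)] = 1; next }
        $1 ~ /\$$/ {
            n = $1; sub(/\$$/, "", n)
            if (!(toupper(n) in nt4)) print $1
        }' "$1" "$2" | LC_ALL=C sort
}

# Stand-alone demonstration on the constructed data.
if [ "${DEMO:-1}" = 1 ]; then
    pdb=$(mktemp); nt4=$(mktemp)
    printf '%s\n' "$SAMPLE_PDBEDIT" > "$pdb"
    printf 'wks-nt4\n' > "$nt4"             # constructed: the one NT4 client
    echo "trust accounts pulled: $(count_machine_accounts "$pdb")"
    echo "members that must re-join:"
    needs_rejoin "$nt4" "$pdb"
    rm -f "$pdb" "$nt4"
fi
```

The hostname comparison is case-insensitive because NetBIOS names are, and the NT4 list is matched without the trailing "$" so it can be typed straight from an inventory. Nothing here touches the passdb; the re-join itself still has to be done from each Windows 2000/XP client, as the reply explains.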

