[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

John H Terpstra jht at samba.org
Sun Nov 13 22:25:56 GMT 2005 

On Sunday 13 November 2005 13:49, Craig White wrote:
> On Sun, 2005-11-13 at 20:50 +0100, Christoph Peus wrote:
> > John H Terpstra wrote:
> > >>Aha. That's a clear statement.
> > >>It's true that the DC was downgraded from Windows 2000 to NT4, because
> > >> the original domain is Windows 2000/AD runinng in mixed mode, but
> > >> every reference to "net rpc vampire" and "AD in mixed mode" says that
> > >> this works. Is it possible that "net rpc vampire" works only partially
> > >> when used with AD/mixed mode?
> > >
> > > The "net rpc vampire" migration process will migrate all accounts from
> > > ADS to Samba-3 (NT4-style domain), but all machines will need to
> > > re-join the domain.
> >
> > John, thanks for confirming this information.
> >
> > > NT4 domain accounts can be migrated without need for domain members to
> > > be rejoined to the domain. The "net rpc vampire" is inherently an
> > > NT4-style migration process.
> > >
> > > Samba-3 is not capable of being an ADS server, hence the need for
> > > domain members to be re-joined to the domain.
> >
> > I know that "net rpc vampire" is NT4-style and that samba-3 is not
> > capable of being an ADS server, but does this imply that the migration of
> > maschine accounts (which work afterwards) from a mixed mode AD is not
> > possible? My understanding of "AD in mixed mode" has been that it's
> > NT4-compatible to some degree and I doubt that the typical user (e.g.
> > myself) has enough knowledge of the AD internals to know that this
> > compatibility applies to users and groups but not to maschine accounts.
> >
> > Another point: The fact that "net rpc vampire" offers no option for a
> > "user/group accounts only" migration suggests that migrating maschine
> > accounts is generally sensefull, but what are maschine accounts worth,
> > when maschines cannot login to them afterwards and which have to be
> > recreated anyway by rejoining the domain?
> >
> > I read the migration chapters of your books carefully and found no
> > reference to a "net rpc vampire" migration from a mixed mode AD. I
> > searched the internet up and down for further information regarding my
> > migration project, found a lot of Howtos and newsgroup postings, but
> > nothing which said that migration of maschine accounts isn't possible in
> > this
> > environment, and I asked a samba team member at the SambaXP conference,
> > who personally told me that "net rpc vampire works for AD/mixed mode",
> > which means to me, that it works *completely*.
> >
> > So, I just write all this to point out that I'm not in the situation I'm
> > in now because I've ignored the available documentation - to answer your
> > other posting in this thread - but because I read it carefully and
> > listened to the gurus. Obviously this wasn't sufficient.
> >
> > Please:
> >
> > - Add one sentence to the migration chapters of your books, which point
> > out that maschine accounts won't work afterwards when migrated from a
> > mixed mode AD and that maschines will have to rejoin the domain.
> >
> > - "net rpc vampire" should offer an "skip maschine accounts" option for
> > those users who want to migrate from mixed mode AD.
> >
> > Thanks!
> >
> > >>BTW: I'm not the first to encounter this problem. Another samba user
> > >> (Kang Sun) reported exactly the same problem about a year ago, but
> > >> didn't get an answer.
> > >
> > > The mailing list is a subscriber supported facility. If anyone has an
> > > urgent need for answers they should obtain paid support. Please refer
> > > to the Samba web site for information regarding paid support sources.
> >
> > I didn't mention this to claim that it's your duty to answer every
> > question in a newsgroup (of course it's not!), but to point out that this
> > question may be worth answering in general, esspecially because you can
> > run into this problem though you have read the docs carefully, as I've
> > tried to explain above.
> >
> > Christoph
> >
> > PS: Is it known what's the cause for this maschine account
> > incompatibility in detail? No way of reverting a client to a NT4-style
> > trust to the samba-PDC?
>
> ----
> This is interesting since I would have thought the 'mixed mode' would
> have worked for machine accounts but apparently it doesn't though the
> documentation does continually refer to NT4 and in the newer section of
> privileges, the added roles in Win2000 server are referenced so at least
> some distinction is drawn between NT4 and Win2K server roles - just
> nothing clear on 'mixed mode' and machine accounts.

Mixed mode simply means that an NT4 workstation or server can join the ADS 
domain and participate as a domain member. NT4 workstation and server are not 
capable of using ADS protocols (Kerberos and LDAP), and could otherwise not 
participate in the ADS environment.

Samba-3 can use the ADS protocols, but only as an ADS domain member - not as 
an ADS server.

> I hadn't read through the vampire documentation in quite some time, I
> think the only time I went through it was samba 3.0.0 and the release 2
> of the How-To book and I see now that it is removed from the How-To and
> in the By-Example and has been greatly enhanced.
>
> Some suggestions for John in the documentation...
>
> 1 - Suggest to reader that the vampire process doesn't always work
> properly the first time and one should back up account db immediately
> prior to vampire step so that one restore their tdb/ldap db, fix what
> wasn't exactly right and repeat from that step. This was a process that
> I had to figure out myself as I learned with each vampire effort.

Please submit a documentation patch, or more specific update recommendations. 

I can send you the source files if you can not download them yourself. The 
source files are available from:

http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/?root=samba-docs

> 2 - Given that certain 'Enterprise' distributions have versions near
> 3.0.9 / 3.0.10 that the added features have a specific tag for which
> version they were added so that users of those versions don't beat their
> heads on the wall for features that they can't use.

Please clarify this for me. I'm not able to parse this.

Thanks.

- John T.

More information about the samba mailing list