[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

[Christoph Peus]

John H Terpstra wrote:

>>I know that "net rpc vampire" is NT4-style and that samba-3 is not capable
>>of being an ADS server, but does this imply that the migration of maschine
>>accounts (which work afterwards) from a mixed mode AD is not possible? My
>>understanding of "AD in mixed mode" has been that it's NT4-compatible to
>>some degree and I doubt that the typical user (e.g. myself) has enough
>>knowledge of the AD internals to know that this compatibility applies to
>>users and groups but not to maschine accounts.
> 
> 
> If you migrate the domain membership trust account for an NT4 Workstation or 
> Server from ADS to Samba-3 the client does not need to be re-joined to the 
> domain. It will work just fine because the client (NT4) is capable only of 
> using an NT4-style domain interaction.
> 
> Windows 2000/2003/XP Pro client domain members of an ADS domain store 
> credentials that are membership credentials that are specific to ADS. When 
> the ADS domain accounts are migrated to a Samba-3 domain, the client tries to 
> log onto the Samba-3 domain using ADS credentials - and logically, that 
> fails. This has nothing to do with ADS-mixed mode, it is the result of the 
> client having used the more advanced AD protocols when it was joined to the 
> domain.

Thanks for the clarification! Question: if a Win2k/XP workstation has 
joined a NT4 domain and this domain is upgraded later on to AD, does the 
maschine account of the workstation remain NT4-Style - and therefore 
migratable by "vampire" - or is it upgraded to AD-Style?
But I think that the answer to the question "can net rpc vampire migrate 
maschine accounts from an AD server" has to be "it depends" anyway, 
because it works at least for NT4 maschines.

>>Another point: The fact that "net rpc vampire" offers no option for a
>>"user/group accounts only" migration suggests that migrating maschine
>>accounts is generally sensefull, but what are maschine accounts worth, when
>>maschines cannot login to them afterwards and which have to be recreated
>>anyway by rejoining the domain?
> 
> 
> The documentation does not address migration of ADS to Samab-3. Sorry. Maybe 
> someone should contribute a chapter on that subject. :-)

For migration of ADS/mixed mode to samba-3 it would be sufficient to 
reference the NT4PDC to samba-3 chapter and add a sentence which 
explains, that migration of Win2k/XP client maschine accounts will not 
work (if they joined the domain when the Server was already AD - I'm not 
sure about this - see above.)

>>I read the migration chapters of your books carefully and found no
>>reference to a "net rpc vampire" migration from a mixed mode AD. I searched
> 
> 
> Correct. I do believe that the documentation is quite specific. We do support 
> migration of NT4 domains to Samba-3. It is possible to migrate ADS domain 
> accounts to Samba-3, but Samba-3 can not be an ADS server. I believe that is 
> also very clearly documented, but I am willing to be proven wrong.

It *is* clearly documented that Samba-3 cannot be an ADS server, but for 
a user with limited knowledge of ADS (like me ;) this does not imply 
that migration of the maschine accounts is not possible. ("When user and 
group accounts can be migrated from ADS without problem, why shouldn't 
this work with maschine accounts too?" This applies even more when ADS 
is running in mixed mode, which is known to be "NT4-compatible"). This 
difference between users/groups and maschines in respect to migration 
should be explained explicitly in the documentation.

>>- "net rpc vampire" should offer an "skip maschine accounts" option for
>>those users who want to migrate from mixed mode AD.
> 
> 
> Please file a bug report on https://bugzilla.samba.org/ so this comes to the 
> attention of the developers and does not get lost in the woodwork.

OK, I will do so.

>>>The mailing list is a subscriber supported facility. If anyone has an
>>>urgent need for answers they should obtain paid support. Please refer to
>>>the Samba web site for information regarding paid support sources.
>>
>>I didn't mention this to claim that it's your duty to answer every question
>>in a newsgroup (of course it's not!), but to point out that this question
>>may be worth answering in general, esspecially because you can run into
>>this problem though you have read the docs carefully, as I've tried to
>>explain above.
> 
> 
> I understand your point. I apologise for not stating more clearly what are the 
> consequences of Samba not being able to be an ADS server. 

John, you don't have to apologise for something. Your documentation is 
great, probably the best I have ever seen for a complex thing like 
samba-3. I'm sorry if my postings - written under the impression of 
frustation with this "cannot login any longer" problem after migration - 
sound a little bit... impolite. This wasn't my intention.
I will be happy if my experience with "net rpc vampire" leads to a 
documentation update which will protect other users to encounter the 
same problem.

>>PS: Is it known what's the cause for this maschine account incompatibility
>>in detail? No way of reverting a client to a NT4-style trust to the
>>samba-PDC?
> 
> 
> Yes - the fact that the client was joined to ADS using Kerberos and LDAP 
> protocols that Samba-3 does not support, except when used as a member of an 
> ADS domain.

Yes, but what's the underlying technical cause for the cause? ;-)
It would be interesting to see how two identical XP-maschines would 
differ after having joined the one to a NT4-Domain and the other to an 
ADS domain. Which regkyes differ? Has somebody tried to make a "back to 
NT4-Style trust" conversation tool for Win2k/XP-maschines?
Otherwise I have to search a solution now for the task of letting 500 
clients rejoin the domain unattended/automatically somehow.

Christoph