[Samba] Seamless update from Samba 2 to Samba 3 on a new server

Florian Marinier florian.marinier at cnrs-orleans.fr
Fri May 23 13:41:59 GMT 2008


Hi,

I'm new to the list, I hope I'm posting at the right place ;)

I'm having a hard time trying to update and to move my Samba 2.2 PDC to a
new Debian server.

Currently, the PDC is using Samba 2.2.8 on a Solaris Server. My goal is to
move it to another computer, and to update it to a newer version (3.0.24).
This must be fully transparent for the users, since I have no time to
disjoin and to rejoin the domain on all machines.
I'm using the smbpassword backend, and a NIS server. The NIS stores all
the Unix accounts, but the machine accounts are local.
The domain name is SMBDOM.
The PDC is called aldebaran, and has the Netbios name PDC.

I've caught the SID of the old machine with smbpasswd -X SMBDOM, which is
the same as the one I get with smbpasswd -X PDC.

Now, I've installed my Samba 3 server on the new machine, which uses the
same hostname and the same Netbios name.
I've set the SID to the old domain one, using net setlocalsid
olddomainsid, and net setlocalsid olddomainsid.

I've also copied the smb.conf, and the secrets.tdb, and done the group
mappings.
Here is the result of the net groupmap list command:

testpdc:/var/log/samba# net groupmap list
Domain Admins (S-1-5-21-2616637325-650964048-2930221742-512) -> adminasr
Domain Computers (S-1-5-21-2616637325-650964048-2930221742-515) -> machines


The problem is that the old domain computers can't join the new domain.
I'm having the message "Windows can't connect... The server might not be
running, or your machine account has not been found..." or something like that.

Here is what I can see in the logs:

[2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
  creds_server_check: credentials check failed.
[2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
client CYANN machine account CYANN$
[2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
  creds_server_check: credentials check failed.
[2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
client CYANN machine account CYANN$


When running pdbedit -vL with my username for example, everything seems
fine:

testpdc:/var/log/samba# pdbedit -vL marinier
Unix username:        marinier
NT username:
Account Flags:        [UX         ]
User SID:             S-1-5-21-2616637325-650964048-2930221742-3324
Primary Group SID:    S-1-5-21-2616637325-650964048-2930221742-513
Full Name:            Florian Marinier
Home Directory:       \\pdc\marinier
HomeDir Drive:        u:
Logon Script:         montage.bat marinier
Profile Path:
Domain:               SMBDOM
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Fri, 04 Apr 2008 15:53:44 CEST
Password can change:  Fri, 04 Apr 2008 15:53:44 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The SID is the right one.

When running pdbedit -vL cyann$ (which is one of my machine accounts)

testpdc:/var/log/samba# pdbedit -vL cyann$
Unix username:        cyann$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-2616637325-650964048-2930221742-2820
Primary Group SID:    S-1-5-21-2616637325-650964048-2930221742-515
Full Name:            Trust Account
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:               SMBDOM
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Wed, 18 Apr 2007 18:28:27 CEST
Password can change:  Wed, 18 Apr 2007 18:28:27 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The SID and domain are the right ones...
But I still can't log in :(

I may have an answer, but I'd be glad to have a confirmation:
On my old Solaris server, my machines group had the GID 101.
And on my new Debian Server, the GID 101 is already used by Crontab, so I
chose another GID.

Could this be the source of all my problems?



PS: However, when I disjoin and rejoin the domain, everything seems OK.

Does anyone have a clue?

Thanks,

Florian
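
The log excerpt in the post can be reduced to a per-machine list of rejected netlogon authentications, which shows which workstation trust accounts the new PDC refuses. This is an added example, not part of the original post or of Samba: a Python parser for the record format quoted above, where the sample log is constructed from the post's excerpt and EXAMPLEPC and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the post; EXAMPLEPC is a made-up host.
SAMPLE_LOG = """\
[2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
  creds_server_check: credentials check failed.
[2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
client CYANN machine account CYANN$
[2008/05/23 15:20:05, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
client CYANN machine account CYANN$
[2008/05/23 15:21:30, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client EXAMPLEPC machine account EXAMPLEPC$
"""

# Record header: [date time, debuglevel] source.c:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
REJECT = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+)")

def parse_records(text):
    """Yield (timestamp, debuglevel, function, message); wrapped body lines are joined."""
    head, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if head:
                yield (*head, " ".join(body))
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            head, body = (stamp, int(m.group(2)), m.group(4)), []
        elif head and line.strip():
            body.append(line.strip())
    if head:
        yield (*head, " ".join(body))

def netlogon_rejections(text):
    """Map machine account -> client name, rejection count, first and last time seen."""
    out = {}
    for stamp, _level, _func, msg in parse_records(text):
        m = REJECT.search(msg)
        if m:
            client, account = m.groups()
            e = out.setdefault(account, {"client": client, "count": 0, "first": stamp, "last": stamp})
            e["count"] += 1
            e["first"], e["last"] = min(e["first"], stamp), max(e["last"], stamp)
    return out

if __name__ == "__main__":
    print(netlogon_rejections(SAMPLE_LOG))
```
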


