[Samba] Seamless update from Samba 2 to Samba 3 on a new server

Remy Zandwijk remy.zandwijk at falw.vu.nl
Sat May 24 19:21:53 GMT 2008


Florian,

An obvious question maybe, but does your local passwd file contain the machine 
accounts? And why do you copy the secrets.tdb? I think that's not needed.

Remy




> Hi,
> 
> I'm new to the list, I hope I'm posting at the right place ;)
> 
> I'm having a hard time trying to update and to move my Samba 2.2 PDC to a
> new Debian server.
> 
> Currently, the PDC is using Samba 2.2.8 on a Solaris Server. My goal is to
> move it to another computer, and to update it to a newer version (3.0.24).
> This must be fully transparent for the users, since I have no time to
> disjoin and to rejoin the domain on all machines.
> I'm using the smbpassword backend, and a NIS server. The NIS stores all
> the Unix accounts, but the machine accounts are local.
> The domain name is SMBDOM.
> The PDC is called aldebaran, and has the Netbios name PDC.
> 
> I've caught the SID of the old machine with smbpasswd -X SMBDOM, which is
> the same as the one I get with smbpasswd -X PDC.
> 
> Now, I've installed my Samba 3 server on the new machine, which uses the
> same hostname and the same Netbios name.
> I've set the SID to the old domain one, using net setlocalsid
> olddomainsid, and net setlocalsid olddomainsid.
> 
> I've also copied the smb.conf, and the secrets.tdb, and done the group
> mappings.
> Here is the result of the net groupmap list command :
> 
> testpdc:/var/log/samba# net groupmap list
> Domain Admins (S-1-5-21-2616637325-650964048-2930221742-512) -> adminasr
> Domain Computers (S-1-5-21-2616637325-650964048-2930221742-515) -> machines
> 
> 
> The problem is that the old domain computers can't join the new domain.
> I'm having the message "Windows can't connect... The server might not be
> running, or your machine account has not been found..." or something like
> that.
> 
> Here is what I can see in the logs :
> 
> [2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
>   creds_server_check: credentials check failed.
> [2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
>   _net_auth2: creds_server_check failed. Rejecting auth request from
> client CYANN machine account CYANN$
> [2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
>   creds_server_check: credentials check failed.
> [2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
>   _net_auth2: creds_server_check failed. Rejecting auth request from
> client CYANN machine account CYANN$
> 
> 
> When running pdbedit -vL with my username for example, everything seems
> fine :
> 
> testpdc:/var/log/samba# pdbedit -vL marinier
> Unix username:        marinier
> NT username:
> Account Flags:        [UX         ]
> User SID:             S-1-5-21-2616637325-650964048-2930221742-3324
> Primary Group SID:    S-1-5-21-2616637325-650964048-2930221742-513
> Full Name:            Florian Marinier
> Home Directory:       \\pdc\marinier
> HomeDir Drive:        u:
> Logon Script:         montage.bat marinier
> Profile Path:
> Domain:               SMBDOM
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
> Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
> Password last set:    Fri, 04 Apr 2008 15:53:44 CEST
> Password can change:  Fri, 04 Apr 2008 15:53:44 CEST
> Password must change: Tue, 19 Jan 2038 04:14:07 CET
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
> The SID is the right one.
> 
> When running pdbedit -vL cyann$ (which is one of my machine accounts)
> 
> testpdc:/var/log/samba# pdbedit -vL cyann$
> Unix username:        cyann$
> NT username:
> Account Flags:        [W          ]
> User SID:             S-1-5-21-2616637325-650964048-2930221742-2820
> Primary Group SID:    S-1-5-21-2616637325-650964048-2930221742-515
> Full Name:            Trust Account
> Home Directory:
> HomeDir Drive:        (null)
> Logon Script:
> Profile Path:
> Domain:               SMBDOM
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
> Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
> Password last set:    Wed, 18 Apr 2007 18:28:27 CEST
> Password can change:  Wed, 18 Apr 2007 18:28:27 CEST
> Password must change: Tue, 19 Jan 2038 04:14:07 CET
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
> The SID and domain are the right ones...
> But I still can't log in :(
> 
> I may have an answer, but I'd be glad to have a confirmation :
> On my old Solaris server, my machines group had the GID 101.
> And on my new Debian Server, the GID 101 is already used by Crontab, so I
> chose another GID.
> 
> Could it be the source of all my problems?
> 
> 
> 
> PS : However, when I disjoin and rejoin the domain, everything seems OK.
> 
> Does anyone have a clue?
> 
> Thanks,
> 
> Florian
> 
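
The check raised at the top of this reply (are the machine accounts present in the local passwd file?) can be scripted. The following is an added example, not part of the original messages: it lists machine trust accounts that appear in an smbpasswd-format file but have no entry in a passwd-format file. The function names, the case-insensitive name comparison and the sample data are assumptions made for illustration; on a real server, pass the paths of the actual smbpasswd and passwd files.

```shell
#!/bin/sh
# Added example (not from the thread). List machine trust accounts (names
# ending in "$") that exist in an smbpasswd-format file but have no matching
# entry in a passwd-format file.
# Usage: missing_machine_accounts SMBPASSWD_FILE PASSWD_FILE
missing_machine_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { unix[tolower($1)] = 1; next }  # passwd names
        /^[ \t]*#/ || NF < 2 { next }                        # comments, blanks
        # Assumption: names are compared case-insensitively.
        $1 ~ /\$$/ && !(tolower($1) in unix) { print $1 }
    ' "$2" "$1"
}

# Constructed sample data: one user and two machine accounts in smbpasswd,
# but only one of the machine accounts has a Unix entry.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/smbpasswd" <<'EOF'
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
cyann$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
wks02$:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
EOF
    cat > "$tmp/passwd" <<'EOF'
alice:x:1001:513:Alice:/home/alice:/bin/sh
cyann$:x:1002:515:Trust Account:/dev/null:/bin/false
EOF
    missing_machine_accounts "$tmp/smbpasswd" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

An empty result means every machine account in the smbpasswd file has a Unix counterpart in the passwd file that was checked.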



