[Samba] Re: net vampire and Win2003 AD

Liutauras Adomaitis liutauras.adomaitis at gmail.com
Mon May 11 21:50:27 GMT 2009

On Sat, May 9, 2009 at 6:05 PM, Liutauras Adomaitis <
liutauras.adomaitis at gmail.com> wrote:

> Hello Samba People,
> it is my first letter to Samba ML, so first of all - thanks Samba team for
> a great SW.
> Now the question:
> I want to migrate from Win2003 AD to Samba 3.3.2. I want to use net vampire
> feature to import all account information (is there any other way to do
> it?). Net vampire works partly - in the direct meaning of this word - it is
> importing only 131 objects. How come?
> Full story:
> Samba is configured with OpenLdap and smbldap-tools. They are working. Then
> I launch:
> net rpc vampire ldif <connection parameters to win server>
> it instantly gives me:
> Fetching (to ldif) DOMAIN database
> nothing is vampired.
> if I run command without ldif, it imports 131 objects and then gives me the
> same:
> ..... 131 time ....
> Creating account: lalalala
> Windows server gives me two event messages after that:
> Event ID: 5713:
> The full synchronization request from the server SERVER completed
> successfully. 131 object(s) has(have) been returned to the caller.
> And the other Warning:
> Event ID 5714
> The full synchronization request from the server SERVER failed with the
> following error:
> This replicant database is outdated; synchronization is required.
> If I check LDAP database - it is filled with imported data. The only thing
> I miss is LM password, but this is not a problem, since I can reset
> passwords.
> What is interesting - I thought there were some objects with national
> characters and I tried to delete some unused objects from AD. I did this
> kind of cleaning several times and every time I do vampire I have imported
> 131 objects (at least Windows says that, I did not count). After each cleaning
> vampire fails on a different object, but on the 131st. I tried sorting AD
> objects by modification date, but this did not give me a clue about why
> import stops after 131 objects.
> I can provide full info of my samba setup, but I guess my setup is ok,
> since some objects are imported. (There were some things net rpc vampire command
> said to me, like: smb_set_primary_group: gave 1, but I don't think this is a
> problem, because import doesn't stop on these messages.)
> There is a problem, why vampire imports just part of the accounts.
> Why does net rpc vampire ldif give an error instantly and not import anything,
> but net rpc vampire (without keyword ldif) starts working?

I have made cleaning of AD database and suddenly I have moved much further
in vampire process. I have got all users and hosts imported, most of group
membership done, but still:
Creating unix group: 'Cert Publishers'
Creating unix group: 'RAS and IAS Servers'

I think there must be something wrong with AD or Import process doesn't
handle national characters well. As you see, the process is stopping on Cert
Publishers and RAS and IAS Servers group creation. Then I checked my
OpenLdap database and saw that the 'Cert Publishers' group is created, but it has
only Top and PosixGroup ObjectClasses, no Samba related stuff. The same is
with 'RAS and IAS Servers' group. But there are two other objects in Group
tree, with
and object classes of SambaRidEntry and SambaGroupMapping, and with
attributes which are missing in 'Cert Publishers' group.

It seems that these two groups mentioned above have been split in two
parts - one with posixAccount info and the other with SambaAccount info.
This is probably the problem.

Has anybody any ideas what is going on?
Can I delete those two groups in AD (they have no members)? I'm importing
data from production server, but this server is going to be switched off
just after migration. So I wonder if there will be any problems in short
term, because I don't care in long term.
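
A check for the split described in the message above, added here as an example and not part of the original post or of Samba: it scans an LDIF export of the group subtree (for instance from slapcat or ldapsearch) for posixGroup entries that lack sambaGroupMapping and pairs each with any mapping-only entry holding the same gidNumber. The sample DNs, SID and gidNumbers are constructed, and matching the two halves by gidNumber is an assumption.

```python
import base64

# Constructed sample (not the poster's data), trimmed to the attributes the check reads.
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513

dn: cn=Cert Publishers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 1005

dn: sambaSID=S-1-5-21-1-2-3-517,ou=Groups,dc=example,dc=com
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
gidNumber: 1005
"""

def parse_ldif(text):
    """Yield (dn, attrs) per record; attrs maps lower-cased names to value lists."""
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():  # unfold wrapped lines
            key, sep, value = line.partition(": ")
            if not sep or line.startswith("#"):
                continue
            if key.endswith(":"):  # "attr:: " carries base64 (non-ASCII values)
                key, value = key[:-1], base64.b64decode(value).decode("utf-8")
            attrs.setdefault(key.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def find_split_groups(text):
    """Return (posix_dn, gid, mapping_dns) for posixGroup entries lacking sambaGroupMapping."""
    posix_only, mappings = [], {}
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        gid = attrs.get("gidnumber", [None])[0]
        if "posixgroup" in classes and "sambagroupmapping" not in classes:
            posix_only.append((dn, gid))
        elif "sambagroupmapping" in classes and "posixgroup" not in classes:
            mappings.setdefault(gid, []).append(dn)
        # Assumption: the two halves of a split group share one gidNumber.
    return [(dn, gid, mappings.get(gid, [])) for dn, gid in posix_only]

if __name__ == "__main__":
    for dn, gid, maps in find_split_groups(SAMPLE_LDIF):
        print(f"{dn} (gid {gid}): mapping held by {maps or 'no entry'}")
```

An empty mapping list means the group exists only on the POSIX side and has no Samba group mapping at all.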


