[Samba] Migrating samba domain to new computer.

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Aug 30 06:54:55 MDT 2010


The localsid on a DC should be the domain sid.  You should be able to 
fix this with the "net setlocalsid" command.

Generally in Windows you want to assign permissions and rights to a 
group rather than directly to a user.  As long as your Administrator 
account is in the "Domain Admins" group and that group has a sid of 
"*****-512" you should be OK.  I don't think Samba automatically adds 
any rights or permissions to the Administrator user.  I had explicitly 
added some rights to my Administrator account after upgrading to Samba 
3.4.8 when trying to fix some other issue; it may not have been 
necessary though.


# net rpc rights list Administrator -S myserver  -U Administrator
Enter Administrator's password:
SeMachineAccountPrivilege
SeAddUsersPrivilege


I am pretty sure if you run gpedit on a windows machine and look at 
rights you will see that the rights are assigned to the Administrator 
group, not the domain administrator.




On 08/27/2010 02:56 PM, John McMonagle wrote:
> How about some more specific problems.
>
> noticed that there is no localsid.
> net getlocalsid
> [2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
>    Can't fetch domain SID for name: OSHKOSH
>
> I have seen mention that the localsid should be the same as the domainsid
> when using ldap.
> Is that true?
>
> Seen comments that the user sid for the administrator must end with -500.
> Is that true?
> Mine is not. It will be painful to change but I can deal with it.
>
> Thanks
>
> John
>
> On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
>    
>> Should have read this first:
>> http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
>>
>> Problem is I did it the wrong way on a few production systems.
>> Odds are this is the second time I did it wrong.
>>
>> Running Debian Lenny using smbldap.
>> It mostly works.
>> Existing members of the domain are working OK.
>> The first thing that got my attention was that I was not able to join a new XP
>> workstation to the domain.
>>
>> Also noticed that the server is not a member of the domain.
>> net rpc testjoin
>> [2010/08/26 14:20:26,  0]
>> rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
>>    get_schannel_session_key: could not fetch trust account password for
>> domain 'ADVOCAP'
>> [2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
>>    net_rpc_join_ok: failed to get schannel session key from server FONDY for
>> domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>> Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>
>> Can not join domain:
>>   net join -U administrator
>> Enter administrator's password:
>> [2010/08/26 14:25:48,  0] utils/net_rpc_join.c:net_rpc_join_newstyle(349)
>>    error setting trust account password: NT_STATUS_ACCESS_DENIED
>>
>> tdbdump secrets.tdb
>> does not show any entry for the server
>>
>> Looked at one of the old servers' secrets.tdb
>> and it did not have an entry for that server either.
>>
>> Any suggestions on the best way to fix this?
>>
>> John
>>      
>    
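As an added example (not from this thread and not Samba's own code): a small POSIX sh script that performs the checks the thread turns on, parsing the "SID for domain NAME is: S-1-5-21-..." line that "net getlocalsid" and "net getdomainsid" print, comparing the two, and verifying that an account SID sits in the domain with the expected well-known RID (500 for Administrator, 512 for Domain Admins). The SIDs and command output below are constructed so the script runs offline; on a real DC you would feed it the actual output of those two commands.

```shell
#!/bin/sh
# Added example, not part of the thread: offline sanity checks for the SID
# questions raised above (local SID vs. domain SID, and the well-known RIDs
# 500 for Administrator and 512 for Domain Admins). On a real DC the input
# strings would come from "net getlocalsid" and "net getdomainsid"; the
# suggested fix is the "net setlocalsid <SID>" command mentioned in the reply.

# Pull the SID out of a "SID for domain NAME is: S-1-5-21-..." line.
# Prints nothing if the line is an error such as
# "Can't fetch domain SID for name: OSHKOSH".
sid_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*is: *\(S-[0-9][0-9-]*\).*/\1/p'
}

# Last component of a SID: the RID.
sid_rid() {
    printf '%s\n' "$1" | awk -F- '{ print $NF }'
}

# SID with the RID stripped: the domain an account SID belongs to.
sid_domain() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Compare local and domain SID output. Prints "ok" when they agree, otherwise
# the "net setlocalsid" command that would bring the DC in line.
# Return: 0 = consistent, 1 = mismatch or missing local SID, 2 = no domain SID.
check_localsid() {
    cl_local=$(sid_from_output "$1")
    cl_domain=$(sid_from_output "$2")
    if [ -z "$cl_domain" ]; then
        echo "cannot determine domain SID; fix the passdb backend first"
        return 2
    fi
    if [ "$cl_local" = "$cl_domain" ]; then
        echo "ok"
        return 0
    fi
    echo "net setlocalsid $cl_domain"
    return 1
}

# True when an account SID belongs to the given domain SID and carries the
# expected well-known RID (500 for Administrator, 512 for Domain Admins).
check_rid() {
    [ "$(sid_domain "$1")" = "$2" ] && [ "$(sid_rid "$1")" = "$3" ]
}

# Constructed sample output, modelled on the thread (not real SIDs).
DOMAIN_OUT='SID for domain OSHKOSH is: S-1-5-21-1000-2000-3000'
LOCAL_BAD="Can't fetch domain SID for name: OSHKOSH"
LOCAL_GOOD='SID for domain OSHKOSH is: S-1-5-21-1000-2000-3000'
DOMAIN_SID='S-1-5-21-1000-2000-3000'
ADMIN_SID="$DOMAIN_SID-1105"        # a migrated Administrator that lacks RID 500
DOMAIN_ADMINS_SID="$DOMAIN_SID-512"

demo() {
    echo "broken DC:  $(check_localsid "$LOCAL_BAD" "$DOMAIN_OUT")"
    echo "healthy DC: $(check_localsid "$LOCAL_GOOD" "$DOMAIN_OUT")"
    if check_rid "$ADMIN_SID" "$DOMAIN_SID" 500; then
        echo "Administrator has RID 500"
    else
        echo "Administrator $ADMIN_SID does not have RID 500"
    fi
    if check_rid "$DOMAIN_ADMINS_SID" "$DOMAIN_SID" 512; then
        echo "Domain Admins has RID 512"
    fi
}
demo
```

The "broken DC" case reproduces the situation in the thread: getlocalsid fails, so the script prints the setlocalsid command built from the domain SID rather than guessing one. The RID check is deliberately strict about the domain prefix, so an account copied from an old DC with a different domain SID is flagged even if its RID happens to be 500 or 512.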


