[Samba] Migrating samba domain to new computer.
johnm at advocap.org
Mon Aug 30 13:57:26 MDT 2010
Making progress but still messed up :-(

Turned up error messages in samba and getting some error messages such as:

_samr_SetUserInfo2: root does possess sufficient rights

Odd, as I'm not using root.
My administrator account is administrator, not root.

Set up over 4 years ago and the populate script created the account like this:

gecos: Windows Administrator
description: Windows Administrator
displayName: Windows Administrator
sambaAcctFlags: [UX ]

I just ran smbldap-populate and it created:

sambaAcctFlags: [U ]
gecos: Netbios Domain Administrator

I have read some comments from people saying to have the administrator account
be named root. Has smbldap-tools or samba been changed to require the
administrator to have a uid of root?

On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
> The localsid on a DC should be the domain sid. You should be able to
> fix this with "net setlocalsid" command.
> Generally in Windows you want to assign permissions and rights to a
> group rather than directly to a user. As long as your Administrator
> account is in the "Domain Admins" group and that group has a sid of
> "*****-512" you should be OK. I don't think Samba automatically adds
> any rights or permissions to the Administrator user. I had explicitly
> added some rights to my Administrator account after upgrading to Samba
> 3.4.8 when trying to fix some other issue- it may not have been
> necessary though.
> # net rpc rights list Administrator -S myserver -U Administrator
> Enter Administrator's password:
> I am pretty sure if you run gpedit on a windows machine and look at
> rights you will see that the rights are assigned to the Administrator
> group not the domain administrator.
> On 08/27/2010 02:56 PM, John McMonagle wrote:
> > How about some more specific problems.
> > Noticed that there is no localsid.
> > net getlocalsid
> > [2010/08/27 13:48:15, 0] utils/net.c:net_getlocalsid(708)
> > Can't fetch domain SID for name: OSHKOSH
> > I have seen mention that the localsid should be the same as the domainsid
> > when using ldap.
> > Is that true?
> > Seen comments that the user sid for the administrator must end with -500.
> > Is that true?
> > Mine is not. It will be painful to change but I can deal with it.
> > Thanks
> > John
> > On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
> >> Should have read this first:
> >> http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
> >> Problem is I did it the wrong way on a few production systems.
> >> Odds are this is the second time I did it wrong.
> >> Running Debian Lenny using smbldap.
> >> It mostly works.
> >> Existing members of the domain are working OK.
> >> The first thing that got my attention is that I was not able to join a new XP
> >> workstation to the domain.
> >> Also noticed that the server is not a member of the domain.
> >> net rpc testjoin
> >> [2010/08/26 14:20:26, 0]
> >> rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
> >> get_schannel_session_key: could not fetch trust account password for
> >> domain 'ADVOCAP'
> >> [2010/08/26 14:20:26, 0] utils/net_rpc_join.c:net_rpc_join_ok(87)
> >> net_rpc_join_ok: failed to get schannel session key from server FONDY
> >> for domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >> Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >> Can not join domain:
> >> net join -U administrator
> >> Enter administrator's password:
> >> [2010/08/26 14:25:48, 0]
> >> utils/net_rpc_join.c:net_rpc_join_newstyle(349) error setting trust
> >> account password: NT_STATUS_ACCESS_DENIED
> >> tdbdump secrets.tdb
> >> does not show any entry for the server
> >> Looked at one of the old servers' secrets.tdb
> >> and it did not have an entry for that server either.
> >> Any suggestions on the best way to fix this?
> >> John
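
The two checks suggested in the quoted reply (local SID equal to the domain SID, and the administrator account in the group whose SID ends in -512), as an added example that is not part of the original thread. The LDIF sample, the dc=example,dc=org names, the SIDs and both helper functions are constructed for illustration; `local_sid` is assumed to be the value reported by "net getlocalsid".

```python
# Constructed LDIF sample (not from the thread); names and SIDs are made up.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
memberUid: administrator

dn: uid=administrator,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2996
"""

def parse_ldif(text):
    """Parse simple, unfolded LDIF into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def check_admin_sids(ldif_text, local_sid, admin_uid="administrator"):
    """Return a list of problems; an empty list means both checks passed."""
    entries = parse_ldif(ldif_text)
    problems = []
    domain = next((e for e in entries if "sambaDomain" in e.get("objectClass", [])), None)
    if domain is None:
        return ["no sambaDomain entry found"]
    domain_sid = domain["sambaSID"][0]
    if local_sid != domain_sid:  # on a DC the local SID should be the domain SID
        problems.append("local SID differs from domain SID")
    group = next((e for e in entries if e.get("sambaSID") == [domain_sid + "-512"]), None)
    if group is None:
        problems.append("no group mapped to RID 512")
    elif admin_uid not in group.get("memberUid", []):
        problems.append(f"{admin_uid} is not a member of the RID 512 group")
    return problems
```

The input can be produced by exporting the sambaDomain, group and user entries from the directory; the administrator's own RID (2996 in the sample) is not checked, since the reply ties rights to group membership.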