[Samba] Migrating samba domain to new computer.

John McMonagle johnm at advocap.org
Mon Aug 30 13:57:26 MDT 2010 

Thanks Gaiseric

Making progress but still messed up  :-(

Turned up error messages in samba and getting some error message such as:
_samr_SetUserInfo2: root does possess sufficient rights

Odd as the I'm not using root.
My administrator account is administrator not root.

Set up over 4 years ago and the populate script created account like this:
dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
cn: administrator
uid: administrator
gidNumber: 512
homeDirectory: /root
givenName: Windows
sn: Administrator
gecos: Windows Administrator
description: Windows Administrator
shadowMin: 1
shadowWarning: 10
shadowInactive: 10
shadowLastChange: 12726
displayName: Windows Administrator
sambaHomeDrive: U:
sambaDomainName: ADVOCAP
creatorsName: cn=Manager,dc=advocap,dc=org
createTimestamp: 20041104200736Z
loginShell: /bin/bash
sambaLMPassword: xx
sambaPwdLastSet: 1102083012
sambaNTPassword: xx
userPassword:: xx
shadowMax: 99999
shadowExpire: 22278
sambaPwdCanChange: 1072850418
sambaPwdMustChange: 1922119808
sambaAcctFlags: [UX         ]
uidNumber: 0
structuralObjectClass: inetOrgPerson
entryUUID: 5673eb48-e80e-1029-9225-dc2725e62f91
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
entryCSN: 20100827183656.000000Z#000000#000#000000

I just ran smbldap-populate and it created:
dn: uid=root,ou=People,dc=advocap,dc=org
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomeDrive: U:
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
loginShell: /bin/false
gecos: Netbios Domain Administrator

I have read some comments from people saying to have the administrator account  
to be named root.   Has smldap-tools or samba been changed to require the 
administrator to have uid of root?


On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
> The localsid on a DC should be the domain sid.    You should be able to
> fix this with "net setlocalsid" command.
>
> Generally in Windows you want to assign permissions and rights  to a
> group rather than directly to a user.    As long as your Administrator
> account is in the "Domain Admins" group and that group has a sid of
> "*****-512" you should be OK.    I don't think Samba automatically adds
> any rights or permissions to the Administrator user.  I had explicitly
> added some rights to my Administrator account after upgrading to Samba
> 3.4.8  when trying to fix some other issue-  it may not have been
> necessary though.
>
>
> # net rpc rights list Administrator -S myserver  -U Administrator
> Enter Administrator's password:
> SeMachineAccountPrivilege
> SeAddUsersPrivilege
>
>
> I am pretty sure if you run gpedit on a windows machine and look at
> rights you will see that the rights are assigned to the Administrator
> group not the domain administrator.
>
> On 08/27/2010 02:56 PM, John McMonagle wrote:
> > How about some more specific  problems.
> >
> > noticed that there is no localsid.
> > net getlocalsid
> > [2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
> >    Can't fetch domain SID for name: OSHKOSH
> >
> > I have seen mention that the localsid should be the same as the domainsid
> > when using ldap.
> > Is that true?
> >
> > Seen comments that the user sid for the administrator must end with -500.
> > Is that true?
> > Mine is not. it will be painfull to change but I can deal with it.
> >
> > Thanks
> >
> > John
> >
> > On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
> >> Should have read this first:
> >> http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
> >>
> >> Problem is I did it the wrong way on a few production systems.
> >> Odds are this is the second time I did it wrong.
> >>
> >> Running Debian Lenny using smbldap.
> >> It mostly works.
> >> Existing members of the domain are working OK.
> >> The first thing that got my attention is was not able to join a new xp
> >> workstation to the domain.
> >>
> >> Also noticed that the server is not a member of the domain.
> >> net rpc testjoin
> >> [2010/08/26 14:20:26,  0]
> >> rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
> >>    get_schannel_session_key: could not fetch trust account password for
> >> domain 'ADVOCAP'
> >> [2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
> >>    net_rpc_join_ok: failed to get schannel session key from server FONDY
> >> for domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >> Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >>
> >> Can not join domain:
> >>   net join -U administrator
> >> Enter administrator's password:
> >> [2010/08/26 14:25:48,  0]
> >> utils/net_rpc_join.c:net_rpc_join_newstyle(349) error setting trust
> >> account password: NT_STATUS_ACCESS_DENIED
> >>
> >> tdbdump secrets.tdb
> >> does not show any entry for the server
> >>
> >> Looked at one of the old  servers secrets.tdb
> >> and it did not have and entry for that server either.
> >>
> >> Any suggestions on the best way to fix this?
> >>
> >> John

More information about the samba mailing list