[Samba] Migrating samba domain to new computer.

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Aug 30 14:38:35 MDT 2010


I didn't use smbldap-tools.  But I think you have to configure them with 
the appropriate ldap user credentials, which is typically NOT root.
Although it looks like ldap perms are not the issue since stuff is being 
created.


So you have both a root and administrator account in /etc/passwd?

Do you have all the unix users in /etc/passwd on the new machine (or are 
you using NIS or LDAP for a common unix account backend?)

I suspect that you may need to use pdbedit or smbpasswd to manually 
create the Administrator samba account on the new machine.




On 08/30/2010 03:57 PM, John McMonagle wrote:
> Thanks Gaiseric
>
> Making progress but still messed up  :-(
>
> Turned up error messages in samba and getting some error message such as:
> _samr_SetUserInfo2: root does possess sufficient rights
>
> Odd as I'm not using root.
> My administrator account is administrator not root.
>
> Set up over 4 years ago and the populate script created account like this:
> dn: uid=administrator,ou=People,dc=advocap,dc=org
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> cn: administrator
> uid: administrator
> gidNumber: 512
> homeDirectory: /root
> givenName: Windows
> sn: Administrator
> gecos: Windows Administrator
> description: Windows Administrator
> shadowMin: 1
> shadowWarning: 10
> shadowInactive: 10
> shadowLastChange: 12726
> displayName: Windows Administrator
> sambaHomeDrive: U:
> sambaDomainName: ADVOCAP
> creatorsName: cn=Manager,dc=advocap,dc=org
> createTimestamp: 20041104200736Z
> loginShell: /bin/bash
> sambaLMPassword: xx
> sambaPwdLastSet: 1102083012
> sambaNTPassword: xx
> userPassword:: xx
> shadowMax: 99999
> shadowExpire: 22278
> sambaPwdCanChange: 1072850418
> sambaPwdMustChange: 1922119808
> sambaAcctFlags: [UX         ]
> uidNumber: 0
> structuralObjectClass: inetOrgPerson
> entryUUID: 5673eb48-e80e-1029-9225-dc2725e62f91
> sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
> sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
> entryCSN: 20100827183656.000000Z#000000#000#000000
>
> I just ran smbldap-populate and it created:
> dn: uid=root,ou=People,dc=advocap,dc=org
> cn: root
> sn: root
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSAMAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> gidNumber: 0
> uid: root
> uidNumber: 0
> homeDirectory: /home/root
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomeDrive: U:
> sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
> sambaLMPassword: XXX
> sambaNTPassword: XXX
> sambaAcctFlags: [U          ]
> sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
> loginShell: /bin/false
> gecos: Netbios Domain Administrator
>
> I have read some comments from people saying to have the administrator account
> named root.   Has smbldap-tools or samba been changed to require the
> administrator to have the uid of root?
>
>
> On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
>> The localsid on a DC should be the domain sid.    You should be able to
>> fix this with "net setlocalsid" command.
>>
>> Generally in Windows you want to assign permissions and rights  to a
>> group rather than directly to a user.    As long as your Administrator
>> account is in the "Domain Admins" group and that group has a sid of
>> "*****-512" you should be OK.    I don't think Samba automatically adds
>> any rights or permissions to the Administrator user.  I had explicitly
>> added some rights to my Administrator account after upgrading to Samba
>> 3.4.8  when trying to fix some other issue-  it may not have been
>> necessary though.
>>
>>
>> # net rpc rights list Administrator -S myserver  -U Administrator
>> Enter Administrator's password:
>> SeMachineAccountPrivilege
>> SeAddUsersPrivilege
>>
>>
>> I am pretty sure if you run gpedit on a windows machine and look at
>> rights you will see that the rights are assigned to the Administrator
>> group not the domain administrator.
>>
>> On 08/27/2010 02:56 PM, John McMonagle wrote:
>>> How about some more specific problems.
>>>
>>> noticed that there is no localsid.
>>> net getlocalsid
>>> [2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
>>>     Can't fetch domain SID for name: OSHKOSH
>>>
>>> I have seen mention that the localsid should be the same as the domainsid
>>> when using ldap.
>>> Is that true?
>>>
>>> Seen comments that the user sid for the administrator must end with -500.
>>> Is that true?
>>> Mine is not.  It will be painful to change but I can deal with it.
>>>
>>> Thanks
>>>
>>> John
>>>
>>> On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
>>>> Should have read this first:
>>>> http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
>>>>
>>>> Problem is I did it the wrong way on a few production systems.
>>>> Odds are this is the second time I did it wrong.
>>>>
>>>> Running Debian Lenny using smbldap.
>>>> It mostly works.
>>>> Existing members of the domain are working OK.
>>>> The first thing that got my attention is I was not able to join a new xp
>>>> workstation to the domain.
>>>>
>>>> Also noticed that the server is not a member of the domain.
>>>> net rpc testjoin
>>>> [2010/08/26 14:20:26,  0]
>>>> rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
>>>>     get_schannel_session_key: could not fetch trust account password for
>>>> domain 'ADVOCAP'
>>>> [2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
>>>>     net_rpc_join_ok: failed to get schannel session key from server FONDY
>>>> for domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>>> Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>>>
>>>> Can not join domain:
>>>>    net join -U administrator
>>>> Enter administrator's password:
>>>> [2010/08/26 14:25:48,  0]
>>>> utils/net_rpc_join.c:net_rpc_join_newstyle(349) error setting trust
>>>> account password: NT_STATUS_ACCESS_DENIED
>>>>
>>>> tdbdump secrets.tdb
>>>> does not show any entry for the server
>>>>
>>>> Looked at one of the old servers' secrets.tdb
>>>> and it did not have an entry for that server either.
>>>>
>>>> Any suggestions on the best way to fix this?
>>>>
>>>> John
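The thread turns on a few Samba 3 / LDAP conventions: on a DC the local SID must equal the domain SID, the built-in Administrator account carries RID 500, its primary group should be Domain Admins (RID 512), and every sambaSID must sit under the same domain SID. The script below is an added example written for this archive page, not code from the thread or from Samba or smbldap-tools. It parses an LDIF dump and reports exactly the kind of inconsistencies the thread describes (an account with uidNumber 0 whose RID is not 500, two accounts sharing uidNumber 0, a local SID that differs from the domain SID). The sample LDIF is constructed from the two entries quoted above with the password and timestamp attributes dropped; the domain SID is the one that appears in those entries.

```python
"""Consistency check for Samba 3 + LDAP domain accounts (added example)."""

# Constructed sample, modelled on the two entries quoted in the thread.
# Password hashes and timestamps are omitted; nothing here is a real secret.
SAMPLE_LDIF = """\
dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: administrator
uidNumber: 0
gidNumber: 512
sambaDomainName: ADVOCAP
sambaAcctFlags: [UX         ]
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998

dn: uid=root,ou=People,dc=advocap,dc=org
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: root
uidNumber: 0
gidNumber: 0
sambaAcctFlags: [U          ]
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
"""

# Domain SID taken from the entries quoted in the thread.
DOMAIN_SID = "S-1-5-21-3708734655-3086812103-629500990"


def parse_ldif(text):
    """Minimal LDIF reader: list of dicts mapping lower-cased attribute -> [values].

    Handles folded continuation lines (leading space) and '::' base64 markers
    (the value is kept as the raw base64 string, which is enough for SID checks).
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value = rest[1:].strip() if rest.startswith(":") else rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def split_sid(sid):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def check_entry(entry, domain_sid):
    """Per-account checks; returns a list of human-readable findings."""
    findings = []
    uid = entry.get("uid", ["?"])[0]
    sids = entry.get("sambasid")
    if not sids:
        return [f"{uid}: no sambaSID, not a Samba account"]
    dom, rid = split_sid(sids[0])
    if dom != domain_sid:
        findings.append(f"{uid}: sambaSID domain part {dom} != domain SID {domain_sid}")
    # The unix root account (uidNumber 0) is what Samba maps to the domain
    # Administrator, whose well-known RID is 500.
    if entry.get("uidnumber", [""])[0] == "0" and rid != 500:
        findings.append(f"{uid}: uid 0 account has RID {rid}, not the Administrator RID 500")
    pg = entry.get("sambaprimarygroupsid")
    if pg:
        pdom, prid = split_sid(pg[0])
        if pdom != domain_sid:
            findings.append(f"{uid}: primary group SID is outside the domain ({pdom})")
        if rid == 500 and prid != 512:
            findings.append(f"{uid}: Administrator's primary group RID {prid} is not Domain Admins (512)")
    return findings


def check_entries(entries, domain_sid, local_sid=None):
    """Whole-directory checks: per-entry findings plus duplicate uidNumber / SID."""
    findings = []
    if local_sid is not None and local_sid != domain_sid:
        findings.append(f"local SID {local_sid} != domain SID {domain_sid}; "
                        f"on a DC they should match (net setlocalsid)")
    seen = {}
    for entry in entries:
        findings += check_entry(entry, domain_sid)
        uid = entry.get("uid", ["?"])[0]
        for key in ("uidnumber", "sambasid"):
            value = entry.get(key, [None])[0]
            if value is None:
                continue
            if (key, value) in seen:
                findings.append(f"duplicate {key} {value}: {seen[(key, value)]} and {uid}")
            else:
                seen[(key, value)] = uid
    return findings


if __name__ == "__main__":
    for finding in check_entries(parse_ldif(SAMPLE_LDIF), DOMAIN_SID):
        print(finding)
```

Run against the constructed sample it reports that the administrator entry (uidNumber 0) carries RID 20998 rather than 500, and that administrator and root both claim uidNumber 0, which is the double-account state the thread ends up in. On a live system the input would be the output of an ldapsearch over ou=People, and the local SID argument the output of net getlocalsid.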