[Samba] NT4 Migration

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Sep 22 12:17:52 MDT 2010 

What do the following commands show?

     net getlocalsid
     net getdomainsid

They should be the same.

When you ran " net rpc getsid "  did you include "-S 
the_name_of_the_NT4_server" ?   Maybe it somehow talked to another 
domain controller.  If your samba machine was configured as a BDC before 
you vampired the info from the NT4 server, maybe it didn't pull the sid 
from the NT4 server.

Can you just manually change your SID in LDAP to match that from the NT4 
server?


I also found (at least with samba 3.4.x) that even if I set "ldap group 
suffix=ou=group" in smb.conf, samba would look through my whole LDAP 
tree for group entries.  I had initially tried to have separate 
"ou=group" and "ou=smb_group" containers to separate my unix groups from 
my samba group mappings.

I suspect your group mapping issue may resolve itself once you fix the 
sid mismatch.



On 09/22/2010 11:58 AM, Dermot wrote:
> Hi,
>
> I am in the process of attempting a NT4 Domain to Samba migration
> (3.2.5). I have been following the instructions at
> http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html. I am
> using an ldap backend. I am not convinced everything is set-up
> correctly.
>
> Before I began I removed all /var/lib/samba/*tdb and shutdown smb and ldap.
>
> At point 13 where you do `getent group` the Domain groups do not
> appear. They exist in the ldap tree ou=Groups.
>
> I have the joined the samba machine to the NT4 domain (point 14)
>
> When I attempt pdbedit -Lw, I get:
>
> sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
> sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
> sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain
>
> This sid is not the one that appears in my ldap sambaDomainName or
> from the `net rpc getsid ` command. Also when I attempt `netgroupmap
> list` (point 16) I get:
>   net groupmap list
> [2010/09/22 15:41:05,  0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3342)
>    ldapsam_setsamgrent: LDAP search failed: No such object
> [2010/09/22 15:41:05,  0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3417)
>    ldapsam_enum_group_mapping: Unable to open passdb
>
>
> So something is wrong but I am not sure what. Can anyone offer any advise?
> Thanks in advance,
> Dp.
>

More information about the samba mailing list