[Samba] NT4 Migration

Dermot paikkos at gmail.com
Thu Sep 23 03:21:30 MDT 2010


Thanks all for the replies. I should point out that I have only one
PDC and one NT domain. I do have several existing Samba servers that
use the domain security option.

>  10.
>
>      The LDAP management password must be installed into the secrets.tdb file as follows:
>
>     root#  smbpasswd -w not24get
>      Setting stored password for
>                  "cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb
>
>Did you run this command?

Yes, I did. I deleted secrets.tdb before I began. I ran it again to
see what the output was:
smbpasswd -w not24get
Setting stored password for "cn=admin,dc=mydomain,dc=co,dc=uk" in secrets.tdb

When I run smbldap-populate I am also prompted by smbpasswd. I am not
sure if that is correct.


>What do the following commands show?
>
>  net getlocalsid
>   net getdomainsid
>
>They should be the same.

I get an error:
net getlocalsid
[2010/09/23 08:13:01,  0] utils/net.c:net_getlocalsid(708)
  Can't fetch domain SID for name: LDAP

net getdomainsid
Could not fetch local SID

LDAP is the hostname of the local machine that I would like to
eventually migrate to. I'm wondering if that might be a poor choice of
hostname now. I checked my history and I definitely ran `net rpc -S
my_nt_server_netbios_name`; I hope it doesn't hurt to run it again.
This was the output:
Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM
in secrets.tdb

#net rpc getsid -S SPLPDC -U Administrator
Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM
in secrets.tdb
# net getdomainsid
Could not fetch local SID
# net getlocalsid
[2010/09/23 08:18:21,  0] utils/net.c:net_getlocalsid(708)
  Can't fetch domain SID for name: LDAP

I have not used net rpc vampire yet (point 17) because I haven't
passed the safety checks in point 16.


> Can you just manually change your SID in LDAP to match that from the NT4 server?

I am not entirely sure this is necessary. In my ldap tree I have an
item called sambaDomainName and that has the correct SID:

Here is the partial output from slapcat -v

# id=0000001a
dn: sambaDomainName=MYDOM,dc=mydomain,dc=co,dc=uk
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 60ea2452-56bd-102f-9b84-07665867de80
creatorsName: cn=admin,dc=mydomain,dc=co,dc=uk
createTimestamp: 20100917153835Z
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
gidNumber: 1000
sambaDomainName: MYDOM
sambaSID: S-1-5-21-900663976-1457140431-1537874043
sambaNextRid: 1000
uidNumber: 1000
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
entryCSN: 20100922144116.351528Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=co,dc=uk
modifyTimestamp: 20100922144116Z


> I also found (at least with samba 3.4.x) that even if I set "ldap group suffix=ou=group" in smb.conf, samba would look through my whole LDAP tree for group entries.  I had initially tried to have separate "ou=group" and
> "ou=smb_group" containers to separate my unix groups from my samba group mappings.
smb.conf:
        ldap admin dn = cn=admin,dc=mydomain,dc=co,dc=uk
        ldap group suffix = ou=group
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=Computer

That might be a hint. The ldap group is ou=Groups. I edited my
smb.conf, deleted secrets.tdb, and stepped through the process again.
Now `net groupmap list` gives me:
Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) -> 512
Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) -> 513
Domain Guests (S-1-5-21-1979685110-1467996072-351907979-514) -> 514
Domain Computers (S-1-5-21-1979685110-1467996072-351907979-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552

This is more like it and I may be nearly ready to vampire. However I
am worried about the errors I get now from net getlocalsid and
getdomainsid.

>
> Are you using idmap? I had this when the nextgid value in idmap went out of
> range for some bizarre reason.
>
Yes, I am using idmap.
smb.conf:
        idmap backend = ldapsam:ldap://127.0.0.1/
        idmap uid = 15000-20000
        idmap gid = 15000-20000

I don't know how to get the current or next id to find out if this is the case.

I think the question I'd like to ask the list is: do they think that
it's safe for me to continue when I am still getting errors from
getdomainsid and pdbedit does not show the root user?

Thanks,
Dp.
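The "safety checks" the poster is trying to pass before `net rpc vampire` can be scripted. The following is an added example, not code from the post or from the Samba project: it parses the text that `net getlocalsid`, `net getdomainsid`, `net rpc getsid`, `net groupmap list` and `slapcat`/`ldapsearch` print, and compares the SIDs and id ranges. The SAMPLE_* strings are the outputs quoted in the post, except the ou=idmap entry, which is constructed (the post does not show it) on the assumption that, as with Samba 3's idmap_ldap backend, the next uid/gid to allocate lives as uidNumber/gidNumber on a sambaUnixIdPool object under `ldap idmap suffix`; the uidNumber/gidNumber on the sambaDomainName entry is the separate pool smbldap-tools uses. Run against the quoted `net groupmap list` output, it reports the four Domain * mappings, because their domain part (S-1-5-21-1979685110-1467996072-351907979) is not the S-1-5-21-900663976-1457140431-1537874043 SID stored for MYDOM.

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks to run on a
# Samba 3 PDC before `net rpc vampire`. The functions parse tool output so
# they can be exercised offline on the SAMPLE_* strings below; on a real
# box feed them "$(net getlocalsid)", "$(net groupmap list)", etc.

# first_sid TEXT -> first S-1-5-21-... SID in TEXT, RID included if present
first_sid() {
    printf '%s\n' "$1" | grep -o 'S-1-5-21-[0-9][0-9-]*' | head -n 1
}

# domain_part SID -> SID with any trailing RID removed
domain_part() {
    printf '%s\n' "$1" | sed 's/^\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\).*$/\1/'
}

# net_sid_ok TEXT -> 0 if TEXT (from net getlocalsid/getdomainsid) carries a
# SID and no "Can't fetch"/"Could not fetch" error, else 1
net_sid_ok() {
    case $1 in
        *"Can't fetch"*|*"Could not fetch"*) return 1 ;;
    esac
    [ -n "$(first_sid "$1")" ]
}

# groupmap_mismatches DOMAIN_SID TEXT -> prints every `net groupmap list`
# line whose domain SID differs from DOMAIN_SID (builtin S-1-5-32 skipped)
groupmap_mismatches() {
    printf '%s\n' "$2" | grep 'S-1-5-21-' | while IFS= read -r line; do
        [ "$(domain_part "$(first_sid "$line")")" = "$1" ] || printf '%s\n' "$line"
    done
}

# groupmap_ok DOMAIN_SID TEXT -> 0 when every domain group maps to DOMAIN_SID
groupmap_ok() {
    [ -z "$(groupmap_mismatches "$1" "$2")" ]
}

# ldif_attr LDIF ATTR -> first value of ATTR in an LDIF dump
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# id_in_range VALUE LOW-HIGH -> 0 if VALUE lies inside an smb.conf idmap range
id_in_range() {
    low=${2%-*}; high=${2#*-}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}

# Sample inputs: copied from the post, except SAMPLE_IDMAP_LDIF (constructed;
# assumes an idmap_ldap-style sambaUnixIdPool under ou=idmap).
SAMPLE_DOMAINSID='Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM in secrets.tdb'
SAMPLE_LOCALSID="[2010/09/23 08:18:21,  0] utils/net.c:net_getlocalsid(708)
  Can't fetch domain SID for name: LDAP"
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) -> 512
Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) -> 513
Domain Guests (S-1-5-21-1979685110-1467996072-351907979-514) -> 514
Domain Computers (S-1-5-21-1979685110-1467996072-351907979-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548'
SAMPLE_DOMAIN_LDIF='dn: sambaDomainName=MYDOM,dc=mydomain,dc=co,dc=uk
sambaSID: S-1-5-21-900663976-1457140431-1537874043
uidNumber: 1000'
SAMPLE_IDMAP_LDIF='dn: ou=idmap,dc=mydomain,dc=co,dc=uk
objectClass: sambaUnixIdPool
uidNumber: 15003
gidNumber: 20001'
IDMAP_UID_RANGE='15000-20000'
IDMAP_GID_RANGE='15000-20000'

report() {
    dom=$(domain_part "$(first_sid "$SAMPLE_DOMAINSID")")
    echo "domain SID in secrets.tdb : $dom"
    if net_sid_ok "$SAMPLE_LOCALSID"; then
        echo "net getlocalsid           : $(first_sid "$SAMPLE_LOCALSID")"
    else
        echo "net getlocalsid           : FAILED, no SID stored under the machine name"
    fi
    if [ "$(ldif_attr "$SAMPLE_DOMAIN_LDIF" sambaSID)" = "$dom" ]; then
        echo "LDAP sambaSID             : matches"
    else
        echo "LDAP sambaSID             : DIFFERS from $dom"
    fi
    if groupmap_ok "$dom" "$SAMPLE_GROUPMAP"; then
        echo "net groupmap list         : all domain groups carry $dom"
    else
        echo "net groupmap list         : mapped to a different domain SID:"
        groupmap_mismatches "$dom" "$SAMPLE_GROUPMAP" | sed 's/^/    /'
    fi
    for pair in "uidNumber $IDMAP_UID_RANGE" "gidNumber $IDMAP_GID_RANGE"; do
        attr=${pair% *}; range=${pair#* }
        next=$(ldif_attr "$SAMPLE_IDMAP_LDIF" "$attr")
        if id_in_range "$next" "$range"; then
            echo "idmap next $attr      : $next, inside $range"
        else
            echo "idmap next $attr      : $next, OUTSIDE $range"
        fi
    done
}
report
```

The domain-SID comparison is the one that matters most before vampiring: accounts and groups pulled from the NT4 PDC are stored with the SID Samba believes is its own, so a group mapping or LDAP entry carrying a different S-1-5-21 prefix will not line up with the imported RIDs.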

