[Samba] NT4 Migration
Dermot
paikkos at gmail.com
Thu Sep 23 03:21:30 MDT 2010
Thanks all for the replies. I should point out that I have only one
PDC and one NT domain. I do have several existing Samba servers that
use the domain security option.
> 10.
>
> The LDAP management password must be installed into the secrets.tdb file as follows:
>
> root# smbpasswd -w not24get
> Setting stored password for
> "cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb
>
> Did you run this command?
Yes, I did. I deleted secrets.tdb before I began. I ran it again to
see what the output was:
smbpasswd -w not24get
Setting stored password for "cn=admin,dc=mydomain,dc=co,dc=uk" in secrets.tdb
When I run smbldap-populate I am also prompted by smbpasswd. I am not
sure if that is correct.
> What do the following commands show?
>
> net getlocalsid
> net getdomainsid
>
> They should be the same.
I get an error:
net getlocalsid
[2010/09/23 08:13:01, 0] utils/net.c:net_getlocalsid(708)
Can't fetch domain SID for name: LDAP
net getdomainsid
Could not fetch local SID
LDAP is the hostname of the local machine that I would like to
eventually migrate to. I am wondering if that might be a poor choice of
hostname now. I checked my history and I definitely ran `net rpc -S
my_nt_server_netbios_name`; I hope it doesn't hurt to run it again.
This was the output:
Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM
in secrets.tdb
# net rpc getsid -S SPLPDC -U Administrator
Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM
in secrets.tdb
# net getdomainsid
Could not fetch local SID
# net getlocalsid
[2010/09/23 08:18:21, 0] utils/net.c:net_getlocalsid(708)
Can't fetch domain SID for name: LDAP
I have not used net rpc vampire yet (point 17) because I haven't
passed the safety checks in point 16.
> Can you just manually change your SID in LDAP to match that from the NT4 server?
I am not entirely sure this is necessary. In my LDAP tree I have an
item called sambaDomainName and that has the correct SID.
Here is the partial output from slapcat -v:
# id=0000001a
dn: sambaDomainName=MYDOM,dc=mydomain,dc=co,dc=uk
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 60ea2452-56bd-102f-9b84-07665867de80
creatorsName: cn=admin,dc=mydomain,dc=co,dc=uk
createTimestamp: 20100917153835Z
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
gidNumber: 1000
sambaDomainName: MYDOM
sambaSID: S-1-5-21-900663976-1457140431-1537874043
sambaNextRid: 1000
uidNumber: 1000
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
entryCSN: 20100922144116.351528Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=co,dc=uk
modifyTimestamp: 20100922144116Z
> I also found (at least with samba 3.4.x) that even if I set "ldap group suffix=ou=group" in smb.conf, samba would look through my whole LDAP tree for group entries. I had initially tried to have separate "ou=group" and
> "ou=smb_group" containers to separate my unix groups from my samba group mappings.
smb.conf:
ldap admin dn = cn=admin,dc=mydomain,dc=co,dc=uk
ldap group suffix = ou=group
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Computer
That might be a hint. The LDAP group is ou=Groups. I edited my
smb.conf, deleted secrets.tdb, and stepped through the process again.
Now `net groupmap list` gives me:
Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) -> 512
Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) -> 513
Domain Guests (S-1-5-21-1979685110-1467996072-351907979-514) -> 514
Domain Computers (S-1-5-21-1979685110-1467996072-351907979-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
This is more like it and I may be nearly ready to vampire. However, I
am worried about the errors I get now from net getlocalsid and
getdomainsid.
>
> Are you using idmap? I had this when the nextgid value in idmap went out of
> range for some bizarre reason.
>
Yes, I am using idmap.
smb.conf:
idmap backend = ldapsam:ldap://127.0.0.1/
idmap uid = 15000-20000
idmap gid = 15000-20000
I don't know how to get the current or next id to find out if this is the case.
I think the question I'd like to ask the list is, do they think that
it's safe for me to continue when I am still getting errors from
getdomainsid and pdbedit does not show the root user?
Thanks,
Dp.
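A consistency check for the step the post is stuck on, added here as an example (not code from the thread or from Samba): it takes `net groupmap list` output and the domain's sambaSID, strips the RID from each S-1-5-21-* mapping and reports any mapping whose domain prefix is not that SID. The sample input is constructed from the values quoted above, on which it reports a mismatch, since the groupmap prefix S-1-5-21-1979685110-1467996072-351907979 is not the sambaSID S-1-5-21-900663976-1457140431-1537874043 held in LDAP.

```shell
#!/bin/sh
# Constructed sample input, copied from the values quoted in the post:
# a few `net groupmap list` lines and the sambaSID attribute from slapcat.
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) -> 512
Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) -> 513
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548'
LDAP_SAMBASID='S-1-5-21-900663976-1457140431-1537874043'

# Strip the trailing RID: S-1-5-21-a-b-c-512 -> S-1-5-21-a-b-c
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Distinct domain prefixes used by the S-1-5-21-* mappings in groupmap
# output. S-1-5-32-* entries are BUILTIN aliases and are skipped on purpose.
groupmap_domain_sids() {
    printf '%s\n' "$1" | sed -n 's/.*(\(S-1-5-21-[0-9-]*\)).*/\1/p' \
        | sed 's/-[0-9]*$//' | sort -u
}

# Exit 0 when every domain group mapping carries the domain SID held in
# LDAP (sambaSID), 1 when any mapping was created under a different SID.
# A mismatch means the well-known RIDs (512, 513, ...) resolve to a domain
# the PDC does not own, so this belongs with the checks before net rpc vampire.
check_sid_consistency() {
    groupmap="$1"
    domain_sid="$2"
    status=0
    for prefix in $(groupmap_domain_sids "$groupmap"); do
        if [ "$prefix" != "$domain_sid" ]; then
            echo "MISMATCH: mappings use $prefix, LDAP sambaSID is $domain_sid" >&2
            status=1
        fi
    done
    return "$status"
}

# Stand-alone run on the constructed sample. On a live server, pass the real
# `net groupmap list` output and the sambaSID of the sambaDomainName entry.
if check_sid_consistency "$GROUPMAP_SAMPLE" "$LDAP_SAMBASID"; then
    echo "group mappings match the LDAP domain SID"
else
    echo "group mappings do not match the LDAP domain SID"
fi
```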