[Samba] Migrating user accounts Samba 3.5.3 to Windows 2003 (2008)

Martin Hochreiter linuxbox at wavenet.at
Tue Oct 18 11:10:24 MDT 2011


On 18.10.2011 17:58, ITSEF Admin wrote:
> Hi all,
>
> I need some help with the following problem:
>
> I need to migrate a bunch of user accounts to another domain on a Windows 2003
> server (eventually to 2008R2, but that step seemed too big to do in one go).
> To keep all access rights etc. correct, I need to get the SID history set
> correctly as well.
>
> From what I've researched so far, I'm aware of
> http://lists.samba.org/archive/samba/2005-April/103743.html
> and
> http://lists.samba.org/archive/samba/2005-June/107028.html
>
> which basically state that this migration should be possible using ADMT. As
> far as I know, I have all prerequisites in place as listed in those
> postings, however, I still cannot get ADMT to run. It does find the Samba
> server and recognises it as domain controller for OLDDOMAIN, but when I ask
> it to migrate SID history as well, I get a rather cryptic error "Could not
> verify auditing and TcpipClientSupport on domains. Will not be able to
> migrate Sid's. The system cannot find the file specified." Unfortunately,
> Aunt Google does not have much on that one... Neither tshark nor Process
> Monitor nor the Samba logs provided any additional clues (that I would
> recognise), so this was a dead end for the time being.
>
> After having checked and re-checked domain trusts, administrator accounts
> (with equal passwords), SID filters being off, ... on both machines, I then
> tried a different approach: The "sidhist.vbs" script from the 2003 support
> tools, which in theory should be able to accomplish the same. However, when I
> try to run this script, I also get an error: "Error 0x800706BA, Unable to
> read the configuration information of the computer "SAMBA_DC". The error was:
> The RPC server is unavailable." I've done a lot of searching on this one as
> well, I even went as far as running tshark on the connection to see whether
> that would yield any clues - but came up empty yet again.
>
> Unfortunately, I'm now at the end of my - limited - knowledge of both Samba
> and Windows and would therefore like to ask whether anyone on this list may
> be able to hit me with the appropriate clue stick and/or point me in the
> direction of the proper TFM. Any tips for solving or even just debugging this
> are most welcome.
>
> Thanks in advance,
>
> Thomas

Hi Thomas!

We did a complete migration from Samba 3.5.9 to Windows 2008R2 - but we
did not find any Windows tool that was helpful to migrate the password
and the SID history.

So we installed an AD domain with a Win2008R2 server and joined a
Samba 4 pre 17.
Then we migrated all (6000!) accounts with the Windows-based Active
Directory Migration Tool version 2 (all higher ones are not working)
and ran a script that converted the password hash into the form in
which Samba 4 stores it and fed that, together with the SID history,
into the Samba 4 database directly (with ldbedit tools).

Samba synced that with the Win2008R2 server and that was almost working...
"Almost" means that a Windows 7 client can only authenticate (the user,
of course) if its request hits a Samba server and if the "password never
expire" flag is set.
If a user sets their password on the new AD domain then it was working
with a Win2008R2 server too.
WinXP does not show this behaviour.

We forced the users to change their passwords quickly so we could shut
down the Sambas a few days after the migration.

The Sid history was working without any problems, from the beginning.

That is/was our working way.

Regards
Martin

