[Samba] Help with migration

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon May 7 07:25:21 MDT 2012


You may want to set up a test environment.


I have not been able to get NTLMv2 working properly. I believe
enabling NTLMv2 should still allow systems to negotiate ver 2 but that didn't
happen - at least I was unable to log in from a Windows 2003 client with
a samba PDC. NTLMv2 uses better encryption for authenticating the
users than NTLM v1 but I am not sure if the actual password itself gets
stored differently in LDAP. I think the same hash mechanism is used to
store the password.


I upgraded from samba 3.0.x to samba 3.4.x (both with LDAP backend).
I believe some of the issues I found were:
  - the nobody user and nobody group need to be explicitly mapped
  - some functionality with domain trusts was fixed, other functionality broken
  - I may have needed to explicitly grant privileges to the Domain
    Administrators group. (But that may have been because I initially mixed
    up the group mapping for some groups.)


At some point joining machines to the domain got a little trickier. I
needed to make sure that some samba attributes were precreated:

        type:      sambaPrimaryGroupSID  
        value:    S-1-5-21-XXX-XXX-XXX-515

        type:      sambaAccountFlags
        value:     [W         ]


I am not sure if this issue happened with samba 3.4.x or would have
happened in 3.1.x, 3.2.x or 3.3.x. It may also be a schema checking
hiccup on the LDAP server.




On 05/07/12 05:54, Denis Fateyev wrote:
> Hello Alejandro,
>
> Probably to check all the details you need to create a build environment,
> at first. It's the general advice. As for your question, I had samba-3.5
> server (upgraded from 3.0.28) which was able to authenticate all windows:
> from win98 to win7 (domain members). So I think it's possible to do.
> Actually I cannot recall any problems I had during the upgrade process,
> except very little ones. I used 'SerNet' samba builds (btw, many thanks to
> them!)
>
> ---
> wbr, Denis.
>
>
> On Fri, May 4, 2012 at 8:17 PM, Alejandro Iacobelli <
> aiacobelli at khutech.com.ar> wrote:
>
>> Hello to all, my name is Alejandro and I have a little question to anyone
>> of this list.
>>
>>  I've created, 6 years ago, an ldap+smb project for a big company. Back
>> then, samba (Lenny server) only worked with NT hashes but now (Squeeze
>> server) they want to authenticate with Win7 (ntlm2 protocols), and
>> configuring Windows 7 to accept old NT hashes is not an exit. I want to
>> update ONLY the smb package from samba (2:3.2.5-4lenny15) to samba
>> (2:3.5.6~dfsg-3squeeze8).
>> PS: I'm using an OLD and modified by myself openldap version so I can't
>> touch it.
>>
>>  My question is this:
>>
>>
>>  Has any of you done this kind of migration at any time? Can you give me
>> advice?
>>
>>  I need to know if something could go wrong in the relation with openldap.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
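
An added example, not part of the original messages: one way to check an LDIF export for machine accounts that lack the two attributes named in the reply above (sambaPrimaryGroupSID ending in RID 515, and the W flag in sambaAccountFlags) before and after an upgrade. It assumes machine accounts are the entries whose uid ends in `$`; the sample entries, the `dc=example,dc=com` suffix and the domain SID are constructed placeholders.

```python
# Added example, not from the thread. SAMPLE_LDIF is constructed; the SID is a placeholder.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=com
uid: ws01$
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-515
sambaAccountFlags: [W          ]

dn: uid=ws02$,ou=Computers,dc=example,dc=com
uid: ws02$
sambaAccountFlags: [U          ]

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaAccountFlags: [U          ]
"""

def parse_ldif(text):
    """Yield one dict per entry; handles plain 'attr: value' lines only."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and anything that is not attr: value
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        yield entry

def audit_machine_accounts(text):
    """Return {dn: [problems]} for entries whose uid ends in '$' (assumed machine accounts)."""
    findings = {}
    for entry in parse_ldif(text):
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue  # user account, not checked here
        problems = []
        sids = entry.get("sambaprimarygroupsid", [])
        if not any(s.endswith("-515") for s in sids):
            problems.append("sambaPrimaryGroupSID missing or not RID 515")
        flags = entry.get("sambaaccountflags", [""])[0]
        if "W" not in flags.strip("[] "):
            problems.append("sambaAccountFlags lacks W")
        if problems:
            findings[entry["dn"][0]] = problems
    return findings

if __name__ == "__main__":
    for dn, problems in audit_machine_accounts(SAMPLE_LDIF).items():
        print(dn, "->", "; ".join(problems))
```

The parser does not handle base64 (`attr:: value`) or folded LDIF lines, so run it on an export where these two attributes appear as plain text.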


