[Samba] How to install a replacement PDC?

Chris Smith smb_77 at chrissmith.org
Tue Jul 30 08:12:34 MDT 2013

On Mon, Jul 29, 2013 at 6:47 AM,  <samba1 at nym.hush.com> wrote:
> I’d appreciate some pointers on what to do. I don’t want to have
> the exact same users on the new Debian server (some of the users on
> the Unix server have left) so was hoping to just create users and
> groups manually rather than copy existing files across. Do I need
> to edit the UIDs and GIDs somehow, and then export/import some
> password/security files? I’ve seen that on the Unix server there’s
> a file named /etc/smbpasswd, but that isn’t on the Debian server,
> so I’m wondering if they’re using a different type of security back-
> end…  Is there a command which will report this, or which smb.conf
> parameters will identify this? I don’t do a lot of this stuff, so
> any help would be appreciated.

Most likely it would be simplest to copy the old Samba
configuration to the new system. Update the smb.conf for necessary
changes (review all of the Changelogs from the old version to the new
version), change from the smbpasswd backend to the tdbsam backend (the
new default), then remove the users you no longer want or need.

Having said that, I just finished migrating an NT4 PDC with Exchange
5.5 to two new VMs; the PDC part to a new Debian Samba installation
"by hand" (the long way), and the Exchange 5.5 part to a new NT4
server install (sounds like fun, right?). Fortunately the client
install base was under 25 so doing it the long way was not out of the
question. Had I been moving between Samba versions I would not even
have been tempted to do anything except follow the first paragraph.

Basically, in the long way, you need the same domain SID, the same
user SIDs and I believe also the same machine SIDs (I manually set
all of these as well), etc. and the proper group mappings (no longer
automatic, see chapter 9 of the official howto). Then you'll have to
"rejoin" all machines to the new PDC although really you are just
resetting the trust password. The UID/GIDs are meaningless to the
Windows side, no need to mess with those, although I prefer to use
different ranges for Windows users and Machines (and also a different
group for Machines - just a nicety for scripting later on). Done
properly the users will see no difference when they log in to the
domain, same profile, etc.
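
Added example, not part of the original post and not Samba's own tooling: a helper for the first approach in the reply above. `passdb_backend` reads the backend setting from an smb.conf, and `removal_plan` prints, for review, the `pdbedit -x` commands for accounts absent from a keep list while leaving machine accounts alone. The function names, the keep-list file and the sample data are assumptions made for the example.

```bash
#!/bin/sh
# Added example, not from the thread. Assumes the classic smbpasswd layout
# name:uid:LMhash:NThash:[flags]:LCT-...: and a keep list of one name per line.

# Print the "passdb backend" set in [global] of an smb.conf, or "unset".
# Names are matched as Samba does (case and whitespace ignored); "include"
# lines and backslash continuations are not followed.
passdb_backend() {  # usage: passdb_backend <smb.conf>
  awk '
    /^[ \t]*[#;]/ { next }                        # comment line
    /^[ \t]*\[/ {                                 # section header
      sec = tolower($0); gsub(/[ \t\r]/, "", sec)
      sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    sec == "global" && (eq = index($0, "=")) {
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
      val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (key == "passdbbackend") found = val     # a later setting overrides
    }
    END { print (found == "" ? "unset" : found) }
  ' "$1"
}

# Print, for review only, the "pdbedit -x" commands for user accounts in the
# old smbpasswd file that are not in the keep list. Machine accounts (names
# ending in "$") are never listed: they carry the workstation trust passwords.
removal_plan() {  # usage: removal_plan <smbpasswd file> <keep list>
  awk -F: '
    FILENAME == ARGV[1] {                         # first file: the keep list
      gsub(/[ \t\r]/, ""); if ($0 != "") keep[tolower($0)] = 1; next
    }
    /^[ \t]*#/ || NF < 4 { next }                 # comments, malformed lines
    $1 ~ /\$$/ { next }                           # machine trust account
    !(tolower($1) in keep) { printf "pdbedit -x -u \047%s\047\n", $1 }
  ' "$2" "$1"
}

demo() (  # constructed sample data; the 32-X fields are placeholder hashes
  d=$(mktemp -d); x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  printf '[Global]\n  PassDB Backend = smbpasswd\n' > "$d/smb.conf"
  printf '%s\n' "alice:1001:$x:$x:[U          ]:LCT-00000000:" \
    "bob:1002:$x:$x:[U          ]:LCT-00000000:" \
    "ws01\$:2001:$x:$x:[W          ]:LCT-00000000:" > "$d/smbpasswd"
  echo alice > "$d/keep"
  echo "passdb backend: $(passdb_backend "$d/smb.conf")"
  removal_plan "$d/smbpasswd" "$d/keep"
  rm -rf "$d"
)
demo
```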

