[Samba] Seamless update from Samba 2 to Samba 3 on a new server - Samba


  1. [Samba] Seamless update from Samba 2 to Samba 3 on a new server

    Hi,

    I'm new to the list, I hope I'm posting at the right place.

    I'm having a hard time trying to update and to move my Samba 2.2 PDC to a
    new Debian server.

    Currently, the PDC is using Samba 2.2.8 on a Solaris Server. My goal is to
    move it to another computer, and to update it to a newer version (3.0.24).
    This must be fully transparent for the users, since I have no time to
    disjoin and to rejoin the domain on all machines.
    I'm using the smbpassword backend, and a NIS server. The NIS stores all
    the Unix accounts, but the machine accounts are local.
    The domain name is SMBDOM.
    The PDC is called aldebaran, and has the Netbios name PDC.

    I've caught the SID of the old machine with smbpasswd -X SMBDOM, which is
    the same as the one I get with smbpasswd -X PDC.

    Now, I've installed my Samba 3 server on the new machine, which uses the
    same hostname and the same Netbios name.
    I've set the SID to the old domain one, using net setlocalsid
    olddomainsid, and net setlocalsid olddomainsid.

    I've also copied the smb.conf, and the secrets.tdb, and done the group
    mappings.
    Here is the result of the net groupmap list command :

    testpdc:/var/log/samba# net groupmap list
    Domain Admins (S-1-5-21-2616637325-650964048-2930221742-512) -> adminasr
    Domain Computers (S-1-5-21-2616637325-650964048-2930221742-515) -> machines


    The problem is that the old domain computers can't join the new domain.
    I'm having the message "Windows can't connect... The server might not be
    running, or your machine account has not been found..." or something
    like that.

    Here is what I can see in the logs :

    [2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
    creds_server_check: credentials check failed.
    [2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
    _net_auth2: creds_server_check failed. Rejecting auth request from
    client CYANN machine account CYANN$
    [2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
    creds_server_check: credentials check failed.
    [2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
    _net_auth2: creds_server_check failed. Rejecting auth request from
    client CYANN machine account CYANN$


    When running pdbedit -vL with my username for example, everything seems
    fine :

    testpdc:/var/log/samba# pdbedit -vL marinier
    Unix username: marinier
    NT username:
    Account Flags: [UX ]
    User SID: S-1-5-21-2616637325-650964048-2930221742-3324
    Primary Group SID: S-1-5-21-2616637325-650964048-2930221742-513
    Full Name: Florian Marinier
    Home Directory: \\pdc\marinier
    HomeDir Drive: u:
    Logon Script: montage.bat marinier
    Profile Path:
    Domain: SMBDOM
    Account desc:
    Workstations:
    Munged dial:
    Logon time: 0
    Logoff time: Tue, 19 Jan 2038 04:14:07 CET
    Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
    Password last set: Fri, 04 Apr 2008 15:53:44 CEST
    Password can change: Fri, 04 Apr 2008 15:53:44 CEST
    Password must change: Tue, 19 Jan 2038 04:14:07 CET
    Last bad password : 0
    Bad password count : 0
    Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

    The SID is the right one.

    When running pdbedit -vL cyann$ (which is one of my machine accounts)

    testpdc:/var/log/samba# pdbedit -vL cyann$
    Unix username: cyann$
    NT username:
    Account Flags: [W ]
    User SID: S-1-5-21-2616637325-650964048-2930221742-2820
    Primary Group SID: S-1-5-21-2616637325-650964048-2930221742-515
    Full Name: Trust Account
    Home Directory:
    HomeDir Drive: (null)
    Logon Script:
    Profile Path:
    Domain: SMBDOM
    Account desc:
    Workstations:
    Munged dial:
    Logon time: 0
    Logoff time: Tue, 19 Jan 2038 04:14:07 CET
    Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
    Password last set: Wed, 18 Apr 2007 18:28:27 CEST
    Password can change: Wed, 18 Apr 2007 18:28:27 CEST
    Password must change: Tue, 19 Jan 2038 04:14:07 CET
    Last bad password : 0
    Bad password count : 0
    Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

    the SID and domain are the right ones...
    But I still can't log in

    I may have an answer, but I'd be glad to have a confirmation :
    On my old Solaris server, my machines group had the GID 101.
    And on my new Debian Server, the GID 101 is already used by Crontab, so I
    chose another GID.

    Could this be the source of all my problems?

    PS : However, when I disjoin and rejoin the domain, everything seems OK.

    Does anyone have a clue?

    Thanks,

    Florian

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
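
When many workstations are affected, the rejection pattern in the log excerpt above can be tallied per machine account. This is an added example, not part of the original post or of Samba; the sample log is constructed in the quoted layout, and WS-EXAMPLE$ and the function names are invented for illustration.

```python
import re

# Constructed sample in the smbd log layout quoted in the post: a header line,
# then message text that may wrap onto the following lines.
SAMPLE_LOG = """\
[2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
  creds_server_check: credentials check failed.
[2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
  client CYANN machine account CYANN$
[2008/05/23 15:21:30, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
  client CYANN machine account CYANN$
[2008/05/23 15:22:10, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
  client WS-EXAMPLE machine account WS-EXAMPLE$
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+)")
REJECT = re.compile(r"creds_server_check failed\. Rejecting auth request from "
                    r"client (\S+) machine account (\S+)")

def iter_entries(text):
    """Yield (timestamp, source, message) with wrapped message lines rejoined."""
    stamp, source, body = None, None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, source, " ".join(body)
            stamp, source, body = m.group(1), m.group(3), []
        elif stamp and line.strip():
            body.append(line.strip())
    if stamp:
        yield stamp, source, " ".join(body)

def rejected_machine_accounts(text):
    """Map machine account -> {client, count, first, last} for rejected auths."""
    out = {}
    for stamp, _source, msg in iter_entries(text):
        m = REJECT.search(msg)
        if m:
            rec = out.setdefault(m.group(2), {"client": m.group(1), "count": 0,
                                              "first": stamp, "last": stamp})
            rec["count"] += 1
            rec["last"] = stamp
    return out
```
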


  2. Re: [Samba] Seamless update from Samba 2 to Samba 3 on a new server

    I forgot to post the first section of my smb.conf :

    [global]
    workgroup = SMBDOM
    netbios name = PDC
    smb passwd file = /etc/samba/smbpasswd
    server string = controleur du domaine SMBDOM
    encrypt passwords = Yes
    passwd program = /usr/bin/passwd %U
    unix password sync = no
    ; passwd chat = *New*password*%n\n*Retype*new*password*%n\n*passwd :*all*authentification*tokens*updated*successfully *
    log level = 2
    log file = /var/log/samba/pdc-log.%m
    max log size = 250
    name resolve order = wins hosts lmhosts bcast
    logon path =
    logon drive = u:
    logon home = \\%L\%U
    logon script = montage.bat %U
    domain logons = Yes
    preexec = /etc/samba/netlogon/cree_dir.sh %U
    domain master = Yes
    wins support = yes
    dns proxy = yes
    socket options = TCP_NODELAY
    guest account = nobody
    os level = 65
    preferred master = Yes
    ; interfaces = 163.9.34.7/255.255.255.0
    ; bind interfaces only = yes
    remote announce = 163.9.100.255 192.168.24.255 192.168.23.255




  3. Re: [Samba] Seamless update from Samba 2 to Samba 3 on a new server

    Florian,

    An obvious question maybe, but does your local passwd file contain the machine
    accounts? And why do you copy the secrets.tdb? I think that's not needed.

    Remy









  4. Re: [Samba] Seamless update from Samba 2 to Samba 3 on a new server

    Thanks for your answer Remy.

    Yes, my local passwd and shadow files do contain the machine accounts.
    In fact, the NIS only stores the user accounts.

    I've copied the secrets.tdb according to Chapter 8 of the Samba doc,
    and especially the "Replacing a Domain Controller" part, here :
    http://www.samba.org/samba/docs/man/....html#id385896



  5. Re: [Samba] Seamless update from Samba 2 to Samba 3 on a new server

    > I've copied the Secrets.tdb according to the Chapter 8 of the Samba doc,
    > and especially "Replacing a Domain Controller" part, here :
    > http://www.samba.org/samba/docs/man/....html#id385896


    Correct. But the doc also says:

    --
    All Samba servers, other than one that uses LDAP, depend on the tdb files, and
    particularly on the secrets.tdb file. So long as the tdb files are all in
    place, the smb.conf file is preserved, and either the hostname is identical or
    the netbios name is set to the original server name, Samba should correctly
    pick up the original SID and preserve all other settings. It is sound advice
    to validate this before turning the system over to users.
    --

    You wrote you used 'net setlocalsid' to set the SID. According to the doc
    this isn't necessary.

    -Remy
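
One way to carry out the validation the quoted documentation recommends, limited to the SID and group checks that the first post did by hand with pdbedit -vL. This is an added example, not from the thread or the Samba project; the oldbox$ account and its SID are constructed, the function names are hypothetical, and the listing shown here carries no password data, so a stale machine password is outside what it can check.

```python
DOMAIN_SID = "S-1-5-21-2616637325-650964048-2930221742"  # domain SID quoted in the thread
RID_DOMAIN_COMPUTERS = "515"  # well-known RID, mapped to "machines" in the thread

# Constructed sample: abridged `pdbedit -vL` records; oldbox$ is an invented
# account carrying a made-up domain SID and the wrong primary group.
SAMPLE = """\
Unix username: marinier
Account Flags: [UX ]
User SID: S-1-5-21-2616637325-650964048-2930221742-3324
Primary Group SID: S-1-5-21-2616637325-650964048-2930221742-513
---------------
Unix username: cyann$
Account Flags: [W ]
User SID: S-1-5-21-2616637325-650964048-2930221742-2820
Primary Group SID: S-1-5-21-2616637325-650964048-2930221742-515
---------------
Unix username: oldbox$
Account Flags: [W ]
User SID: S-1-5-21-1111111111-2222222222-3333333333-2821
Primary Group SID: S-1-5-21-2616637325-650964048-2930221742-513
"""

def parse_records(text):
    """Split pdbedit -vL output into one {field: value} dict per account."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # separator or blank line
        if key.strip() == "Unix username":
            records.append({})
        if records:
            records[-1][key.strip()] = value.strip()
    return records

def audit(text, domain_sid=DOMAIN_SID):
    """Return (account, problem) pairs for records that do not fit the domain."""
    findings = []
    for rec in parse_records(text):
        name = rec.get("Unix username", "?")
        is_machine = "W" in rec.get("Account Flags", "")  # workstation trust flag
        for field in ("User SID", "Primary Group SID"):
            prefix, _, rid = rec.get(field, "").rpartition("-")
            if prefix != domain_sid:
                findings.append((name, field + " outside domain SID"))
            elif is_machine and field == "Primary Group SID" and rid != RID_DOMAIN_COMPUTERS:
                findings.append((name, "machine account not in Domain Computers"))
    return findings
```
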
