After a frightening experience with W2K Active Directory, we've been considering an "emergency migration" to Samba. I've been looking at both 2.2.7 and the latest 3.0 alpha, but have found little information about migrating from W2K. Most information seems to be about Windows NT PDC.

What I've tried is to pull the information from the AD tree with pwdump3 and put it in the smbpasswd file, with some small conversions. I've taken the domain SID and put it in DOMAIN.SID and created all the corresponding UNIX accounts for the computers.

Unfortunately, the clients are still experiencing problems when logging into the moved domain. Even a level 10 log doesn't tell me anything specific about what's going on; it keeps repeating that the user authenticated correctly. But on the W2K client, the users only get the information that their password/username was incorrect.

With 3.0 alpha, I also struggled a bit first with getting the group bits right to map Domain Users to the users unix group, but I think I got that one down.

Does anyone have any information to share? I'm beginning to think that this kind of migration is not possible, and that we should burn for allowing the migration from Windows NT to Windows 2000 in the first place :-)

--
Jonas Öberg
Systems administrator/webmaster, Department of Informatics,
School of Economics and Commercial Law, Gothenburg University.
Phone. +46-31-7732717, Fax. +47-31-7734754

Jonas, try to create a user for your win2k machines like this...

Linux System > Machine$
Samba System > Machine

Replace Machine by your machine name...

...

----- Original Message -----
From: "Jonas Oberg" <jonas@informatik.gu.se>
To: <samba@lists.samba.org>
Sent: Tuesday, December 10, 2002 10:58 AM
Subject: [Samba] Migrating W2K AD to Samba?

> After a frightening experience with W2K Active Directory, we've been
> considering an "emergency migration" to Samba. I've been looking at
> both 2.2.7 and the latest 3.0 alpha, but have found little information
> about migrating from W2K. Most information seems to be about Windows
> NT PDC.
>
> What I've tried is to pull the information from the AD tree with
> pwdump3 and put it in the smbpasswd file, with some small
> conversions. I've taken the domain SID and put it in DOMAIN.SID and
> created all the corresponding UNIX accounts for the computers.
>
> Unfortunately, the clients are still experiencing problems when
> logging into the moved domain. Even a level 10 log doesn't tell me
> anything specific about what's going on; it keeps repeating that the
> user authenticated correctly. But on the W2K client, the users only
> get the information that their password/username was incorrect.
>
> With 3.0 alpha, I also struggled a bit first with getting the group
> bits right to map Domain Users to the users unix group, but I think I
> got that one down.
>
> Does anyone have any information to share? I'm beginning to think that
> this kind of migration is not possible, and that we should burn for
> allowing the migration from Windows NT to Windows 2000 in the first
> place :-)
>
> --
> Jonas Öberg
> Systems administrator/webmaster, Department of Informatics,
> School of Economics and Commercial Law, Gothenburg University.
> Phone. +46-31-7732717, Fax. +47-31-7734754

On Tue, Dec 10, 2002 at 01:58:22PM +0100, Jonas Oberg wrote:

> After a frightening experience with W2K Active Directory, we've been
> considering an "emergency migration" to Samba. I've been looking at
> both 2.2.7 and the latest 3.0 alpha, but have found little information
> about migrating from W2K. Most information seems to be about Windows
> NT PDC.
>
> What I've tried is to pull the information from the AD tree with
> pwdump3 and put it in the smbpasswd file, with some small
> conversions. I've taken the domain SID and put it in DOMAIN.SID and
> created all the corresponding UNIX accounts for the computers.

This won't work. You'll need to re-add all the clients to the Samba domain. The user passwords should still be valid, it's the machine accounts you'll need to re-create. Don't use the same SID. The clients will get confused as AD-PDC features will appear to have gone from the PDC. Treat it as a new domain with the same user passwords.

> Unfortunately, the clients are still experiencing problems when
> logging into the moved domain. Even a level 10 log doesn't tell me
> anything specific about what's going on; it keeps repeating that the
> user authenticated correctly. But on the W2K client, the users only
> get the information that their password/username was incorrect.

Once the clients are using AD, they'll expect to see all the features of an AD PDC. You need to re-add them to the Samba domain as a "downlevel", i.e. NT4.x, domain.

Let us know how this goes.

Jeremy.
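
A consistency check for the machine accounts discussed in this thread, as an added example that is not part of any poster's message: it cross-checks smbpasswd entries whose names end in `$` against the UNIX account list. It assumes the Samba 2.2-style smbpasswd layout (`name:uid:LM hash:NT hash:[flags]:LCT-...:`); the function names, account names and file contents are constructed, with placeholder hashes.

```python
# Added example: sanity-check machine trust accounts after re-creating them.
# All data below is constructed; the hash fields are placeholders.
X32 = "X" * 32

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
ws01$:x:2001:200:Machine ws01:/dev/null:/bin/false
ws03$:x:2003:200:Machine ws03:/dev/null:/bin/false
"""

SAMPLE_SMBPASSWD = f"""\
# constructed smbpasswd entries
alice:1001:{X32}:{X32}:[U          ]:LCT-3DF5E0A2:
ws01$:2001:{X32}:{X32}:[W          ]:LCT-3DF5E0A2:
ws02$:2002:{X32}:{X32}:[W          ]:LCT-3DF5E0A2:
ws03$:2003:{X32}:{X32}:[U          ]:LCT-3DF5E0A2:
"""

def parse_passwd(text):
    """Map UNIX account name -> uid from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            accounts[fields[0]] = int(fields[2])
    return accounts

def parse_smbpasswd(text):
    """Yield (name, uid, flags) for each well-formed smbpasswd entry."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 5 or not fields[1].isdigit():
            continue
        yield fields[0], int(fields[1]), fields[4].strip("[] ")

def check_machine_accounts(passwd_text, smbpasswd_text):
    """Return (account, problem) pairs for machine entries needing attention."""
    unix = parse_passwd(passwd_text)
    problems = []
    for name, uid, flags in parse_smbpasswd(smbpasswd_text):
        if not name.endswith("$"):
            continue  # ordinary user entry, not a machine account
        if "W" not in flags:
            problems.append((name, "missing-W-flag"))  # not a workstation trust
        if name not in unix:
            problems.append((name, "missing-unix-account"))
        elif unix[name] != uid:
            problems.append((name, "uid-mismatch"))
    return problems

if __name__ == "__main__":
    for account, problem in check_machine_accounts(SAMPLE_PASSWD, SAMPLE_SMBPASSWD):
        print(f"{account}: {problem}")
```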