Alexandru Ionica
2003-Oct-08 18:00 UTC
[Samba] Migrating from win2k pdc to samba3 + ldap + pam + nss
So here is the setup now: pam working, ldap working, samba working, passwd sync works great both ways (linux accounts > win accounts; win > lin). I'm using another domain name for the new pdc.

Today I tried to migrate all the accounts from the Win2k PDC and I got into problems. I changed in smb.conf the domain name to the one of the win PDC, joined my samba into the domain and did a net rpc vampire, text flashed :) , and accounts were imported. Everything seemed to be ok. I changed the domain name to the new one, and restarted samba. I tried to login to the domain from a win 2k workstation previously joined into the new domain. None of the imported accounts worked.

I read some more docs and tried:

scorpius:~# /usr/local/samba/bin/net groupmap modify ntgroup='Domain Users' unixgroup=users
net: /build/buildd/openldap2-2.0.23/libraries/liblber/decode.c:500: ber_scanf: Assertion `(( ber )->ber_opts.lbo_valid==0x2)' failed.
Aborted

If I try the same thing with "Domain Admins" -> root it doesn't work at all and says group not found:

scorpius:~# /usr/local/samba/bin/net groupmap modify ntgroup='Domain Admins' unixgroup=root
[2003/10/08 10:43:38, 0] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(1954)
  ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database

scorpius:~# /usr/local/samba/bin/net groupmap list
Users (S-1-5-32-545) -> users
Domain Admins (S-1-5-21-682003330-616249376-1417001333-512) -> Domain Admins
Domain Users (S-1-5-21-682003330-616249376-1417001333-513) -> Domain Users
Domain Guests (S-1-5-21-682003330-616249376-1417001333-514) -> Domain Guests
Administrators (S-1-5-32-544) -> Administrators
Guests (S-1-5-32-546) -> Guests
Account Operators (S-1-5-32-548) -> Account Operators
Server Operators (S-1-5-32-549) -> Server Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicator (S-1-5-32-552) -> Replicator
Domain Computers (S-1-5-21-682003330-616249376-1417001333-515) -> Domain Computers

So any ideas? I think I can't use the accounts because of the different sid. I can't add old accounts by hand, because I have around 2000 users, so it is a must to migrate.

Thanks

--
Permission to live...DENIED!
Andrew Bartlett
2003-Oct-11 07:30 UTC
[Samba] Migrating from win2k pdc to samba3 + ldap + pam + nss
On Thu, 2003-10-09 at 04:00, Alexandru Ionica wrote:
> So here is the setup now: pam working, ldap working, samba working, passwd
> sync works great both ways (linux accounts > win accounts; win > lin). I'm
> using another domain name for the new pdc. Today I tried to migrate all
> the accounts from the Win2k PDC and I got into problems. I changed in
> smb.conf the domain name to the one of the win PDC, joined my samba into
> the domain and did a net rpc vampire, text flashed :) , and accounts
> were imported. Everything seemed to be ok.

> I changed the domain name to the new one, and restarted samba.

This seems to be the critical failure here. You must not rename the domain - ever. You imported the users under one domain, you must keep that name. Furthermore, you must import the users under the name that they came from.

Kill all the accounts, and try again.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
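
Added example, not part of either message and not Samba project code: a small shell check for the "different sid" suspicion raised in the thread. It reads a listing in the `net groupmap list` format shown above and reports every domain mapping whose SID does not belong to the expected domain. The function names, the "Staff" line and its SID are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input format: "ntgroup (SID) -> unixgroup", as printed by
# `net groupmap list` in the thread.

# Domain SID used as the expected value here: the one that appears in the
# thread's listing. On a live server, `net getlocalsid` reports it.
PAGE_DOMAIN_SID='S-1-5-21-682003330-616249376-1417001333'

# Sample input: three lines from the thread plus one constructed line
# ("Staff") carrying a constructed SID from some other domain.
sample_listing() {
    cat <<'EOF'
Users (S-1-5-32-545) -> users
Domain Admins (S-1-5-21-682003330-616249376-1417001333-512) -> Domain Admins
Domain Users (S-1-5-21-682003330-616249376-1417001333-513) -> Domain Users
Staff (S-1-5-21-1111111111-2222222222-3333333333-1201) -> staff
EOF
}

# domain_part SID: drop the trailing RID, leaving the domain SID.
domain_part() { printf '%s\n' "${1%-*}"; }

# foreign_mappings EXPECTED_DOMAIN_SID  (listing on stdin)
# Prints "ntgroup<TAB>sid" for each domain mapping whose SID belongs to a
# different domain; returns 1 if any was found, 0 otherwise.
foreign_mappings() {
    expected=$1
    found=0
    while IFS= read -r line; do
        sid=${line##*\(}        # text after the last "("
        sid=${sid%%\)*}         # ... up to the next ")"
        name=${line%% \(S-*}    # NT group name before " (S-"
        case $sid in
            S-1-5-21-*) ;;      # domain-relative SID: check it
            *) continue ;;      # BUILTIN (S-1-5-32-*) or unparsable line
        esac
        if [ "$(domain_part "$sid")" != "$expected" ]; then
            printf '%s\t%s\n' "$name" "$sid"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Demo on the sample input: reports only the constructed "Staff" mapping.
sample_listing | foreign_mappings "$PAGE_DOMAIN_SID" || echo 'foreign SIDs found' >&2
```

BUILTIN aliases (S-1-5-32-*) are skipped because they are the same in every domain, so only S-1-5-21-* entries can reveal a domain mismatch.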