We're trying to migrate from a windows NT domain to a Samba domain. I've installed Samba 3.0.2a with an LDAP backend. The server seems to be running fine as I can browse the shares from a non-domain Win2k workstation after a successful password check. The workstations join the domain just fine but after I join them to the domain I can't log in to them. I've checked my schannel and sign or seal settings in the Samba server and the workstation but still no luck. Any help is greatly appreciated, I've been working at this for about two months now and I'm just getting frustrated.
Did you configure nss and pam to work with ldap? Do you have netlogon share path world writable?

-----Original Message-----
From: Scott Gross <SGross@newsgroupwest.com>
Sent: Friday, 27. Feb 2004 15:22 -0800
To: samba@lists.samba.org
Subject: [Samba] Can't login to Samba PDC

> We're trying to migrate from a windows NT domain to a Samba domain. I've
> installed Samba 3.0.2a with an LDAP backend. The server seems to be running
> fine as I can browse the shares from a non-domain Win2k workstation after a
> successful password check. The workstations join the domain just fine but
> after I join them to the domain I can't log in to them. I've checked my
> schannel and sign or seal settings in the Samba server and the workstation
> but still no luck. Any help is greatly appreciated, I've been working at
> this for about two months now and I'm just getting frustrated.
On Fri, 2004-02-27 at 16:22, Scott Gross wrote:
> We're trying to migrate from a windows NT domain to a Samba domain. I've
> installed Samba 3.0.2a with an LDAP backend. The server seems to be running
> fine as I can browse the shares from a non-domain Win2k workstation after a
> successful password check. The workstations join the domain just fine but
> after I join them to the domain I can't log in to them. I've checked my
> schannel and sign or seal settings in the Samba server and the workstation
> but still no luck. Any help is greatly appreciated, I've been working at
> this for about two months now and I'm just getting frustrated.
----
Not enough information to give a meaningful answer.

1 - signorseal settings applicable to Samba 2.x not 3.x

2 - logs? why would you think that /var/log/samba/smbd.log, /var/log/samba/log.nmbd, /var/log/samba/ip.of.connecting.system wouldn't give you real clues to what's going on?

3 - migrate? as in net rpc vampire? - how certain are you that LDAP is working? Does LDAP handle linux login? Are you logging ldap connections etc?

4 - you seem to have not stated the required - I have read the 'how-to' at <http://us1.samba.org/samba/docs/man/>

5 - net getlocalsid / ldapsearch -x -h localhost -b 'base-of-ldap' '(cn=Domain User)' #do the sid portions match?

Craig
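Check 5 in the reply above, as an added example that is not part of the original thread: it takes the SID printed by `net getlocalsid` and flags every sambaSID / sambaPrimaryGroupSID in an ldapsearch dump whose domain portion differs. The base DN, domain name, host name and SID values are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). All sample values below are constructed.

# Pull the SID out of `net getlocalsid` output:
#   "SID for domain EXAMPLEDOM is: S-1-5-21-..."
local_sid() {
    sed -n 's/^SID for domain .* is: *\(S-[0-9-]*\).*$/\1/p' | head -n 1
}

# Read LDIF on stdin and print "dn<TAB>attribute<TAB>value" for every
# sambaSID / sambaPrimaryGroupSID whose domain portion is not $1.
# No output means every domain-relative SID agrees with the server.
sid_mismatches() {
    awk -v want="$1" '
    function check(l,    i, name, val, dom) {
        if (l ~ /^dn: /) { dn = substr(l, 5); return }
        i = index(l, ": ")
        if (i == 0) return
        name = substr(l, 1, i - 1)
        if (tolower(name) != "sambasid" &&
            tolower(name) != "sambaprimarygroupsid") return
        val = substr(l, i + 2)
        # Well-known and builtin SIDs (e.g. S-1-5-32-544) carry no domain part.
        if (val !~ /^S-1-5-21-/) return
        dom = val
        sub(/-[0-9]+$/, "", dom)        # strip the trailing RID
        # The sambaDomain entry stores the bare domain SID, hence val == want.
        if (val != want && dom != want) print dn "\t" name "\t" val
    }
    # ldapsearch folds long lines; a leading space continues the previous one.
    /^ / { line = line substr($0, 2); next }
    { if (line != "") check(line); line = $0 }
    END { if (line != "") check(line) }
    '
}

# Constructed stand-in for `net getlocalsid` output.
sample_net_output() {
    cat <<'EOF'
SID for domain EXAMPLEDOM is: S-1-5-21-1111111111-2222222222-3333333333
EOF
}

# Constructed stand-in for an ldapsearch dump; the machine account carries a
# SID from another domain, folded across two lines as ldapsearch would do.
sample_ldif() {
    cat <<'EOF'
dn: sambaDomainName=EXAMPLEDOM,dc=example,dc=com
objectClass: sambaDomain
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=root,ou=_USERS_,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: cn=Domain Users,ou=_GROUPS_,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: cn=Administrators,ou=_GROUPS_,dc=example,dc=com
sambaSID: S-1-5-32-544

dn: uid=ws01$,ou=_COMPUTERS_,dc=example,dc=com
sambaSID: S-1-5-21-9999999999-8888888888-77777
 77777-3004
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-515
EOF
}

# Live use on the Samba server (ldapsearch flags as used in the thread):
#   sid=$(net getlocalsid | local_sid)
#   ldapsearch -x -h localhost -b 'base-of-ldap' '(sambaSID=*)' | sid_mismatches "$sid"
sid=$(sample_net_output | local_sid)
echo "server domain SID: $sid"
sample_ldif | sid_mismatches "$sid"
```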
Let's keep this on list - there are a lot brighter people than I am on this stuff...

On Fri, 2004-02-27 at 19:58, Scott Gross wrote:
> 3 - migrate? as in net rpc vampire? - how certain are you that LDAP is
> working? Does LDAP handle linux login? Are you logging ldap connections
> etc?
>
> migrate as in move from one to the other. I'm trying to get the Samba
> server running while we're using NT4 and then I will move my users and
> workstations to the new domain. I'm going to move them one machine and user
> at a time manually. Yes LDAP handles the linux logins as well and this is
> working. I haven't set-up the LDAP to log the logins but this is something
> I want to do as well.
----
OK - I am trying to understand what you are telling me.

I can't possibly envision a scenario that you can make this work - moving one computer and one user over at a time. The computer accounts continually change their passwords.

This is what the net rpc vampire command is designed to do, move the machine accounts, user accounts and group accounts over to new setup while still retaining all the SID structure. It indeed works - I know because I did it.

That is not to say that it is without its problems but it is - the intended method and I learned a long time ago about the benefit to calculate wind direction before I start peeing.

If you really feel as though you have LDAP set up properly - it appears that you have a grasp on it since you can run ldapsearch from command line (I am shocked at the number of people that think they have LDAP running and can't query LDAP), then you really should just slapcat your current setup, dump it, slapadd the stuff you need into LDAP and use the net rpc vampire and suck it all in. You should have no problem getting it to simultaneously add the posixAccount & sambaSamAccount properties - the only things that you may have to reconcile are 1 - existing accounts in posixland that you want to be both posix & samba (perhaps you have overlap and different passwords/uid's) and 2 - It's hard to pull the plug on the existing NT 4 server because it probably has file & print shares that you wanna keep around...try shutting off the netlogon service AFTER - you change the settings in smb.conf to make it PDC like and restarting smbd/nmbd. It will still be mostly functional

Craig
Please keep this on list...

The logical thing to do would be to keep your NT server as the PDC. Set up samba not to be a domain controller at all but as a member server to the domain (join that machine to the domain - using password server PDC / security = domain and net join ...)

That way, you can create all of the users, join all the machines, set up roaming profiles (on the 'member' server) and get all ready. Then, when you are ready, you can do the net rpc vampire command and suck all of the user accounts/machine accounts/groups into your LDAP.

Craig

On Mon, 2004-03-01 at 09:34, Scott Gross wrote:
> I was planning to do each machine manually rather than using scripts to move
> the users as I have to change a lot of things on the users PC to keep them
> running after I move them to the new domain. So my intention was to join
> the computer to the new domain, add the user to the Samba domain then
> configure their PC for the new e-mail system and such. I have to do about
> 100 workstations in many different locations and a slow change over with no
> problems is preferable to a faster one where users might experience
> problems.
>
> This having been said I'm still having problems that after I join the
> workstation to the new domain I can't login to it.
First thing is...please keep this on list

Second thing is...if NT is a PDC, then machine accounts should be created on that system - You can't simultaneously have a Windows & Samba PDC/BDC of any combination. How would you be sure which machine is getting the machine accounts and which machine is handling the authentication?

Craig

On Mon, 2004-03-01 at 09:48, Scott Gross wrote:
> First thing is first. I need to be able to join a machine to the domain and
> be able to login to the domain. This is just to test and make sure the new
> Samba server is working. This is the problem I'm having and what I'm
> looking for help on. Not how to migrate my users.
On Mon, 2004-03-01 at 10:42, Scott Gross wrote:
> First thing is what list do you keep talking about? Am I not supposed to
> be asking about Samba things in this list?
>
---
The Samba list is the list I am specifically referring to. Every time you hit the 'reply' button, it replies only to me. If you hit 'reply to all' it will also reply to the samba list. Every reply I have hit, I have added the samba@lists.samba.org to the address because you seem to only want to reply to me. Thus, you would be asking Samba things to the samba list if you would only include the samba list in your replies.
---
> Second is the domain names are different. That is how you can tell which
> domain you are logging into. Why don't you try helping with the problem or
> let someone else if you don't want to.
>
---
I would be happy to let someone else help you - you have to actually post to the list instead of just emailing me.

If the domain names are different, then your usage of the term migrate in your original email was misleading and I'm sorry it took me 4 emails to get this information out of you.

Evidently, the method you are using to 'join' the domain with the computer isn't functioning properly. Are you putting the computer accounts in the 'People' container? Is root a samba member? Do you use the Win2K/WinXP wizard to join the domain?

Craig
Sorry, when I was hitting reply I thought it was going back to the list not just to you. I wasn't paying attention to the address line in the e-mail. I'm not using the windows wizard to join the domain but I am doing the join from the windows workstation. I'm not big on some of the wizards so I use the change button (from windows XP computer name screen) or the properties button (from Win2K network identification screen). The computer is being added to the _COMPUTERS_ container in my LDAP with the appropriate trailing $ (uid=fife3400sales02$,ou=_COMPUTERS_). The domain portion of all SIDs is the same (User-Group-Computer-sambaDomainName). When the workstation tries to authenticate the user I can see the connection to IPC$ on the samba server. 'uid=root,ou=_USERS_' is a sambaSamAccount and is a member of 'cn=Domain Users,ou=_GROUPS_'. I did just notice that 'cn=Domain Computers,ou=_GROUPS_' doesn't have any members in it. Do I need to add the computers to this group?

> -----Original Message-----
> From: Craig White [mailto:craigwhite@azapple.com]
> Sent: Monday, March 01, 2004 10:16 AM
> To: Scott Gross
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Can't login to Samba PDC
>
> On Mon, 2004-03-01 at 10:42, Scott Gross wrote:
> > First thing is what list do you keep talking about? Am I not supposed to
> > be asking about Samba things in this list?
> >
> ---
> The Samba list is the list I am specifically referring to. Every time you
> hit the 'reply' button, it replies only to me. If you hit 'reply to all'
> it will also reply to the samba list. Every reply I have hit, I have
> added the samba@lists.samba.org to the address because you seem to only
> want to reply to me. Thus, you would be asking Samba things to the samba
> list if you would only include the samba list in your replies.
> ---
> > Second is the domain names are different. That is how you can tell which
> > domain you are logging into. Why don't you try helping with the problem or
> > let someone else if you don't want to.
> >
> ---
> I would be happy to let someone else help you - you have to actually
> post to the list instead of just emailing me.
>
> If the domain names are different, then your usage of the term migrate
> in your original email was misleading and I'm sorry it took me 4 emails
> to get this information out of you.
>
> Evidently, the method you are using to 'join' the domain with the
> computer isn't functioning properly. Are you putting the computer
> accounts in the 'People' container? Is root a samba member? Do you use
> the Win2K/WinXP wizard to join the domain?
>
> Craig