samba - Dec 2007 - Can not add a new NT Workstation to a new (vampired) samba domain

I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux server 
(samba 3.0.24).

This was with a completely fresh install of debian.

My smb.conf is pretty simple:

[global]
     workgroup = BUTLER
     netbios name = STAR3
     passdb backend = tdbsam
     domain master = No
     domain logons = Yes
     os level = 33
     add user script = /usr/sbin/useradd -m '%u'
     delete user script = /usr/sbin/userdel -r '%u'
     add group script = /usr/sbin/groupadd '%g'
     delete group script = /usr/sbin/groupdel '%g'
     add user to group script = /usr/sbin/usermod -G '%g' '%u'
     add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null
'%u'
#     wins server = [IP of wins server]

[files]
        comment = SAMBA File Server
        path = /home/files
        read only = No

In addition I have the following smbusers file:

star3:/etc/samba# cat smbusers
root = Administrator


testparm tells me this setup will give me a BDC.

I first added the samba server (star3) to the old NT4 PDC using the 
server manager tool
and then did a:

net rpc join -S nova -UAdministrator%password

This worked and I was able to access the machine from the PDC.

I then did a vampire:

net rpc vampire -S nova -W BUTLER -UAdministrator%password

and this worked for most of the user accounts and machine accounts 
(there were some that
had errors, but these were mostly for old users or machines that were 
long since gone), these
errors look like:

Creating account: chris
[2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
  Unable to modify passwd TDB! Error: Record does not exist occured 
while storing the main record (USER_chris)
Creating account: ECLIPSE$
[2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
  Unable to modify passwd TDB! Error: Record does not exist occured 
while storing the main record (USER_eclipse$)
Creating account: GALAXY$
[2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
  Unable to modify passwd TDB! Error: Record does not exist occured 
while storing the main record (USER_galaxy$)

In the case of GALAXY$, this is a current machine and it did seem to 
function afterwards, though maybe
its using stored credentials still?

After the vampiring I shut down the NT4 PDC (nova) and did various login 
and file sharing tests
and the main accounts (including Administrator) all seemed to work. The 
samba box was still
functioning in BDC role.

I then decided to try adding a new Windows XP Pro workstation to the 
domain (it had previously
been a member, but I had removed it from the old domain to experiment 
with moving user profiles between
domains).

When I told it to join the domain it returned an error telling me that 
it could not find the domain.
So I thought "maybe a BDC cannot join new machines to the domain".
(The
NT4 PDC was switched
off at this time).

So then I stopped samba and set:

domain master = yes
wins support = yes

and restarted samba.

Then when I tried to add the machine I got a Windows error dialog saying:

   The following error occurred while attempting to join the domain 
"Butler":
   The user name could not be found.

I was using the "Administrator" user name, and I was able to log into
the BUTLER domain on another Windows box as the Administrator and
access the file share on the samba box and create new files in the folder
owned by Administrator.

I googled this for a bit last night and found quite a few references to this
error, but nothing really conclusive.

Any suggestions?

Thanks

Stephen.

On Mon, 2007-12-10 at 07:17 -0700, Stephen Vermeulen
wrote:
> I was using the "Administrator" user name, and I was able to log
into
> the BUTLER domain on another Windows box as the Administrator and
> access the file share on the samba box and create new files in the
> folder
> owned by Administrator.
> 
> I googled this for a bit last night and found quite a few references
> to this
> error, but nothing really conclusive.
> 
> Any suggestions?
Raise your log level and make sure your machine add script is indeed
working properly (also make sure you do not have nscd running, or make
it so that add * script scrripts you have properly tell nscd to refresh
their status as nscd do negative caching too).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>

Stephen Vermeulen wrote:
> I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux 
> server (samba 3.0.24).
>
> This was with a completely fresh install of debian.
>
> I first added the samba server (star3) to the old NT4 PDC using the 
> server manager tool
> and then did a:
>
> net rpc join -S nova -UAdministrator%password
>
> This worked and I was able to access the machine from the PDC.
>
> I then did a vampire:
>
> net rpc vampire -S nova -W BUTLER -UAdministrator%password
>
> and this worked for most of the user accounts and machine accounts 
> (there were some that
> had errors, but these were mostly for old users or machines that were 
> long since gone), these
> errors look like:
I checked the SIDs of the original NT4 PDC and the samba BDC (after net 
vampire had
run) and they were different.  Could this be causing problems? According 
to this microsoft article:

http://www.microsoft.com/technet/sysinternals/Utilities/NewSid.mspx

"... a BDC's relationship to a Domain is identified by it having the 
same computer SID as the other Domain Controllers (DCs)."


Stephen

Stephen Vermeulen wrote:
> I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux 
> server (samba 3.0.24).
>
> This was with a completely fresh install of debian.
>
>
...
> I then decided to try adding a new Windows XP Pro workstation to the 
> domain (it had previously
> been a member, but I had removed it from the old domain to experiment 
> with moving user profiles between
> domains).
>
> When I told it to join the domain it returned an error telling me that 
> it could not find the domain.
> So I thought "maybe a BDC cannot join new machines to the
domain".
> (The NT4 PDC was switched
> off at this time).
>
> So then I stopped samba and set:
>
> domain master = yes
> wins support = yes
>
> and restarted samba.
>
> Then when I tried to add the machine I got a Windows error dialog saying:
>
>   The following error occurred while attempting to join the domain 
> "Butler":
>   The user name could not be found.
>
> I was using the "Administrator" user name, and I was able to log
into
> the BUTLER domain on another Windows box as the Administrator and
> access the file share on the samba box and create new files in the folder
> owned by Administrator.
Since the BDC SID was not the same as the PDC's SID I used the net command
to fetch the SID from the PDC and write it to the BDC. Now a "net 
getlocalsid"
reports the same SID. 

Shouldn't net vampire have made the BDC have the same SID as the PDC?

After doing this the error changed to "Access is denied"

I then redid the net vampire, but this did not change things.

I have increased the log level to 2 and the following log file section
is what happens when I try to add the new machine.  Also, here is the 
current
version of the smb.conf file:

star4:/etc/samba# cat smb.conf
[global]
     workgroup = BUTLER
     netbios name = STAR4
     passdb backend = tdbsam
     domain master = Yes
     domain logons = Yes
     wins support = yes
     os level = 40
     log level = 2
     add user script = /usr/sbin/useradd -m '%u'
     delete user script = /usr/sbin/userdel -r '%u'
     add group script = /usr/sbin/groupadd '%g'
     delete group script = /usr/sbin/groupdel '%g'
     add user to group script = /usr/sbin/usermod -G '%g' '%u'
     add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null
'%u'
#     wins server = [IP of wins server]

[files]
        comment = SAMBA File Server
        path = /home/files
        read only = No

star4:/etc/samba#

And the log.smbd file:

[2007/12/10 14:45:44, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=STAR4           name2=TULLY         
[2007/12/10 14:45:44, 2] smbd/reply.c:reply_special(503)
  netbios connect: local=star4 remote=tully, name type = 0
[2007/12/10 14:45:44, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 192.168.128.103. Error 
Connection reset by peer
[2007/12/10 14:45:44, 0] lib/util_sock.c:send_smb(769)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2007/12/10 14:45:44, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2007/12/10 14:45:44, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2007/12/10 14:45:44, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [administrator] -> 
[administrator] -> [Administrator] succeeded
[2007/12/10 14:45:44, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/12/10 14:45:45, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=STAR4           name2=TULLY         
[2007/12/10 14:45:45, 2] smbd/reply.c:reply_special(503)
  netbios connect: local=star4 remote=tully, name type = 0
[2007/12/10 14:45:45, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 192.168.128.103. Error 
Connection reset by peer
[2007/12/10 14:45:45, 0] lib/util_sock.c:send_smb(769)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2007/12/10 14:45:45, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2007/12/10 14:45:45, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2007/12/10 14:45:45, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [administrator] -> 
[administrator] -> [Administrator] succeeded
[2007/12/10 14:45:45, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/12/10 14:45:45, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
  Returning domain sid for domain BUTLER -> 
S-1-5-21-1965320917-1955335400-7473742
[2007/12/10 14:45:45, 0] passdb/pdb_tdb.c:tdbsam_open(818)
  tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
[2007/12/10 14:45:45, 0] passdb/pdb_tdb.c:tdb_update_sam(1335)
  tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!

You can see the the machine being added is called "TULLY" and the PDC
is
called "STAR4"
and the problem seems to be right near the end with:

tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
[2007/12/10 14:45:45, 0] passdb/pdb_tdb.c:tdb_update_sam(1335)
  tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!

Any ideas?  Or should I increase the log level...

Thanks,

Stephen

Stephen Vermeulen wrote:
> I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux 
> server (samba 3.0.24).
>
> This was with a completely fresh install of debian.
>
> My smb.conf is pretty simple:
>
> [global]
>     workgroup = BUTLER
>     netbios name = STAR3
>     passdb backend = tdbsam
>     domain master = No
>     domain logons = Yes
>     os level = 33
>     add user script = /usr/sbin/useradd -m '%u'
>     delete user script = /usr/sbin/userdel -r '%u'
>     add group script = /usr/sbin/groupadd '%g'
>     delete group script = /usr/sbin/groupdel '%g'
>     add user to group script = /usr/sbin/usermod -G '%g'
'%u'
>     add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null 
> '%u'
> #     wins server = [IP of wins server]
>
> [files]
>        comment = SAMBA File Server
>        path = /home/files
>        read only = No
>
> In addition I have the following smbusers file:
>
> star3:/etc/samba# cat smbusers
> root = Administrator
>
>
> testparm tells me this setup will give me a BDC.
>
> I first added the samba server (star3) to the old NT4 PDC using the 
> server manager tool
> and then did a:
>
> net rpc join -S nova -UAdministrator%password
>
> This worked and I was able to access the machine from the PDC.
>
> I then did a vampire:
>
> net rpc vampire -S nova -W BUTLER -UAdministrator%password
>
> and this worked for most of the user accounts and machine accounts 
> (there were some that
> had errors, but these were mostly for old users or machines that were 
> long since gone), these
> errors look like:
What would be the best way (apart from reinstalling Linux) to clean up 
the system
between tests of this?  Deleting all the *.tdb files? What about the 
unix accounts
that the vampire produces?  What about the unix groups it creates?

Thanks,

Stephen

Stephen Vermeulen wrote:
> I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux 
> server (samba 3.0.24).
>
> This was with a completely fresh install of debian.
>
> My smb.conf is pretty simple:
>
> [global]
>     workgroup = BUTLER
>     netbios name = STAR3
>     passdb backend = tdbsam
>     domain master = No
>     domain logons = Yes
>     os level = 33
>     add user script = /usr/sbin/useradd -m '%u'
>     delete user script = /usr/sbin/userdel -r '%u'
>     add group script = /usr/sbin/groupadd '%g'
>     delete group script = /usr/sbin/groupdel '%g'
>     add user to group script = /usr/sbin/usermod -G '%g'
'%u'
>     add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null 
> '%u'
> #     wins server = [IP of wins server]
>
> [files]
>        comment = SAMBA File Server
>        path = /home/files
>        read only = No
>
> In addition I have the following smbusers file:
>
> star3:/etc/samba# cat smbusers
> root = Administrator
>
>
> testparm tells me this setup will give me a BDC.
>
> I first added the samba server (star3) to the old NT4 PDC using the 
> server manager tool
> and then did a:
>
> net rpc join -S nova -UAdministrator%password
>
> This worked and I was able to access the machine from the PDC.
>
> I then did a vampire:
>
> net rpc vampire -S nova -W BUTLER -UAdministrator%password
>
> and this worked for most of the user accounts and machine accounts 
> (there were some that
> had errors, but these were mostly for old users or machines that were 
> long since gone), these
> errors look like:
>
> Creating account: chris
> [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
>  Unable to modify passwd TDB! Error: Record does not exist occured 
> while storing the main record (USER_chris)
> Creating account: ECLIPSE$
> [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
>  Unable to modify passwd TDB! Error: Record does not exist occured 
> while storing the main record (USER_eclipse$)
> Creating account: GALAXY$
> [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
>  Unable to modify passwd TDB! Error: Record does not exist occured 
> while storing the main record (USER_galaxy$)
>
> In the case of GALAXY$, this is a current machine and it did seem to 
> function afterwards, though maybe
> its using stored credentials still?
>
> After the vampiring I shut down the NT4 PDC (nova) and did various 
> login and file sharing tests
> and the main accounts (including Administrator) all seemed to work. 
> The samba box was still
> functioning in BDC role.
>
> I then decided to try adding a new Windows XP Pro workstation to the 
> domain (it had previously
> been a member, but I had removed it from the old domain to experiment 
> with moving user profiles between
> domains).
>
> When I told it to join the domain it returned an error telling me that 
> it could not find the domain.
> So I thought "maybe a BDC cannot join new machines to the
domain".
> (The NT4 PDC was switched
> off at this time).
>
> So then I stopped samba and set:
>
> domain master = yes
> wins support = yes
>
> and restarted samba.
>
> Then when I tried to add the machine I got a Windows error dialog saying:
>
>   The following error occurred while attempting to join the domain 
> "Butler":
>   The user name could not be found.
>
> I was using the "Administrator" user name, and I was able to log
into
> the BUTLER domain on another Windows box as the Administrator and
> access the file share on the samba box and create new files in the folder
> owned by Administrator.
>
> I googled this for a bit last night and found quite a few references 
> to this
> error, but nothing really conclusive.
>
> Any suggestions?
>
> Thanks
>
> Stephen.
>
I believe I have this working now as I have been able to add new
machines to my samba-based PDC in a couple of tests.  I still need
to do another pass through everything to make certain, but it appears
that doing the following three commands on the Linux box as root
was all that was needed:

star4:/etc/samba# net rpc getsid -S nova -UAdministrator%password
Storing SID S-1-5-21-1965320917-1955335400-7473742 for Domain BUTLER in 
secrets.tdb

star4:/etc/samba# net setlocalsid S-1-5-21-1965320917-1955335400-7473742

star4:/etc/samba# smbpasswd

Now if you review procedure 36.1 (in Chapter 36: Migration of NT4 PDC to 
Samba-3 PDC
in the Official Samba 3.2.x HOWTO and Reference Guide) you'll see that it:

1. does not mention the need to set the "smbpasswd"
2. does not mention the need to copy the NT4 PDC SID into the BDC

and to add to the confusion the "net rpc getsid" utility SAYS is is 
storing the domain's SID
into the BDC's secrets.tdb, but when I did a "net getlocalsid" 
afterwards I found that the BDC's
SID has NOT been changed and for this reason I needed to do the "net 
setlocalsid".

Thinking about this I'm guessing that because the smbpasswd for root had 
not been
set (as that was not in the migration guide steps) the "set rpc
getsid"
actually was not
able to write to the secrets.tdb file and it should have written an 
error instead of the
incorrect success message.

Perhaps the "net rpc vampire" should have copied the domain SID into
the
BDC as well,
and perhaps that had also silently failed because the smbpasswd had not 
been set?  It
could also be that vampiring intentionally does not copy the SID, so 
that if you are vampiring
from several domains you don't get confused?

The next step for me will be to repeat these tests with a fresh Linux 
install to see what is
really missing from Procedure 36.1.  I'm thinking that a:

Step 0: smbpasswd

is required, and then I'll check the BDC's SID after step 3 (net rpc 
vampire) to see if
the domain SID was copied across, and if not, then I'll copy it across 
into the BDC
as step 3.1.

Thanks,

Stephen