There appear to be significant hurdles to migrating from a Microsoft to Samba PDC environment, something which I've been trying to do now for many months. The difficulties arise in moving user's accounts over to Samba

1. Local profiles. It does not seem to be possible to move from an NT4 PDC to a Samba PDC while retaining local profiles. NT4/W2k machines consider logons to the Samba PDC to be new users, even when the Samba machine SID is the same as the NT4 SID, and machine accounts have been ported over using pwdump2.

OK, so let's try....

2. Roaming profiles. Although these work correctly with NT4 workstations, there remains an unresolved "Access Denied" problem on logons with W2k machines, whether or not "nt acl support = no" is present in the [profiles] section of smb.conf. Various postings on the lists from people having this problem but no solutions.

OK, bite the bullet and have every user start from a blank profile...

3. This results in various apps on the workstations choking because they now can't find registry keys.

OK, re-install Windows on every workstation and all the apps. Alternatively forget about any of this, just keep the NT4 PDC running and enjoy a quiet life.

I've trawled the lists over the last few months trying to find answers to this dilemma, as well as positing questions (back to last December) specifically on 1, which for us is by far the simplest solution. No responses, well not recently, and I don't know whether that's because

a. The answer's blindingly obvious to everyone else.
b. Nobody does this kind of thing.
c. Nobody has a solution.
d. It's impossible anyway.

Any advice on this greatly appreciated.

Cheers
Tim Allen

Andrew Bartlett
2002-Jul-20 07:38 UTC
[Samba] Three reasons for staying with Microsoft PDC's
Tim Allen wrote:
>
> There appear to be significant hurdles to migrating from a Microsoft to
> Samba PDC environment, something which I've been trying to do now for many
> months. The difficulties arise in moving user's accounts over to Samba
>
> 1. Local profiles. It does not seem to be possible to move from an NT4 PDC
> to a Samba PDC while retaining local profiles. NT4/W2k machines consider
> logons to the Samba PDC to be new users, even when the Samba machine SID is
> the same as the NT4 SID, and machine accounts have been ported over using
> pwdump2.

Samba does not send back 'null' strings easily - if the passdb comes up with 'null' it uses the default. Perhaps by setting 'logon path' etc to "" it might help. Or it might not.

> OK, so let's try....
>
> 2. Roaming profiles. Although these work correctly with NT4 workstations,
> there remains an unresolved "Access Denied" problem on logons with W2k
> machines, whether or not "nt acl support = no" is present in the [profiles]
> section of smb.conf. Various postings on the lists from people having this
> problem but no solutions.

We will need a bit more detail to get anywhere on this.

> OK, bite the bullet and have every user start from a blank profile...
>
> 3. This results in various apps on the workstations choking because they now
> can't find registry keys.
>
> OK, re-install Windows on every workstation and all the apps. Alternatively
> forget about any of this, just keep the NT4 PDC running and enjoy a quiet
> life.

Samba's PDC support is not complete, and migration support is almost completely lacking. This is a simple matter of developer time. Without a commercial backer for Samba's PDC support, it is left to those with free time to put at the issue. For Samba HEAD, that's mostly me ATM - and others when they get time. We have new developers starting on PDC stuff, but it takes time, and this stuff is *complex*.

(Samba's file and print code had the support of companies like Quantum and HP - and in particular their QA departments. Never underestimate the power of a good QA department on a product).

> I've trawled the lists over the last few months trying to find answers to
> this dilemma, as well as positing questions (back to last December)
> specifically on 1, which for us is by far the simplest solution. No
> responses, well not recently, and I don't know whether that's because
>
> a. The answer's blindingly obvious to everyone else.
> b. Nobody does this kind of thing.

Only Samba HEAD has even a start of a solution on the RID issue, so it's really a matter of 'we haven't done much here yet'. I hope this stuff will improve.

> c. Nobody has a solution.
> d. It's impossible anyway.

We are working on it - slowly. :-)

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net