hello,
I am trying to migrate NT4 to Samba. The passwd backend is LDAP.
The migration itself works fine, but after that I cannot log on from the
Windows XP clients to the domain. -> I have to rejoin the client to the domain, then it works.
Is this a bug or a feature?
The sambaNTPassword then changes in the LDAP database.
Here is part of my smb.conf:
------------------- snip -----------------
workgroup = holladie
preferred master = yes
domain master = no
local master = yes
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost
domain logons = yes
logon path = \\%N\profiles\%U
logon drive = Z:
logon home = \\%N\%U
logon script = logon.cmd
ldap suffix = dc=schmeich,dc=tux
ldap admin dn = cn=root,dc=schmeich,dc=tux
ldap user suffix =ou=mitarbeiter
ldap machine suffix =ou=rechner
ldap group suffix =ou=gruppen
ldap ssl = no
ldap delete dn = no
add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel.pl "%u"
add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel.pl "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d /dev/null -g domcomputers -s /bin/false "%u"
-----------------snap---------------------------------
Here are the steps of my migration:
1. smbldap-groupadd.pl -g 512 -r 512 domadmins
   smbldap-groupadd.pl -g 513 -r 513 domusers
   smbldap-groupadd.pl -g 514 -r 514 domguests
   smbldap-groupadd.pl -g 515 -r 515 domcomputers
1. smbd and nmbd don't run
2. net rpc join -S WALDFEE -w HOLLADIE -U administrator%blabla
3. net rpc testjoin
   Join to 'HOLLADIE' is OK
4. net rpc vampire -S waldfee -U Administrator%blabla
   works fine and sorts all users into the right groups
5. I switch the NT PDC off
6. I change "domain master = yes"
7. I restart smb and nmb
8. I restart the client
9. I can't log in to the domain
Here is a part of log.smb:
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/18 18:22:03, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/03/18 18:22:03, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/03/18 18:22:03, 5] smbd/uid.c:change_to_root_user(218)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/03/18 18:22:03, 2] smbd/server.c:exit_server(558)
Closing connections
[2004/03/18 18:22:03, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2004/03/18 18:22:03, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name failed with error Record does
not exist.
[2004/03/18 18:22:03, 5] smbd/oplock.c:receive_local_message(107)
receive_local_message: doing select with timeout of 1 ms
[2004/03/18 18:22:03, 3] smbd/server.c:exit_server(601)
Server exit (normal exit)
Where is my error?
Greetings
--
- thomas will -
- xinux --- networking - security - consulting - training -
- fon 06332 44040 - fax 06332 44041 - mobil 0170 52 18 548 -
- 66482 zweibruecken - wichernstr.18 - http://www.xinux.de -
* Thomas Will <thomas.will@xinux.de> wrote:
> windows xp clients
> to the domain. -> i have to rejoin the client to the domain then it works
> is this a bug or feature?
> the sambaNTPassword change then in ldap data base

rpc vampire seems unable to retrieve the machine hashes correctly.
How long has the client machine been joined to the NT domain?

--beast
Thomas Will wrote:
| i try to migrate nt4 to samba. the passwd-backend is ldap.
| the migration itself works fine but after that, i cannot logon from the
| windows xp clients
| to the domain. -> i have to rejoin the client to the domain then it works
| [smb.conf and migration steps snipped]
| 9. i can't login to the domain

It seems to me that you have missed one important step: setting the same Domain SID for your Samba server that your NT server had, using

net getlocalsid
net setlocalsid

(Please remember that all machines in a Windows Domain have both local security accounts and Domain security accounts, except the DC, where local security = domain security.)

Cheers,
Geza
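The check Geza describes can be automated: compare the SID that `net getlocalsid` reports for the Samba server with the domain part of the sambaSID values that `net rpc vampire` wrote into the ldapsam backend. The script below is an added example, not code from the thread or from the Samba project. It runs offline on constructed sample data; the `net getlocalsid` output format it parses ("SID for domain NAME is: S-1-5-21-...") and the LDIF excerpt are assumptions of this example, and in real use the two inputs would come from `net getlocalsid` and an `ldapsearch` over the ldap suffix.

```python
import re

# Constructed sample: assumed output of `net getlocalsid` on the new Samba PDC.
# The SID values are made up for this example.
GETLOCALSID_OUTPUT = (
    "SID for domain WALDFEE is: S-1-5-21-1111111111-2222222222-3333333333\n"
)

# Constructed sample: an LDIF excerpt of what the vampire run might have stored
# in ldapsam. The user, machine and group entries all carry SIDs under the
# *old* NT4 domain SID, which differs from the Samba server's local SID above.
SAMPLE_LDIF = """\
dn: uid=thomas,ou=mitarbeiter,dc=schmeich,dc=tux
objectClass: sambaSamAccount
uid: thomas
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1000

dn: uid=pc01$,ou=rechner,dc=schmeich,dc=tux
objectClass: sambaSamAccount
uid: pc01$
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1002

dn: cn=domadmins,ou=gruppen,dc=schmeich,dc=tux
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-512
"""

# A domain SID is S-1-5-21 followed by three sub-authorities; account SIDs
# append a RID after that prefix.
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")


def parse_local_sid(output):
    """Return (domain_name, domain_sid) from assumed `net getlocalsid` output."""
    m = re.search(r"SID for domain (\S+) is: (S-1-5-21-\d+-\d+-\d+)", output)
    if not m:
        raise ValueError("could not find a domain SID in getlocalsid output")
    return m.group(1), m.group(2)


def parse_ldif_sids(ldif):
    """Collect (dn, sambaSID) pairs from an LDIF dump of the ldapsam entries."""
    entries = []
    dn = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[len("dn: "):]
        elif line.startswith("sambaSID: "):
            entries.append((dn, line[len("sambaSID: "):]))
    return entries


def domain_part(sid):
    """Strip the RID: return the S-1-5-21-X-Y-Z prefix, or None if not a domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    return m.group(0) if m else None


def find_sid_mismatches(local_sid, entries):
    """Entries whose SID does not live under the server's local domain SID.

    Any such entry belongs to a different domain from the Samba server's point
    of view, which is exactly the state that makes migrated machine and user
    accounts unusable until the local SID is set to the old NT domain SID.
    """
    return [(dn, sid) for dn, sid in entries if domain_part(sid) != local_sid]


def main():
    name, local_sid = parse_local_sid(GETLOCALSID_OUTPUT)
    entries = parse_ldif_sids(SAMPLE_LDIF)
    bad = find_sid_mismatches(local_sid, entries)
    print(f"local SID of {name}: {local_sid}")
    if not bad:
        print("all ldapsam entries are under the local domain SID")
        return
    for dn, sid in bad:
        print(f"MISMATCH {dn}: {sid}")
    old_sids = sorted({domain_part(sid) for _, sid in bad if domain_part(sid)})
    for sid in old_sids:
        print(f"consider: net setlocalsid {sid}  (then restart smbd/nmbd)")


if __name__ == "__main__":
    main()
```

Running it against the constructed data reports every entry as a mismatch and suggests the single old domain SID that would reconcile them; on a correctly migrated server the mismatch list is empty.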
Beast wrote:
> * Thomas Will <thomas.will@xinux.de> wrote:
>> windows xp clients
>> to the domain. -> i have to rejoin the client to the domain then it works
>> is this a bug or feature?
>> the sambaNTPassword change then in ldap data base
>
> rpc vampire seems can not retrieve machine hashes correctly.
> How long the client machine has been joined to NT domain?
>
> --beast

I have solved my problem. My mistake was that I had configured Samba first as PDC, then as BDC. Now I have deleted secrets.tdb and stopped Samba, and then I began the procedure again, and it works.