Ioan Caltun
2004-Aug-10 12:05 UTC
[Samba] Smbldap tools blocks when using net rpc vampire to migrate accounts from the NT4 PDC to the SambaLdap BDC
Hello,

I am trying to migrate an NT4 PDC server to a linux PDC Samba3.0+openLDAP backend.

I have followed all the instructions in the Samba manual "The Linux Samba-openLDAP How to V.1.6".
However my efforts are in vain when I have to use net rpc. It hangs up and I'm trying to find out why...

So.. Here is what I did:

[root@SERVRHAS smbldap-tools]# net rpc vampire -l -d 4 -S servpdc -U Administrateur%------
[2004/08/06 17:17:05, 3] param/loadparm.c:lp_load(3926)
  lp_load: refreshing parameters
[2004/08/06 17:17:05, 3] param/loadparm.c:init_globals(1303)
  Initialising global parameters
[2004/08/06 17:17:05, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2004/08/06 17:17:05, 3] param/loadparm.c:do_section(3429)
  Processing section "[global]"
  doing parameter name resolve order = wins lmhosts bcast
  doing parameter delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
  doing parameter hosts allow = 127. 172.
  doing parameter netbios name = srvrhas
[2004/08/06 17:17:05, 4] param/loadparm.c:handle_netbios_name(2721)
  handle_netbios_name: set global_myname to: SRVRHAS
  doing parameter ldap passwd sync = Yes
  doing parameter printing = bsd
  doing parameter dos charset = ISO8859-1
  doing parameter display charset = ISO8859-1
  doing parameter remote announce = 192.168.1.255 192.168.2.44 172.2.0.2
  doing parameter local master = no
  doing parameter workgroup = domaine
  doing parameter os level = 40
  doing parameter ldap admin dn = cn=manager,dc=mediteranee,dc=com
  doing parameter printcap name = /etc/printcap
  doing parameter add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
  doing parameter max log size = 500
  doing parameter log file = /var/log/samba/%m.log
  doing parameter load printers = yes
  doing parameter guest account = pcguest
  doing parameter ldap user suffix = ou=Users
  doing parameter add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  doing parameter add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
  doing parameter domain master = no
  doing parameter passdb backend = ldapsam:ldap://127.0.0.1
  doing parameter wins support = true
  doing parameter ldap delete dn = Yes
  doing parameter server string = Red Hat AS Server Samba-Ldap Server
  doing parameter ldap group suffix = ou=Groups
  doing parameter ldap machine suffix = ou=Computers
  doing parameter ldap suffix = dc=mediteranee,dc=com
  doing parameter logon path = \\%L\Profiles\%U
  doing parameter add user script = /usr/local/sbin/smbldap-useradd -m "%u"
  doing parameter set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
  doing parameter unix charset = ISO8859-1
  doing parameter preferred master = no
[2004/08/06 17:17:05, 4] param/loadparm.c:lp_load(3958)
  pm_process() returned Yes
[2004/08/06 17:17:05, 2] lib/interface.c:add_interface(79)
  added interface ip=172.2.0.5 bcast=172.2.255.255 nmask=255.255.0.0
[2004/08/06 17:17:05, 3] libsmb/cliconnect.c:cli_start_connection(1290)
  Connecting to host=servpdc
[2004/08/06 17:17:05, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 172.2.0.2 at port 445
[2004/08/06 17:17:05, 2] lib/util_sock.c:open_socket_out(726)
  error connecting to 172.2.0.2:445 (Connexion refusée)
[2004/08/06 17:17:05, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 172.2.0.2 at port 139
[2004/08/06 17:17:05, 4] lib/time.c:get_serverzone(122)
  Serverzone is -7200
[2004/08/06 17:17:05, 4] passdb/secrets.c:secrets_fetch_trust_account_password(255)
  Using cleartext machine password
[2004/08/06 17:17:05, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(45)
  cli_net_req_chal: LSA Request Challenge from SRVRHAS to servpdc: F8F60FC15E8B943C
[2004/08/06 17:17:05, 4] libsmb/credentials.c:cred_session_key(59)
  cred_session_key
[2004/08/06 17:17:05, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2004/08/06 17:17:05, 4] rpc_client/cli_netlogon.c:cli_net_auth2(102)
  cli_net_auth2: srv:\\SERVPDC acct:SRVRHAS$ sc:6 mc: SRVRHAS chal F944E654EF209FCA neg: 400701ff
[2004/08/06 17:17:05, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2004/08/06 17:17:05, 4] libsmb/credentials.c:cred_assert(121)
  cred_assert
Fetching DOMAIN database
[2004/08/06 17:17:05, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2004/08/06 17:17:06, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2004/08/06 17:17:06, 4] libsmb/credentials.c:cred_assert(121)
  cred_assert
SAM_DELTA_DOMAIN_INFO not handled
[2004/08/06 17:17:06, 2] lib/smbldap.c:smbldap_search_domain_info(1295)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SRVRHAS))]
[2004/08/06 17:17:06, 2] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SRVRHAS))]
[2004/08/06 17:17:06, 2] lib/smbldap.c:smbldap_open_connection(623)
  smbldap_open_connection: connection opened
[2004/08/06 17:17:06, 3] lib/smbldap.c:smbldap_connect_system(785)
  ldap_connect_system: succesful connection to the LDAP server
[2004/08/06 17:17:06, 4] lib/smbldap.c:smbldap_open(836)
  The LDAP server is succesful connected
[2004/08/06 17:17:06, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))]
[2004/08/06 17:17:06, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No such object)ldapsam_search_one_group: Query was: ou=Groups, (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))
Creating unix group: 'Admins du domaine'

Here is a question... here, in the research he uses SID sambaSID=S-1-5-21-375199814-1253531362-1423778804-512
However, in smbldap.conf, the SID I obtained after
net rpc getlocalsid -S servpdc

is
SID="S-1-5-21-375199814-1253531362-1423778804"

I also have a feeling that smbldap-useradd or groupadd do not support spaces in the Group name or accents...

Did anyone encounter these problems?

Thank you in advance for your help

Best Regards
Ioan Caltun
Lionel Beard
2004-Aug-10 15:34 UTC
[Samba] Smbldap tools blocks when using net rpc vampire to migrate accounts from the NT4 PDC to the SambaLdap BDC
Ioan Caltun wrote:
> Hello,
>
> I am trying to migrate an NT4 PDC server to a linux PDC Samba3.0+openLDAP backend.
>
> I have followed all the instructions in the Samba manual "The Linux Samba-openLDAP How to V.1.6".
>
> However my efforts are in vain when I have to use net rpc. It hangs up and I'm trying to find out why...
>
> So.. Here is what I did:
>
> [2004/08/06 17:17:06, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
>   ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))]
> [2004/08/06 17:17:06, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
>   ldapsam_search_one_group: Problem during the LDAP search: LDAP error:(No such object)ldapsam_search_one_group: Query was: ou=Groups, (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))
> Creating unix group: 'Admins du domaine'
>
> Here is a question... here, in the research he uses SID sambaSID=S-1-5-21-375199814-1253531362-1423778804-512
> However, in smbldap.conf, the SID I obtained after
> net rpc getlocalsid -S servpdc
>
> is
> SID="S-1-5-21-375199814-1253531362-1423778804"

It's normal. It appends "512" to your domain SID, which is the RID of group "Domain Admins" (Admins du domaine).

I think your problem comes from group mapping. Do you map all your Windows groups (defined in your NT4 domain) to Unix groups with the command "net groupmap"?

(e.g., for "Domain Admins":
net groupmap add sid=S-1-5-21-375199814-1253531362-1423778804-512 unixgroup="Admins du domaine"
with "Admins du domaine" defined in the /etc/group of your new Samba server...
NB: maybe you have to change the space in "Admins du domaine" to =20 in /etc/group = admins=20du=20domaine)

Another point. I saw you use 'smbldap-useradd -w "%u"' for add machine script.
If you won't be able to log in from a Windows workstation after the migration (with 'Workstation XX no account in domain' error), the only way I found to bypass this error is to remove the -w from the script command line. Problem: by doing this, Samba puts the computer account in "Users" instead of "Computers" in LDAP. A little bit annoying...
Maybe someone knows how to avoid this problem...

Regards,
Lionel Beard
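
Added example, not part of the original thread: a Python script illustrating the reply's point that the searched SID is the domain SID plus a RID (512 for Domain Admins). It extracts the group SIDs whose LDAP search failed from a debug log in the format posted above and builds the `net groupmap add` command from the reply for each one; the sample log's -513 entry, the Unix group name `domusers` and all function names are assumptions made for illustration.

```python
import re
import shlex

# Well-known domain-relative RIDs (fixed Windows values).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

# A failed group lookup as logged by ldapsam_search_one_group.
FAILED = re.compile(r"Problem during the LDAP search: LDAP error:\s*"
                    r"\((?P<err>[^)]*)\).*?sambaSID=(?P<sid>S-[0-9-]+)\)", re.S)

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, integer RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a SID with a RID: {sid!r}")
    return domain, int(rid)

def failed_group_lookups(log_text, domain_sid):
    """Map each SID whose search failed to (RID, well-known name, in our domain?)."""
    out = {}
    for m in FAILED.finditer(log_text):
        domain, rid = split_sid(m.group("sid"))
        out.setdefault(m.group("sid"), (rid, WELL_KNOWN_RIDS.get(rid), domain == domain_sid))
    return out

def groupmap_commands(lookups, unix_groups):
    """Build 'net groupmap add' lines for in-domain SIDs with a Unix group chosen."""
    return [f"net groupmap add sid={sid} unixgroup={shlex.quote(unix_groups[rid])}"
            for sid, (rid, _name, in_domain) in lookups.items()
            if in_domain and rid in unix_groups]

# Constructed sample in the format of the log above (the -513 entry is invented).
DOMAIN_SID = "S-1-5-21-375199814-1253531362-1423778804"
SAMPLE_LOG = """\
[2004/08/06 17:17:06, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No such object)ldapsam_search_one_group: Query was: ou=Groups, (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))
[2004/08/06 17:17:06, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No such object)ldapsam_search_one_group: Query was: ou=Groups, (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-513))
"""
# Hypothetical Unix group names chosen by the administrator.
UNIX_GROUPS = {512: "Admins du domaine", 513: "domusers"}

if __name__ == "__main__":
    for line in groupmap_commands(failed_group_lookups(SAMPLE_LOG, DOMAIN_SID), UNIX_GROUPS):
        print(line)
```

SIDs outside the migrated domain (for example builtin S-1-5-32-... groups) are reported by `failed_group_lookups` with the in-domain flag false and get no command.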