Phil Dawson
2005-Mar-16 12:48 UTC
[Samba] HELP !!! migrating from win2000 pdc to linux pdc
Hello,

Second post: first had logs attached but was too big.

I have a test environment with 1 Windows 2000 AD domain PDC (mixed mode
install), 1 Linux server (to become PDC) and a Win XP box to test logon
when the migration was completed. The problem is no matter what I try
after the migration the Win XP's LOGONSERVER = Windows server, not Linux
server. I have no idea what is going on here. I've listed the process
for migration just in case I'm doing something wrong.

NB: Initially I had a problem with the migration because machines were not
being created. The problem was due to useradd conforming to the POSIX
standard and wouldn't allow accounts prefixed with $. Got an interim fix
from Red Hat which fixed this problem.

I can log in using

  smbclient -L localhost -U%                -- anonymous shares available
  smbclient -L //linuxpdc/public -U pdawson -- shares available plus home directory

Is there anything obvious I've missed? I've been at this for weeks now
and have no idea what to check next. (Logs are a blur now.)

For the purpose of log entries (supplied if requested):

  Domain:       TESTPDC0
  Windows 2000: TESTPDC  (192.168.44.80)
  Linux Server: LINUXPDC (RHES4) (192.168.44.81)
  WinXP:        192.168.44.20 (machine name HP96281120913)

Added linuxpdc and testpdc to /etc/samba/lmhosts
Added linuxpdc and testpdc to our DNS

Cleaned groups up with

------ delGrps.sh ------------
#!/bin/sh
# Delete every existing group mapping so the vampire run starts from a clean table.
net groupmap cleanup
net groupmap delete ntgroup="Print Operators"
net groupmap delete ntgroup="Domain Guests"
net groupmap delete ntgroup="System Operators"
net groupmap delete ntgroup="DnsAdmins"
net groupmap delete ntgroup="Replicator"
net groupmap delete ntgroup="Guests"
net groupmap delete ntgroup="Power Users"
net groupmap delete ntgroup="DnsUpdateProxy"
net groupmap delete ntgroup="Administrators"
net groupmap delete ntgroup="Account Operators"
net groupmap delete ntgroup="Backup Operators"
net groupmap delete ntgroup="Users"
net groupmap delete ntgroup="Domain Users"
net groupmap delete ntgroup="Domain Admins"
net groupmap delete ntgroup="Domain Computers"
net groupmap delete ntgroup="Cert Publishers"
net groupmap delete ntgroup="RAS and IAS Servers"
net groupmap delete ntgroup="Pre-Windows 2000 Compatible Access"
net groupmap delete ntgroup="Group Policy Creator Owners"
net groupmap delete ntgroup="Enterprise Admins"
net groupmap delete ntgroup="Domain Controllers"
net groupmap delete ntgroup="Schema Admins"
net groupmap delete ntgroup="Server Operators"
------ delGrps.sh end ------------

Removed secrets.tdb and passwd.tdb

Set up smb.conf to be ROLE_DOMAIN_BDC

< testparm showed no errors >

net rpc join -S testpdc -W testpdc0 -UAdministrator%password

< joined the domain ok. Checked on the Win2000 server and linuxpdc was
  listed as a domain controller >

net rpc getsid -S testpdc -W testpdc0

< SID was put into secrets >

net getlocalsid testpdc0
S-1-5-21-705938202-4238141491-2786779978

< showed correct SID >

net getlocalsid

< no SID available so used: >

net setlocalsid S-1-5-21-705938202-4238141491-2786779978
net getlocalsid
S-1-5-21-705938202-4238141491-2786779978

< used initGrps.sh script to add groups >

------- initGrps.sh ----------
#!/bin/sh
# Map the three core domain groups onto local UNIX groups.
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
------- initGrps.sh end ----------

net rpc vampire -S testpdc -U Administrator%password

< no errors >

< list the groups on Win2000 box >

net group -l -S testpdc -U Administrator%password

< list groups on linuxpdc >

net groupmap list

-----------------------------------------
Server Operators (S-1-5-32-549) -> Server Operators
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-514) -> nobody
Enterprise Admins (S-1-5-21-705938202-4238141491-2786779978-519) -> Enterprise Admins
DnsAdmins (S-1-5-21-705938202-4238141491-2786779978-1101) -> DnsAdmins
Domain Controllers (S-1-5-21-705938202-4238141491-2786779978-516) -> Domain Controllers
Administrators (S-1-5-21-705938202-4238141491-2786779978-1007) -> sys
Schema Admins (S-1-5-21-705938202-4238141491-2786779978-518) -> Schema Admins
Replicators (S-1-5-21-705938202-4238141491-2786779978-1019) -> kmem
Replicator (S-1-5-32-552) -> Replicator
Guests (S-1-5-32-546) -> nobody
Group Policy Creator Owners (S-1-5-21-705938202-4238141491-2786779978-520) -> Group Policy Creator Owners
Domain Users (S-1-5-21-705938202-4238141491-2786779978-1201) -> users
Power Users (S-1-5-32-547) -> ntadmin
Domain Guests (S-1-5-21-705938202-4238141491-2786779978-1199) -> nobody
DnsUpdateProxy (S-1-5-21-705938202-4238141491-2786779978-1102) -> DnsUpdateProxy
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> Administrators
Pre-Windows 2000 Compatible Access (S-1-5-32-554) -> Pre-Windows 2000 Compatible Access
Account Operators (S-1-5-32-548) -> wheel
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-1001) -> root
Account Operators (S-1-5-21-705938202-4238141491-2786779978-1021) -> wheel
Backup Operators (S-1-5-32-551) -> bin
Users (S-1-5-32-545) -> public
Backup Operators (S-1-5-21-705938202-4238141491-2786779978-1003) -> bin
RAS and IAS Servers (S-1-5-21-705938202-4238141491-2786779978-553) -> RAS and IAS Servers
Print Operators (S-1-5-21-705938202-4238141491-2786779978-1015) -> lp
Domain Users (S-1-5-21-705938202-4238141491-2786779978-513) -> users
System Operators (S-1-5-21-705938202-4238141491-2786779978-1005) -> daemon
Domain Computers (S-1-5-21-705938202-4238141491-2786779978-515) -> Domain Computers
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-512) -> root
Cert Publishers (S-1-5-21-705938202-4238141491-2786779978-517) -> Cert Publishers
-------------------------------------------

< everything seems ok >

< checked users and groups. Everything migrated ok. >

< added all imported users to the users group. >

< changed linuxpdc to be domain master >

testparm verified this

< switched off Win2000 PDC >

< started smb with: >

service smb start

< switched on Win XP box >

< used regedit to change signorseal >

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
"RequireSignOrSeal"=dword:00000000

< rebooted XP machine >

< seemed to log in ok >

username: pdawson
password: password

< opened console with cmd >

< ran set >

< LOGONSERVER=\\TESTPDC   <--- not what I was expecting >

< no drive mapping and logon.bat didn't run >

<<<< had to remove logs ... too big for list. Could be supplied on demand >>>>

Regards,

Phil
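The groupmap listing in the post above maps several NT names twice under different SIDs (Domain Admins at RID 1001 and at the well-known RID 512, both onto root; Administrators at RID 1007 onto sys and BUILTIN 544 onto Administrators) and maps Account Operators onto wheel. As an added example that is not part of the original post, the following POSIX shell script audits `net groupmap list` output for exactly those conditions: NT names mapped more than once, SIDs that belong to neither the domain SID nor the BUILTIN authority S-1-5-32, and mappings onto the UNIX root or wheel groups. The sample input is six lines copied from the listing above plus one constructed line with a made-up foreign domain SID; the script and function names, and the `sed` expression used to pull the SID out of `net getlocalsid`, are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit 'net groupmap list' output after a 'net rpc vampire'.
# Reads lines of the form   NT name (SID) -> unixgroup   on stdin and prints
#   DUP   <name>            the same NT group name is mapped more than once
#   ALIEN <name> <sid>      SID is under neither the domain SID nor BUILTIN (S-1-5-32)
#   PRIV  <name> -> <ug>    an NT group is mapped onto the UNIX root or wheel group
# The domain SID is passed as the first argument.

groupmap_audit() {
    awk -v dom="$1" '
    BEGIN { domp = dom "-" }                         # domain SID followed by "-RID"
    match($0, /\(S-[0-9-]+\)/) {
        sid  = substr($0, RSTART + 1, RLENGTH - 2)   # strip the parentheses
        name = substr($0, 1, RSTART - 2)             # text before " ("
        ug   = $0; sub(/.*-> /, "", ug)              # text after "-> "
        seen[name]++
        if (index(sid, domp) != 1 && index(sid, "S-1-5-32-") != 1)
            print "ALIEN " name " " sid
        if (ug == "root" || ug == "wheel")
            print "PRIV " name " -> " ug
    }
    END { for (n in seen) if (seen[n] > 1) print "DUP " n }
    ' | sort -u
}

# Sample input: six lines copied from the groupmap listing in the post, plus
# one constructed line ("Stale Group") with a foreign domain SID for the ALIEN check.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-1001) -> root
Domain Admins (S-1-5-21-705938202-4238141491-2786779978-512) -> root
Administrators (S-1-5-21-705938202-4238141491-2786779978-1007) -> sys
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> wheel
Domain Users (S-1-5-21-705938202-4238141491-2786779978-513) -> users
Stale Group (S-1-5-21-111-222-333-1001) -> nobody
EOF
}

# Usage (assumed invocation, not from the post):
#   net groupmap list | sh groupmap_audit.sh "$(net getlocalsid | sed 's/.*: //')"
# With no argument the constructed sample is audited against the post's domain SID.
if [ $# -gt 0 ]; then
    groupmap_audit "$1"
else
    sample_groupmap | groupmap_audit S-1-5-21-705938202-4238141491-2786779978
fi
```

On the sample this reports two DUP names, one ALIEN SID and two PRIV mappings; the DUP lines are the ones worth resolving before the first client logs on, because two mappings for Domain Admins under different SIDs means the group membership Windows evaluates depends on which SID the client happens to carry.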
John H Terpstra
2005-Mar-16 14:54 UTC
[Samba] HELP !!! migrating from win2000 pdc to linux pdc
Phil,

After migrating the domain data did you change the role of the Samba server to PDC?

In your smb.conf you need to set in [global]:

	domain master = Yes

Then run 'testparm' to validate your settings.

- John T.

On Wednesday 16 March 2005 05:39, Phil Dawson wrote:
> [...]
> set up smb.conf to be ROLE_DOMAIN_BDC
> [...]
> < changed linuxpdc to be domain master >
> testparm verified this
> [...]
> < LOGONSERVER=\\TESTPDC <--- not what I was expecting >
> [...]

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
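John's point is that testparm derives the server role from the [global] settings: with `security = user` and `domain logons = yes` but `domain master` not set to yes it reports ROLE_DOMAIN_BDC, which is what the first post's smb.conf was set to. As an added example that is not part of either message, the following POSIX shell script reads an smb.conf, prints the role-relevant [global] parameters and reports whether they describe a PDC (`security = user`, which is the Samba 3 default, `domain logons = yes`, and the explicit `domain master = yes` John recommends), warning when `os level` is not above 32, the level Windows NT4/2000 servers announce in browser elections. The two sample configs it runs against by default are constructed for this example and are not Phil's smb.conf; the script and function names are this example's own. One caveat on the registry change in the first post: setting RequireSignOrSeal to 0 removes the XP client's requirement for a signed or sealed NETLOGON secure channel, so it should be set back to 1 once the Samba PDC is confirmed working.

```shell
#!/bin/sh
# Added example: check the [global] section of an smb.conf for the settings a
# Samba-3 PDC needs and report the browse-election settings next to them.
# The sample configs below are constructed for this example, not Phil's smb.conf.

# Print the lower-cased value of one [global] parameter from smb.conf "$1".
# Comment lines (# or ;) are skipped and later [share] sections are ignored.
# Samba ignores case and spacing in parameter names and takes the last
# setting of a name, so the parser does the same.
smbconf_global() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") {
            k = $0; v = $0
            sub(/=.*/, "", k); sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/[ \t]+/, " ", k)
            if (tolower(k) == key) val = tolower(v)
        }
        END { print val }
    ' "$1"
}

# Samba accepts yes/true/1 (and no/false/0) for boolean parameters.
is_yes() { case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# Print the PDC-relevant settings; return 0 only for a PDC configuration.
check_pdc_role() {
    conf="$1"; ok=0
    for key in workgroup security "domain logons" "domain master" "preferred master" "os level"; do
        printf '  %-17s = %s\n' "$key" "$(smbconf_global "$conf" "$key")"
    done
    sec=$(smbconf_global "$conf" security)
    [ -z "$sec" ] || [ "$sec" = user ] || ok=1              # unset means the default, user
    is_yes "$(smbconf_global "$conf" "domain logons")" || ok=1
    is_yes "$(smbconf_global "$conf" "domain master")" || ok=1   # explicit yes, as John advises
    lvl=$(smbconf_global "$conf" "os level")
    # Windows NT4/2000 servers announce os level 32; a Samba PDC that must win
    # browser elections against the old DC needs to be above that.
    [ -n "$lvl" ] && [ "$lvl" -gt 32 ] || echo "  WARN: os level not above 32"
    if [ "$ok" -eq 0 ]; then echo "  ROLE: PDC"; else echo "  ROLE: NOT-PDC"; fi
    return "$ok"
}

# Constructed sample configs: "bdc" mirrors the first post's ROLE_DOMAIN_BDC
# setup (domain master off), "pdc" applies John's fix.
sample_conf() {
    case "$1" in
        pdc) dm=yes; pm=yes; lvl=65 ;;
        *)   dm=no;  pm=no;  lvl=20 ;;
    esac
    cat <<EOF
[global]
    workgroup = TESTPDC0
    netbios name = LINUXPDC
    security = user
    domain logons = yes
    domain master = $dm
    preferred master = $pm
    os level = $lvl
    logon script = logon.bat
[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
EOF
}

# Usage (assumed): sh check_pdc_role.sh /etc/samba/smb.conf
# With no argument, run against the two constructed sample configs.
if [ $# -gt 0 ]; then
    check_pdc_role "$1"
else
    for mode in bdc pdc; do
        tmp=$(mktemp)
        sample_conf "$mode" > "$tmp"
        echo "== constructed $mode config =="
        check_pdc_role "$tmp" || true
        rm -f "$tmp"
    done
fi
```

The check deliberately demands an explicit `domain master = yes` rather than trusting the default, since the first post shows the same file passing testparm "with no errors" while still describing a BDC; testparm validates syntax, and its "Server role:" line is the thing to read after the change.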