Replying to myself:
The problem with changing the SID was that I wasn't changing the SID
everywhere. I was changing the SID only on my net setlocalsid,
setdomainsid and the smbldap config file... After I did the
smbldap-populate again, everything worked (the new samba domain now
has the same sids as the AD and the windows clients recognize the
identities).
Now I need to bulk-export and import the users. I'm writing a script
to turn the ldifde output from the AD into a smbldap friendly schema.
Is there a better way?
And what could smbldap-populate be changing that was required
for the SID change to work?
Thanks!
Zarrabeitia
On Sat, Mar 8, 2008 at 7:22 PM, <zarrabeitia@gmail.com> wrote:
> Hi there.
>
> [I just asked this over the irc channel, but since I got no reply, I
> decided to cross-post here. Please forgive me if that is incorrect]
>
> I'm trying to migrate an Active Directory domain (that is being used
> only for authentication) to a samba3 domain. The network is small
> enough to rejoin the clients one by one and recreate the user accounts
> if necessary. However, the new user accounts don't have access to
> their old folders. I've tried giving the new domain the same SID as
> the old domain, but in that case, the windows clients refuse to join
> the domain (they report a 'rpc error').
>
> Is there anything I can do?
>
> I think the ideal solution would be to emulate the sidHistory field
> from the AD, but a message from 2005 (I think) on this list said it
> was not possible with Samba3. Has that situation changed?
>
> I've also tried to use the moveuser.exe command, to no avail. It
> either claims that it cannot find the account, or that the account
> already exists, and fails in both cases. The "profile wizard" from
> forensit fails when trying to determine if the accounts are using
> remote profiles.
>
> I'd appreciate any advice you can give me.
>
> (BTW, if there is a way to extract the password and machine account
> information from the AD, let me know!)
>
> Thanks,
>
> Zarrabeitia.
>
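
The SID check that this kind of migration depends on, as an added example that is not the poster's script: it decodes the base64 `objectSid` values from an LDIF export into string SIDs and rejects any account whose SID does not sit directly under the domain SID being reused. The function names, the domain SID and the sample records are constructed for illustration, and it assumes the export includes `sAMAccountName` and `objectSid`.

```python
import base64
import struct

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-21-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the constructed sample."""
    rev, authority, *subs = (int(p) for p in sid.split("-")[1:])
    return (bytes([rev, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def ldif_sids(ldif: str, domain_sid: str) -> dict:
    """Map sAMAccountName -> (SID, RID); ValueError if a SID is outside domain_sid."""
    text = ldif.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    accounts = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.split("\n"):
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key] = value
        if "objectSid:" not in attrs:                     # "attr:: " marks base64
            continue
        sid = sid_to_str(base64.b64decode(attrs["objectSid:"]))
        prefix, rid = sid.rsplit("-", 1)
        if prefix != domain_sid:
            raise ValueError("%s is outside %s" % (sid, domain_sid))
        accounts[attrs["sAMAccountName"]] = (sid, int(rid))
    return accounts

def sample_ldif() -> str:
    """Constructed records in the attribute layout of an LDIF export."""
    rec = "dn: CN=%s,CN=Users,DC=example,DC=test\nsAMAccountName: %s\nobjectSid:: %s\n"
    return "\n".join(
        rec % (name, name, base64.b64encode(sid_to_bytes("%s-%d" % (DOMAIN_SID, rid))).decode())
        for name, rid in (("alice", 1105), ("bob", 1106)))

if __name__ == "__main__":
    print(ldif_sids(sample_ldif(), DOMAIN_SID))
```

The returned RID is the part that has to be carried over unchanged for each account if the new domain is to present the same identity to the Windows clients.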