Florian Marinier
2008-May-23 14:03 UTC
[Samba] Seamless update from Samba 2 to Samba 3 on a new server
Hi, I'm new to the list, I hope I'm posting at the right place ;)

I'm having a hard time trying to update and to move my Samba 2.2 PDC to a new Debian server.

Currently, the PDC is using Samba 2.2.8 on a Solaris server. My goal is to move it to another computer, and to update it to a newer version (3.0.24). This must be fully transparent for the users, since I have no time to disjoin and to rejoin the domain on all machines.

I'm using the smbpasswd backend, and a NIS server. The NIS stores all the Unix accounts, but the machine accounts are local. The domain name is SMBDOM. The PDC is called aldebaran, and has the NetBIOS name PDC.

I've caught the SID of the old machine with smbpasswd -X SMBDOM, which is the same as the one I get with smbpasswd -X PDC.

Now, I've installed my Samba 3 server on the new machine, which uses the same hostname and the same NetBIOS name. I've set the SID to the old domain one, using net setlocalsid olddomainsid, and net setlocalsid olddomainsid.

I've also copied the smb.conf and the secrets.tdb, and done the group mappings. Here is the result of the net groupmap list command:

testpdc:/var/log/samba# net groupmap list
Domain Admins (S-1-5-21-2616637325-650964048-2930221742-512) -> adminasr
Domain Computers (S-1-5-21-2616637325-650964048-2930221742-515) -> machines

The problem is that the old domain computers can't join the new domain. I'm getting the message "Windows can't connect... The server might not be running, or your machine account has not been found..." or something like that.

Here is what I can see in the logs:

[2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
  creds_server_check: credentials check failed.
[2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client CYANN machine account CYANN$
[2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
  creds_server_check: credentials check failed.
[2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client CYANN machine account CYANN$

When running pdbedit -vL with my username for example, everything seems fine:

testpdc:/var/log/samba# pdbedit -vL marinier
Unix username:        marinier
NT username:
Account Flags:        [UX         ]
User SID:             S-1-5-21-2616637325-650964048-2930221742-3324
Primary Group SID:    S-1-5-21-2616637325-650964048-2930221742-513
Full Name:            Florian Marinier
Home Directory:       \\pdc\marinier
HomeDir Drive:        u:
Logon Script:         montage.bat marinier
Profile Path:
Domain:               SMBDOM
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Fri, 04 Apr 2008 15:53:44 CEST
Password can change:  Fri, 04 Apr 2008 15:53:44 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The SID is the right one.

When running pdbedit -vL cyann$ (which is one of my machine accounts):

testpdc:/var/log/samba# pdbedit -vL cyann$
Unix username:        cyann$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-2616637325-650964048-2930221742-2820
Primary Group SID:    S-1-5-21-2616637325-650964048-2930221742-515
Full Name:            Trust Account
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:               SMBDOM
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Wed, 18 Apr 2007 18:28:27 CEST
Password can change:  Wed, 18 Apr 2007 18:28:27 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The SID and domain are the right ones... But I still can't log in :(

I may have an answer, but I'd be glad to have a confirmation: on my old Solaris server, my machines group had the GID 101. And on my new Debian server, the GID 101 is already used by crontab, so I chose another GID.

May it be the source of all my problems?

PS: However, when I disjoin and rejoin the domain, everything seems OK.

Does anyone have a clue?

Thanks,

Florian
Florian Marinier
2008-May-23 15:29 UTC
[Samba] Seamless update from Samba 2 to Samba 3 on a new server
I forgot to post the first section of my smb.conf:

[global]
workgroup = SMBDOM
netbios name = PDC
smb passwd file = /etc/samba/smbpasswd
server string = controleur du domaine SMBDOM
encrypt passwords = Yes
passwd program = /usr/bin/passwd %U
unix password sync = no
; passwd chat *New*password*%n\n*Retype*new*password*%n\n*passwd:*all*authentification*tokens*updated*successfully*
log level = 2
log file = /var/log/samba/pdc-log.%m
max log size = 250
name resolve order = wins hosts lmhosts bcast
logon path
logon drive = u:
logon home = \\%L\%U
logon script = montage.bat %U
domain logons = Yes
preexec = /etc/samba/netlogon/cree_dir.sh %U
domain master = Yes
wins support = yes
dns proxy = yes
socket options = TCP_NODELAY
guest account = nobody
os level = 65
preferred master = Yes
; interfaces = 163.9.34.7/255.255.255.0
; bind interfaces only = yes
remote announce = 163.9.100.255 192.168.24.255 192.168.23.255
Remy Zandwijk
2008-May-24 19:38 UTC
[Samba] Seamless update from Samba 2 to Samba 3 on a new server
Florian,

An obvious question maybe, but does your local passwd file contain the machine accounts?

And why do you copy the secrets.tdb? I think that's not needed.

Remy
Florian Marinier
2008-May-26 08:23 UTC
[Samba] Seamless update from Samba 2 to Samba 3 on a new server
Thanks for your answer Remy.

Yes, my local passwd and shadow files do contain the machine accounts. In fact, the NIS only stores the user accounts.

I've copied the secrets.tdb according to Chapter 8 of the Samba doc, and especially the "Replacing a Domain Controller" part, here: http://www.samba.org/samba/docs/man/Samba-Guide/upgrades.html#id385896
Florian Marinier
2008-May-26 11:40 UTC
[Samba] Seamless update from Samba 2 to Samba 3 on a new server
Well, in fact, I did that because the SID was not the right one, even with the TDB files in place. Here is the SID I got before using net setlocalsid:

SID for domain PDC is: S-1-5-352321536-2377643675-1357696038-2929895342
SID for domain SMBDOM is: S-1-5-352321536-2377643675-1357696038-2929895342

And here's what I had on the old server:

root on aldebaran # ./smbpasswd -X PDC
SID for domain PDC is: S-1-5-21-2616637325-650964048-2930221742
root on aldebaran # ./smbpasswd -X SMBDOM
SID for domain SMBDOM is: S-1-5-21-2616637325-650964048-2930221742

I've read (but I can't remember where...), however, that the secrets.tdb file was version-dependent.

> You wrote you used 'net setlocalsid' to set the SID. According to the doc
> this isn't necessary.
>
> -Remy
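An added pre-flight check, written for this thread and not part of it or of Samba itself, that catches the two things the discussion turns on before old workstations are pointed at the new PDC: the domain SID reported by the old server (smbpasswd -X) and the new one (net getlocalsid) must be identical, and every [W] trust account in the smbpasswd file needs a local Unix account whose primary group is the machines group, whose GID on the new box is assumed to differ from the old server's 101. All file contents and the orion$ account are constructed sample data; the hash fields are placeholder X's because the check never reads them.

```python
import re

# Constructed sample data, not taken from the thread: the old server's
# 'machines' group had GID 101, which on the new box belongs to 'crontab'.
OLD_MACHINES_GID = 101
X32 = "X" * 32  # placeholder for the LM/NT hash fields, which this check ignores
SMBPASSWD = f"""\
marinier:1001:{X32}:{X32}:[UX         ]:LCT-47F62A18:
cyann$:2001:{X32}:{X32}:[W          ]:LCT-46264C2B:
orion$:2002:{X32}:{X32}:[W          ]:LCT-46264C2B:
"""
PASSWD = "marinier:x:1001:100::/home/marinier:/bin/sh\ncyann$:x:2001:105::/dev/null:/bin/false\n"
GROUP = "crontab:x:101:\nmachines:x:105:\n"
OLD_SID_OUT = "SID for domain SMBDOM is: S-1-5-21-2616637325-650964048-2930221742"
NEW_SID_OUT = "SID for domain SMBDOM is: S-1-5-352321536-2377643675-1357696038-2929895342"

def extract_sid(output):
    # Works on 'smbpasswd -X' (Samba 2) and 'net getlocalsid' (Samba 3) output lines.
    m = re.search(r"SID for domain \S+ is: (S-1-5-[0-9-]+)", output)
    return m.group(1) if m else None

def parse_smbpasswd(text):
    # smbpasswd format: user:uid:LMHASH:NTHASH:[flags]:LCT-hex:  ('W' flag = trust account)
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return {f[0]: "W" in f[4] for f in rows}

def parse_colon_file(text, key_col, gid_col):
    # passwd: name in column 0, primary GID in column 3; group: name 0, GID 2
    return {f[key_col]: int(f[gid_col]) for f in (l.split(":") for l in text.splitlines() if l)}

def preflight(smb, passwd, group, old_sid_out, new_sid_out, old_gid, gname="machines"):
    # Returns findings that would stop old workstations authenticating after the move.
    findings = []
    old_sid, new_sid = extract_sid(old_sid_out), extract_sid(new_sid_out)
    if old_sid != new_sid:
        findings.append(f"domain SID differs: old {old_sid}, new {new_sid}")
    gid = group.get(gname)
    if gid is None:
        findings.append(f"group {gname} missing on the new server")
    elif gid != old_gid:
        findings.append(f"{gname} GID changed {old_gid} -> {gid}; re-check 'net groupmap'")
    for name in [n for n, trust in smb.items() if trust]:
        if name not in passwd:
            findings.append(f"{name}: trust account without a local Unix account")
        elif gid is not None and passwd[name] != gid:
            findings.append(f"{name}: primary GID {passwd[name]} is not {gname}")
    return findings
```

Run it against the real files (/etc/samba/smbpasswd, /etc/passwd, /etc/group) and the two SID outputs before the cut-over; an empty list means the accounts and SID are at least consistent, it does not prove the machine passwords survived the copy.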