I did not get this finished last summer, so decided to just wait and do it this summer. I have set up my new samba server and was trying to get some things tweaked to the way that I want them. I thought that I had asked this before and that I could do it, but it seems that it does not work.

My new server is running as a domain server just like the old. It has the same domain name and I changed the SID using net setlocalsid to the same sid number as my old server. This new server is in a test environment right now.

I was hoping that my old machines could just log into this server without having to get out of the domain and then rejoin it, but that does not work. It tells me that the domain is not there until I get out of the old one and then rejoin the new one. Is that how it has to work? I was hoping I would not have to do that if I left the domain name the same and set the SID on the new server. I just want to make sure I am not missing something before I go around to all 400 computers on campus and have them removed and rejoined to the domain.

Thanks.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
sgmayo at mail.bloomfield.k12.mo.us wrote:
> I did not get this finished last summer, so decided to just wait and do it this summer. I have set up my new samba server and was trying to get some things tweaked to the way that I want them. I thought that I had asked this before and that I could do it, but it seems that it does not work.
>
> My new server is running as a domain server just like the old. It has the same domain name and I changed the SID using net setlocalsid to the same sid number as my old server. This new server is in a test environment right now.
>
> I was hoping that my old machines could just log into this server without having to get out of the domain and then rejoin it, but that does not work. It tells me that the domain is not there until I get out of the old one and then rejoin the new one. Is that how it has to work? I was hoping I would not have to do that if I left the domain name the same and set the SID on the new server. I just want to make sure I am not missing something before I go around to all 400 computers on campus and have them removed and rejoined to the domain.

Mr. Terpstra gave me a bit of help. I had done nothing to set my domainsid, but after doing the following:

net getlocalsid
net getdomainsid

The values are the same on both the old and the new samba server. This new server will take the place of my old one. Right now it is on a network with nothing else on it besides one of my old windows clients. If I remove one of my old clients from the domain and then re-add it, then it logs in just fine. If I take an old client from my current network and put it on this new network and try to log in to the new samba server then it gives me the typical:

"Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear contact your System Administrator for assistance."

The name of the Windows machine is business18 so I did an 'smbldap-adduser -w business18$' to make sure the machine account was added in to the directory, but the error was the same. I even changed the uid of the machine account to match the old one in case that was coming into play.

Here is my samba config in case someone sees something that I don't. Which is quite possible since I forget more than I learn it seems. :) I'll be reading on the How-To to see if I can pick anything else up.

[global]
workgroup = BES
server string = Samba Server Version %v
netbios name = SCHOOL

interfaces = lo eth0
hosts allow = 127. 10.0. 192.168.0. localhost
ldap passwd sync = Yes
ldap admin dn = cn=Manager,dc=school,dc=bloomfield.k12.mo.us
ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

Dos charset = 850
Unix charset = ISO8859-1

log file = /var/log/samba/log.%m
max log size = 50

security = user
passdb backend = ldapsam:ldap://127.0.0.1

domain master = yes
domain logons = yes

local master = yes
os level = 65
preferred master = yes

wins support = yes
dns proxy = no

load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
sgmayo at mail.bloomfield.k12.mo.us wrote:
> sgmayo at mail.bloomfield.k12.mo.us wrote:
>> I did not get this finished last summer, so decided to just wait and do it this summer. I have set up my new samba server and was trying to get some things tweaked to the way that I want them. I thought that I had asked this before and that I could do it, but it seems that it does not work.
>>
>> My new server is running as a domain server just like the old. It has the same domain name and I changed the SID using net setlocalsid to the same sid number as my old server. This new server is in a test environment right now.
>>
>> I was hoping that my old machines could just log into this server without having to get out of the domain and then rejoin it, but that does not work. It tells me that the domain is not there until I get out of the old one and then rejoin the new one. Is that how it has to work? I was hoping I would not have to do that if I left the domain name the same and set the SID on the new server. I just want to make sure I am not missing something before I go around to all 400 computers on campus and have them removed and rejoined to the domain.
>
> Mr. Terpstra gave me a bit of help. I had done nothing to set my domainsid, but after doing the following:
>
> net getlocalsid
> net getdomainsid
>
> The values are the same on both the old and the new samba server. This new server will take the place of my old one. Right now it is on a network with nothing else on it besides one of my old windows clients. If I remove one of my old clients from the domain and then re-add it, then it logs in just fine. If I take an old client from my current network and put it on this new network and try to log in to the new samba server then it gives me the typical:
>
> "Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear contact your System Administrator for assistance."
>
> The name of the Windows machine is business18 so I did an 'smbldap-adduser -w business18$' to make sure the machine account was added in to the directory, but the error was the same. I even changed the uid of the machine account to match the old one in case that was coming into play.
>
> Here is my samba config in case someone sees something that I don't. Which is quite possible since I forget more than I learn it seems. :) I'll be reading on the How-To to see if I can pick anything else up.
>
> [global]
> workgroup = BES
> server string = Samba Server Version %v
> netbios name = SCHOOL
>
> interfaces = lo eth0
> hosts allow = 127. 10.0. 192.168.0. localhost
> ldap passwd sync = Yes
> ldap admin dn = cn=Manager,dc=school,dc=bloomfield.k12.mo.us
> ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> ldap delete dn = Yes
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
> Dos charset = 850
> Unix charset = ISO8859-1
>
> log file = /var/log/samba/log.%m
> max log size = 50
>
> security = user
> passdb backend = ldapsam:ldap://127.0.0.1
>
> domain master = yes
> domain logons = yes
>
> local master = yes
> os level = 65
> preferred master = yes
>
> wins support = yes
> dns proxy = no
>
> load printers = yes
> cups options = raw
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes

Well, I am getting ready to take the other server offline and put the new one in place. I am planning on just removing all my machines from the domain and adding them back in to get everything to work, though I would prefer not to do this. I am just not sure where else to look. Thought I would post one last time.

I figure that most of this comes from me not knowing a lot about ldap and how samba interacts with it. I am still learning. The passwords on the new server are different than the old. Does that have any effect on it? Do the passwords have to be the same when it comes to the new machine being added in? I did not think that would matter, but maybe it does. If it does then that would mean that the XP machines somehow saved the password that was used when the machine joined the domain.

Thanks for any info. I'll play with this some tonight, but if I don't figure it out, I'll just do as I planned and remove all machines from the domain and add them back in.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
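An added pre-cutover check (example code, not from this thread or from the Samba project) for the two things the thread turns on: that `net getlocalsid` and `net getdomainsid` report the same SID on both servers, and that the machine trust account the XP client joined against exists in the new directory with its password hash, since a Windows client does keep the join password and authenticates with it. The "SID for domain ... is:" output format is assumed from `net`; the SID values and the LDIF entry are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: pre-cutover checks for
# the migration described above (same domain name, SID copied with
# net setlocalsid, machine accounts under ou=Computers). Sample data is
# constructed, not the poster's real SIDs or directory.

# Pull the S-1-5-21-... SID out of a net getlocalsid / net getdomainsid line
# such as "SID for domain SCHOOL is: S-1-5-21-..." (output format assumed).
sid_from_net_output() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9][0-9-]*\).*/\1/p' | head -n 1
}

# All four SIDs must be identical: local == domain on each server, and the
# new server must carry the old server's value. Returns 0 when consistent.
sids_consistent() {
    ol=$(sid_from_net_output "$1"); od=$(sid_from_net_output "$2")
    nl=$(sid_from_net_output "$3"); nd=$(sid_from_net_output "$4")
    [ -n "$ol" ] && [ "$ol" = "$od" ] && [ "$ol" = "$nl" ] && [ "$ol" = "$nd" ]
}

# The machine trust account must sit under the domain SID, be flagged as a
# workstation and carry an NT hash: the client logs on with the join secret
# it saved, so an account created fresh with another password cannot match.
# $1 = LDIF of the account (e.g. ldapsearch output), $2 = domain SID.
machine_account_ok() {
    ldif=$1; dsid=$2
    printf '%s\n' "$ldif" | grep -q '^uid: [A-Za-z0-9_-]*\$$' || return 1
    printf '%s\n' "$ldif" | grep -q "^sambaSID: $dsid-[0-9][0-9]*\$" || return 1
    printf '%s\n' "$ldif" | grep -q '^sambaAcctFlags: \[.*W.*\]' || return 1
    printf '%s\n' "$ldif" | grep -q '^sambaNTPassword: [0-9A-Fa-f]\{32\}$' || return 1
}

# Constructed sample inputs standing in for real command output and LDIF.
OLD_LOCAL='SID for domain SCHOOL is: S-1-5-21-1111111111-2222222222-3333333333'
OLD_DOMAIN=$OLD_LOCAL; NEW_LOCAL=$OLD_LOCAL; NEW_DOMAIN=$OLD_LOCAL
SAMPLE_LDIF='dn: uid=business18$,ou=Computers,dc=school1,dc=bloomfield.k12.mo.us
uid: business18$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3012
sambaAcctFlags: [W          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF'

if sids_consistent "$OLD_LOCAL" "$OLD_DOMAIN" "$NEW_LOCAL" "$NEW_DOMAIN" \
   && machine_account_ok "$SAMPLE_LDIF" "$(sid_from_net_output "$NEW_DOMAIN")"; then
    echo "SIDs and machine trust account are consistent"
else
    echo "mismatch: migrate the LDAP machine account or rejoin the client before cutover"
fi
```

On a real server, feed the functions the actual `net getlocalsid` / `net getdomainsid` output and an `ldapsearch` dump of `uid=business18$` under the machine suffix.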