samba - Jun 2010 - Transferring PDC responsibility without LDAP

I'm using a NT4-style domain on my home network, with Samba 3.5.3 acting
as PDC.  I would like to transfer PDC responsibilty to a different
GNU/Linux machine so I can retire the original PDC.

With Windows DCs, I understand this is simple -- just create a BDC,
promote it, and remove the old.  However, an analogous approach would be
problematic here, because in Samba going from one DC to two is a massive
increase in complexity.  (Because of the LDAP requirements)

I suspect it might work, in this case, to do what the HOWTO expressly
forbids, which is to invoke "net rpc getsid" without configuring LDAP.
If I shut down the old server before starting smbd on the new, I should
avoid the synchronization risk.

The sequence would be:

1. Create configuration file on new PDC broadly similar to the old.

2. Clear out any lingering .tdb files on the new PDC from past test runs
of smbd there as an isolated server.  (smbd is not running at this
point.)

3. Run net rpc getsid on the new PDC.

4. Make sure all clients are logged out.

5. Shut down smbd/nmbd on the old PDC, hopefully for good.

6. Copy old PDC's profile directories and passdb.tdb to the new PDC.

7. Use pdbedit to update the profile directory location for each user.

8. Start smbd/nmbd on the new PDC.

9. Start logging in from clients again.

Thoughts?

---- Michael Deutschmann <michael at talamasca.ocis.net>

Is the new machine going to have the same IP address and machine name?  I
would think that in that case you should be able to copy the configuration
files, profile directories, private and locks directories over to the new
machine.     You could copy all the samba stuff over to the new machine,
take the old machine off the network, change the host name and ip of the new
machine to that off the old machine and start samba back up.

On Sat, 19 Jun 2010, I wrote:
> Can anyone answer my original question, which is whether my original
> strategy (use "net rpc getsid" without LDAP, but stop old PDC
forever
> before starting the new one) is sound?
After no one answered, last week I decided to just try it and see.

Except for the fact I needed to add a "-S" option to the getsid
command
to make it work, it seems to be holding up fine.

---- Michael Deutschmann <michael at talamasca.ocis.net>