ITSEF Admin
2011-Oct-18 15:58 UTC
[Samba] Migrating user accounts Samba 3.5.3 to Windows 2003 (2008)
Hi all,

I need some help with the following problem:

I need to migrate a bunch of user accounts to another domain on a Windows 2003 server (eventually to 2008R2, but that step seemed too big to do in one go). To keep all access rights etc. correct, I need to get the SID history set correctly as well.

From what I've researched so far, I'm aware of
http://lists.samba.org/archive/samba/2005-April/103743.html
and
http://lists.samba.org/archive/samba/2005-June/107028.html

which basically state that this migration should be possible using ADMT. As far as I know, I have all prerequisites in place as listed in those postings, however, I still cannot get ADMT to run. It does find the Samba server and recognises it as domain controller for OLDDOMAIN, but when I ask it to migrate SID history as well, I get a rather cryptic error "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. The system cannot find the file specified." Unfortunately, Aunt Google does not have much on that one... Neither tshark nor Process Monitor nor the Samba logs provided any additional clues (that I would recognise), so this was a dead end for the time being.

After having checked and re-checked domain trusts, administrator accounts (with equal passwords), SID filters being off, ... on both machines, I then tried a different approach: The "sidhist.vbs" script from the 2003 support tools, which in theory should be able to accomplish the same. However, when I try to run this script, I also get an error: "Error 0x800706BA, Unable to read the configuration information of the computer "SAMBA_DC". The error was: The RPC server is unavailable." I've done a lot of searching on this one as well, I even went as far as running tshark on the connection to see whether that would yield any clues - but came up empty yet again.

Unfortunately, I'm now at the end of my - limited - knowledge of both Samba and Windows and would therefore like to ask whether anyone on this list may be able to hit me with the appropriate clue stick and/or point me in the direction of the proper TFM. Any tips for solving or even just debugging this are most welcome.

Thanks in advance,

Thomas
Martin Hochreiter
2011-Oct-18 17:10 UTC
[Samba] Migrating user accounts Samba 3.5.3 to Windows 2003 (2008)
On 18.10.2011 17:58, ITSEF Admin wrote:
> Hi all,
>
> I need some help with the following problem:
>
> I need to migrate a bunch of user accounts to another domain on a Windows 2003
> server (eventually to 2008R2, but that step seemed too big to do in one go).
> To keep all access rights etc. correct, I need to get the SID history set
> correctly as well.
>
>
> From what I've researched so far, I'm aware of
> http://lists.samba.org/archive/samba/2005-April/103743.html
> and
> http://lists.samba.org/archive/samba/2005-June/107028.html
>
> which basically state that this migration should be possible using ADMT. As
> far as I know, I have all prerequisites in place as listed in those
> postings, however, I still cannot get ADMT to run. It does find the Samba
> server and recognises it as domain controller for OLDDOMAIN, but when I ask
> it to migrate SID history as well, I get a rather cryptic error "Could not
> verify auditing and TcpipClientSupport on domains. Will not be able to
> migrate Sid's. The system cannot find the file specified." Unfortunately,
> Aunt Google does not have much on that one... Neither tshark nor Process
> Monitor nor the Samba logs provided any additional clues (that I would
> recognise), so this was a dead end for the time being.
>
> After having checked and re-checked domain trusts, administrator accounts
> (with equal passwords), SID filters being off, ... on both machines, I then
> tried a different approach: The "sidhist.vbs" script from the 2003 support
> tools, which in theory should be able to accomplish the same. However, when I
> try to run this script, I also get an error: "Error 0x800706BA, Unable to
> read the configuration information of the computer "SAMBA_DC". The error was:
> The RPC server is unavailable." I've done a lot of searching on this one as
> well, I even went as far as running tshark on the connection to see whether
> that would yield any clues - but came up empty yet again.
>
> Unfortunately, I'm now at the end of my - limited - knowledge of both Samba
> and Windows and would therefore like to ask whether anyone on this list may
> be able to hit me with the appropriate clue stick and/or point me in the
> direction of the proper TFM. Any tips for solving or even just debugging this
> are most welcome.
>
> Thanks in advance,
>
> Thomas

Hi Thomas!

We did a complete migration from Samba 3.5.9 to Windows2008R2 - but we did not find any Windows tool that was helpful to migrate the password and the SID history.

So we installed an AD domain with a Win2008R2 Server and joined a Samba 4 pre 17. Then we migrated all (6000!) accounts with the Windows-based Active Directory Migration Tool version 2 (all higher ones are not working) and ran a script that converted the password hash into the form in which Samba 4 stores it and fed that, together with the SID history, into the Samba 4 database directly (with ldbedit tools).

Samba synced that with the Win2008R2 Server and that was almost working....

"Almost" means that a Windows 7 client can only authenticate (the user of course) if its request hits a Samba server and if the "password never expire" flag is set. If a user sets its password on the new AD domain then it was working with a Win2008R2 server too. WinXP does not show this behaviour.

We force the users to change their passwords quickly so we could shut down the Sambas a few days after the migration.

The SID history was working without any problems, from the beginning.

That is/was our working way.

regards
Martin
Michael Wood
2011-Oct-19 07:33 UTC
[Samba] Migrating user accounts Samba 3.5.3 to Windows 2003 (2008)
On 18 October 2011 17:58, ITSEF Admin <itsef-admin at brightsight.com> wrote:
> Hi all,
>
> I need some help with the following problem:
>
> I need to migrate a bunch of user accounts to another domain on a Windows 2003
> server (eventually to 2008R2, but that step seemed too big to do in one go).
> To keep all access rights etc. correct, I need to get the SID history set
> correctly as well.
[...]

Another possibility might be to upgrade to Samba 4 using:

    samba-tool domain samba3upgrade

I am not sure if/how you would migrate them to a Win2k3 server after that if the Windows box is already set up, but if not, you could probably just join the Windows box to the Samba 4 box as a DC after the upgrade and then, if necessary, remove the Samba4 DC from the domain.

People on the samba-technical list will have more information regarding Samba 4 and samba-tool domain samba3upgrade.

-- 
Michael Wood <esiotrot at gmail.com>