samba-users August 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: Re: [Samba] Migrating samba domain to new computer.

Re: [Samba] Migrating samba domain to new computer.

From: Gaiseric Vandal <gaiseric.vandal_at_nospam>
Date: Mon Aug 30 2010 - 12:54:55 GMT
To: samba@lists.samba.org

The localsid on a DC should be the domain sid. You should be able to
fix this with "net setlocalsid" command.

Generally in Windows you want to assign permissions and rights to a
group rather than directly to a user. As long as your Administrator
account is in the "Domain Admins" group and that group has a sid of
"*****-512" you should be OK. I don't think Samba automatically adds
any rights or permissions to the Administrator user. I had explicitly
added some rights to my Administrator account after upgrading to Samba
3.4.8 when trying to fix some other issue- it may not have been
necessary though.

# net rpc rights list Administrator -S myserver -U Administrator
Enter Administrator's password:
SeMachineAccountPrivilege
SeAddUsersPrivilege

I am pretty sure if you run gpedit on a windows machine and look at
rights you will see that the rights are assigned to the Administrator
group not the domain administrator.

On 08/27/2010 02:56 PM, John McMonagle wrote:
> How about some more specific problems.
>
> noticed that there is no localsid.
> net getlocalsid
> [2010/08/27 13:48:15, 0] utils/net.c:net_getlocalsid(708)
> Can't fetch domain SID for name: OSHKOSH
>
> I have seen mention that the localsid should be the same as the domainsid
> when using ldap.
> Is that true?
>
> Seen comments that the user sid for the administrator must end with -500.
> Is that true?
> Mine is not. it will be painfull to change but I can deal with it.
>
> Thanks
>
> John
>
> On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
>
>> Should have read this first:
>> http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
>>
>> Problem is I did it the wrong way on a few production systems.
>> Odds are this is the second time I did it wrong.
>>
>> Running Debian Lenny using smbldap.
>> It mostly works.
>> Existing members of the domain are working OK.
>> The first thing that got my attention is was not able to join a new xp
>> workstation to the domain.
>>
>> Also noticed that the server is not a member of the domain.
>> net rpc testjoin
>> [2010/08/26 14:20:26, 0]
>> rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
>> get_schannel_session_key: could not fetch trust account password for
>> domain 'ADVOCAP'
>> [2010/08/26 14:20:26, 0] utils/net_rpc_join.c:net_rpc_join_ok(87)
>> net_rpc_join_ok: failed to get schannel session key from server FONDY for
>> domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>> Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>
>> Can not join domain:
>> net join -U administrator
>> Enter administrator's password:
>> [2010/08/26 14:25:48, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(349)
>> error setting trust account password: NT_STATUS_ACCESS_DENIED
>>
>> tdbdump secrets.tdb
>> does not show any entry for the server
>>
>> Looked at one of the old servers secrets.tdb
>> and it did not have and entry for that server either.
>>
>> Any suggestions on the best way to fix this?
>>
>> John
>>
>

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba