From: Gaiseric Vandal on
Windows 7 requires Samba 3.3.x or 3.4.x. I know between 3.4.x and 3.0.x
there are changes in how ldap and the samba group mapping work. If you don't
have group mapping working for some of the key domain groups things are
not going to work. I have to think there is a whole list of other
things that could possibly break.

If you really have to run samba on your RHEL5.x machine you may want to
recompile a newer version of samba.


On 02/12/2010 01:34 PM, Paul Furness wrote:
> Hi,
>
> I'm in need of some help with moving a Samba PDC with LDAP backend
> from Fedora linux to RHEL. The DNS is also running on that server and
> needs to be moved also. The DNS and LDAP migration was simple enough.
> The new server works just fine when using its own DNS and LDAP for
> authentication, and all the users appear to be intact after the LDAP
> import. nss_ldap is working just fine. The new server has the same
> hostname and IP address as the old one (it is, of course, plugged into
> a physically separate, isolated network with no connection to the
> outside or the original network).
>
> However, when I try to migrate samba, it simply doesn't work the way
> it apparently should! However I do it, workstations which work
> perfectly on the old PDC will not authenticate to the new one (I took
> a Windows XP box from the old network, plugged it into the new net,
> booted up, tried to login, and it naturally failed).
>
> I tried setting the ldap password in samba (smbpasswd -w) and starting
> up smb. It appears to start up ok, but then won't recognize any
> workstation trusts (I actually tried a couple of workstations); when I
> attempt to log in to the workstation, it fails to connect to the DC.
> /var/log/messages gives me "_net_auth2: creds_server_check failed.
> Rejecting auth request from client..."
>
> So I stopped Samba, removed all the tdb files from /var/cache/samba
> and /etc/samba. I then copied the tdb files from the running PDC over.
> Again, Samba seems to run perfectly, stating that it's the login
> controller etc. But still I cannot log in to the existing domain
> accounts.
>
> I checked the SID is the same on the new server - it is. I checked the
> PC account still exists by using finger to check for the linux
> account, and then pdbedit -L to check what samba sees. Again, it all
> appears fine.
>
> It *may* be possible to re-join the domain with the workstation, but
> I'm fed up with doing that every time I upgrade, and I refuse to
> accept that it's necessary - the network I'm running has about 100 PCs
> on it, and it takes a long time and causes far too much disruption.
> Surely it MUST be possible to get the new samba build to use the
> authentication information generated by the old one?!
>
> I've tried all the different guides I can find, and spent a lot of
> time googling error messages, but nobody seems to have explained the
> answer to the problem, although various people seem to have a
> variation of it, usually caused by trying to migrate Samba from one
> box to another.
>
> I've encountered almost exactly the same set of problems every time
> I've tried to migrate Samba to a new server - so I freely acknowledge
> that it may be a simple fundamental thing which I don't understand but
> should do. But I don't think it's necessarily software version related
> - I tried moving to a test build using Fedora 12 and got exactly the
> same problems, and that was using newer versions of most of the packages.
>
> I've tried the Samba documentation, google, reading mailing lists, and
> just good old working it out myself, but it still simply doesn't work.
>
> So please, is there someone who can give me a clear and concise answer
> - why is it so hard to do this? Surely all the data is stored in the
> LDAP database, which is perfectly fine. So why won't Samba
> authenticate the trusts?
>
>
> Version info:
>
> Working PDC:
> Fedora 10, kernel 2.6.27
> Samba 3.2.15, smbldap-tools 0.9.5
> openldap 2.4.12
>
> New PDC (not working):
> RHEL 5.4, kernel 2.6.18
> Samba 3.0.33, smbldap-tools 0.9.4
> openldap 2.3.43
>
>
> The workstations I tried connecting with were Windows XP (sp3) and
> Windows 7 (just didn't even bother with Vista). The Windows 7 was
> failing on the "working" PDC - would join the domain ok but then not
> be able to get trust after reboot. This is why I started trying this
> migration in the first place.
>
> On the new PDC, the Win7 workstation does exactly what it did before -
> seems to join domain ok, then trust fails.
>
> Any ideas at all would be appreciated.
>
> Thanks,
>
> Paul.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Stan Hoeppner on
Paul Furness put forth on 2/12/2010 12:34 PM:

> It *may* be possible to re-join the domain with the workstation, but I'm
> fed up with doing that every time I upgrade...

Hi Paul. Not trying to be a jerk or anything, but you didn't *upgrade* in this
scenario. You *downgraded* in a big way. Look at the revs on everything below.
Every single one dropped far back in the time machine by moving to RHEL. Any
distro with "Enterprise" or "Stable" in the name is bound to be quite a bit
behind the bleeding edge. The free community distro versions are where the edge
development occurs. You were running such an edgy distro and then went
"Enterprise". That is never a good idea, and you are learning why in this case.
You need to upgrade these packages back up to their previous revs, if you can.
If not, put the identical Fedora setup on the new machine.

> Version info:
>
> Working PDC:
> Fedora 10, kernel 2.6.27
> Samba 3.2.15, smbldap-tools 0.9.5
> openldap 2.4.12
>
> New PDC (not working):
> RHEL 5.4, kernel 2.6.18
> Samba 3.0.33, smbldap-tools 0.9.4
> openldap 2.3.43

--
Stan
From: Paul Furness on
Hi, Stan,

You make a fair point, the versions of stuff are all older. I never said
I was *upgrading* (although I did mention that I often have this kind of
issue if I upgrade the PDC - perhaps I should have said "every time I
*change* the PDC") and I know darn well that moving from newer to older
versions may prove difficult. However, I did also say that I've
encountered almost exactly the same set of problems every time I try to
migrate Samba to a new server, and this is still the case for *any* new
server, whatever version I'm going from / to. (for instance, I tried
moving it to an F12 build last month, before I tried RHEL, and it was
even more difficult to get it to work - which is why I gave up and
figured I should take a look at a commercial version).

I guess that what I'm really hoping for is that someone on this list can
clarify for me whether or not the LDAP holds all the samba account
information and passwords (with the notable exception of the LDAP
manager password which, as far as I can work out, is stored in
"secrets.tdb"). If that is the case, then I could really use some
suggestions as to why Samba might read the LDAP fine, but refuse trust
accounts permission.

Like I said, maybe I have missed something fundamental in my
understanding of what Samba does / how it works. But I have been running
my PDC using Samba for about 7 years now, so I guess I've at least got
some of the basics. :)

It's also become clear to me over the last day or so that, whatever else
I do, I'm going to need to upgrade to a very recent version of Samba
because I also have to support Windows 7, so I'll do this. But I still
don't know why it doesn't work with old versions of windows (XP) which
have been working fine with Samba for a whole lot of versions.

Thanks,

Paul.


--
Paul Furness BEng(Hons) MBCS
Systems Manager

MERCE UK
20, Frederick Sanger Road
The Surrey Research Park
Guildford, Surrey GU2 7YD
UK Registered Branch BR 003158
DDI Telephone: +44 1483 885826
Tel: +44 1483 885800 Fax: +44 1483 579107
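The checks Paul describes (same domain SID on the new PDC, trust accounts visible in pdbedit -L and in LDAP) can be scripted so they run the same way after every migration. This is an added example, not a script from the thread or from the Samba project; the pdbedit, ldapsearch and net getlocalsid output below is constructed so it runs offline, and the domain name, OUs and SIDs are made up.

```shell
#!/bin/sh
# Added example: cross-check a migrated Samba 3 PDC's machine trust accounts
# against the LDAP backend and the domain SID. Replace the constructed
# variables with real output of `pdbedit -L`, `ldapsearch -LLL uid sambaSID`
# and `net getlocalsid` taken on the old and new PDC.

# Constructed `pdbedit -L` output (name:uid:full name) from the new PDC.
PDB_OUT='paul:1001:Paul Furness
ws01$:1101:Workstation ws01
ws02$:1102:Workstation ws02'

# Constructed `ldapsearch -LLL uid sambaSID` output for sambaSamAccount objects.
LDAP_OUT='dn: uid=paul,ou=Users,dc=example,dc=local
uid: paul
sambaSID: S-1-5-21-1111-2222-3333-3002

dn: uid=ws01$,ou=Computers,dc=example,dc=local
uid: ws01$
sambaSID: S-1-5-21-1111-2222-3333-3202

dn: uid=ws02$,ou=Computers,dc=example,dc=local
uid: ws02$
sambaSID: S-1-5-21-1111-2222-3333-3204'

# Constructed `net getlocalsid` results from the old and the new PDC.
OLD_SID='S-1-5-21-1111-2222-3333'
NEW_SID='S-1-5-21-1111-2222-3333'

# Drop the trailing RID from an account SID to obtain its domain SID.
domain_of() { printf '%s\n' "$1" | sed 's/-[0-9]*$//'; }

# Machine trust accounts are the SAM entries whose name ends in "$".
trust_accounts() { printf '%s\n' "$1" | awk -F: '$1 ~ /\$$/ {print $1}' | sort; }

# Succeed only when every trust account seen by pdbedit has an LDAP entry
# whose sambaSID belongs to the given domain SID; name the offenders otherwise.
check_trusts() {
    sid="$1"; rc=0
    for acct in $(trust_accounts "$PDB_OUT"); do
        entry_sid=$(printf '%s\n' "$LDAP_OUT" | awk -v u="$acct" '
            $1=="uid:" && $2==u {hit=1} hit && $1=="sambaSID:" {print $2; exit}')
        [ -n "$entry_sid" ] || { echo "missing in LDAP: $acct"; rc=1; continue; }
        [ "$(domain_of "$entry_sid")" = "$sid" ] || { echo "foreign SID: $acct $entry_sid"; rc=1; }
    done
    return $rc
}

[ "$OLD_SID" = "$NEW_SID" ] && echo "domain SID unchanged" || echo "domain SID differs"
check_trusts "$NEW_SID" && echo "all trust accounts resolve to this domain"
```

A trust account that exists in pdbedit but not in LDAP, or whose sambaSID belongs to a different domain SID than the new PDC reports, is worth looking at before re-joining any workstations.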