[Samba] Re: Renamed PDC, now user profiles don't work

2004-05-11 Thread Anthony Chavez

I don't mean to be a pest, but I felt that I should reiterate my
questions again because I feel that it is an issue that recurs enough
to warrant inclusion in the HOWTO (or is it there and I'm just not
seeing it?).

And I'd like to re-emphasize that I'm offering to patch it. ;-)

On Tue, 04 May 2004 10:24:05 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
> On Tue, 04 May 2004 13:58:25 +1000 Andrew Bartlett [EMAIL PROTECTED] wrote:
> > On Tue, 2004-05-04 at 11:46, Anthony Chavez wrote:
> > > On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
> > > > I just changed the NetBIOS name of my PDC (*not* the name of the domain)
> > > > and now the security properties of the domain user profile on my
> > > > Win2kSP4 workstation shows S-1-5-21-... as the user rather than the
> > > > username.
> > >
> > > It turned out that this particular machine had a very shaky network
> > > connection.  Please disregard my post. ;-)
> >
> > However, as a warning to others - this can happen.  There was an issue
> > (and it still happens for domain members, for their 'local' users) where
> > if you rename a Samba machine, it can regenerate the local SAM sid.  On
> > a PDC, this is also the domain SID.
>
> After I had replaced the cable, I discovered that the problem was that
> the user was assigned a new SID after all.  Fortunately, the affected
> user stated that trashing the local profile was an option, so I just
> deleted the local copy and had the workstation snarf a fresh one off the
> server.
>
> A few questions, however:
>
> 1) Is a patch for this issue desirable?  Do we *want* users to retain
>    their SIDs after a machine gets a new name?  My initial response
>    would be yes, but I don't consider myself a M$ administration guru.
>
> 2a) What would be the proper procedure to follow in renaming a PDC?
>
> 2b) During a discussion on IRC, it was suggested (after I had already
> mucked about a bit and brought about the error in the first place)
> that I configure my new server name in the NetBIOS name parameter
> and my old one in the NetBIOS alias parameter.  I wasn't told that
> this would actually fix the problem, but I was given the impression
> that if I were to do that first, then disjoin and rejoin my
> workstations to the domain, it might.  Would it?
>
> 3) When I've got multiple workstations involved, one of my biggest
>    concerns is that any changes that happen to the local profile during
>    the name change get propagated to the server.  Is this going to have
>    to be done by hand if the SIDs change and the workstation doesn't
>    reassociate the server UID with the new SID?
>
> P.S.: I know what an SID is.  No, really. ;-)
>
> P.P.S.: Sorry for not mentioning this in my first post (I'm usually
> really good about doing so), but FWIW, I'm running 2.2.8a on FreeBSD
> 4.9-STABLE.  I also apologize for not posting my smb.conf---I usually do
> that as well.  I was in a bit of a hurry at the time.

-- 
Anthony Chavez http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED] jabber:[EMAIL PROTECTED]

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Renamed PDC, now user profiles don't work

2004-05-04 Thread Anthony Chavez

On Tue, 04 May 2004 13:58:25 +1000 Andrew Bartlett [EMAIL PROTECTED] wrote:
> On Tue, 2004-05-04 at 11:46, Anthony Chavez wrote:
> > On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
> > > I just changed the NetBIOS name of my PDC (*not* the name of the domain)
> > > and now the security properties of the domain user profile on my
> > > Win2kSP4 workstation shows S-1-5-21-... as the user rather than the
> > > username.
> >
> > It turned out that this particular machine had a very shaky network
> > connection.  Please disregard my post. ;-)
>
> However, as a warning to others - this can happen.  There was an issue
> (and it still happens for domain members, for their 'local' users) where
> if you rename a Samba machine, it can regenerate the local SAM sid.  On
> a PDC, this is also the domain SID.

After I had replaced the cable, I discovered that the problem was that
the user was assigned a new SID after all.  Fortunately, the affected
user stated that trashing the local profile was an option, so I just
deleted the local copy and had the workstation snarf a fresh one off the
server.

A few questions, however:

1) Is a patch for this issue desirable?  Do we *want* users to retain
   their SIDs after a machine gets a new name?  My initial response
   would be yes, but I don't consider myself a M$ administration guru.

2a) What would be the proper procedure to follow in renaming a PDC?

2b) During a discussion on IRC, it was suggested (after I had already
mucked about a bit and brought about the error in the first place)
that I configure my new server name in the NetBIOS name parameter
and my old one in the NetBIOS alias parameter.  I wasn't told that
this would actually fix the problem, but I was given the impression
that if I were to do that first, then disjoin and rejoin my
workstations to the domain, it might.  Would it?

3) When I've got multiple workstations involved, one of my biggest
   concerns is that any changes that happen to the local profile during
   the name change get propagated to the server.  Is this going to have
   to be done by hand if the SIDs change and the workstation doesn't
   reassociate the server UID with the new SID?

P.S.: I know what an SID is.  No, really. ;-)

P.P.S.: Sorry for not mentioning this in my first post (I'm usually
really good about doing so), but FWIW, I'm running 2.2.8a on FreeBSD
4.9-STABLE.  I also apologize for not posting my smb.conf---I usually do
that as well.  I was in a bit of a hurry at the time.

-- 
Anthony Chavez http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED] jabber:[EMAIL PROTECTED]


[Samba] Re: Renamed PDC, now user profiles don't work

2004-05-03 Thread Anthony Chavez

On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
> I just changed the NetBIOS name of my PDC (*not* the name of the domain)
> and now the security properties of the domain user profile on my
> Win2kSP4 workstation shows S-1-5-21-... as the user rather than the
> username.

It turned out that this particular machine had a very shaky network
connection.  Please disregard my post. ;-)

-- 
Anthony Chavez http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED] jabber:[EMAIL PROTECTED]


Re: [Samba] Re: Renamed PDC, now user profiles don't work

2004-05-03 Thread Andrew Bartlett
On Tue, 2004-05-04 at 11:46, Anthony Chavez wrote:
> On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
> > I just changed the NetBIOS name of my PDC (*not* the name of the domain)
> > and now the security properties of the domain user profile on my
> > Win2kSP4 workstation shows S-1-5-21-... as the user rather than the
> > username.
>
> It turned out that this particular machine had a very shaky network
> connection.  Please disregard my post. ;-)

However, as a warning to others - this can happen.  There was an issue
(and it still happens for domain members, for their 'local' users) where
if you rename a Samba machine, it can regenerate the local SAM sid.  On
a PDC, this is also the domain SID.

In current versions of Samba (3.0.1 or 3.0.2 I think) we make sure that
the 'domain' sid takes precedence, otherwise this really can happen, and
you need to get/set the domain sid.

net getlocalsid OLDNETBIOSNAME
net setlocalsid S-.

should do the job, for 3.0.  It also happens in Samba 2.2, but we don't
have 'net' there, and it's harder to fix.  I think there are details in
the archives.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
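
Added example, not part of the original posts and not Samba project code: the getlocalsid/setlocalsid step from Andrew Bartlett's reply above, written as a guarded script for Samba 3.0 that only calls setlocalsid when the SID really changed and the old value is well formed. The function names and the output format assumed for net getlocalsid are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project).
# Assumption: `net getlocalsid [NAME]` prints "SID for domain NAME is: S-1-5-21-...".
# Function names are hypothetical.

# Print the SID found in `net getlocalsid` output read from stdin.
extract_sid() {
    sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Succeed only for a machine/domain SID: S-1-5-21 plus three numeric sub-authorities.
# Rejects empty strings and elided values such as "S-1-5-21-...".
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# Print "same", "changed" or "invalid" for the SID under the old and new names.
compare_sids() {
    is_domain_sid "$1" && is_domain_sid "$2" || { echo invalid; return 0; }
    if [ "$1" = "$2" ]; then echo same; else echo changed; fi
}

# After the rename: put back the SID stored under the old NetBIOS name ($1)
# if the server now reports a different one.
restore_sid() {
    old=$(net getlocalsid "$1" | extract_sid)
    new=$(net getlocalsid | extract_sid)
    case $(compare_sids "$old" "$new") in
        same)    echo "SID unchanged: $old" ;;
        changed) net setlocalsid "$old" && echo "restored $old (was $new)" ;;
        *)       echo "refusing to set SID: could not read a valid SID" >&2; return 1 ;;
    esac
}

# Usage on the renamed server, as root:  restore_sid OLDNETBIOSNAME
```

On a PDC the value restored here is also the domain SID, so every user SID built from it resolves to a username again on the workstations.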

