Re: Moving a domain

2003-02-03 Thread Richard Sharpe
On Mon, 3 Feb 2003, Tom Alsberg wrote:

> > When smbd starts (and this includes at least 2.2.3, I believe, and beyond 
> > to 3.0.x), it checks to see if there is a SID in the secrets file with the 
> > key SECRET/SID/UCNBNAME, where UCNBNAME is the uppercase NetBIOS name.
> 
> You mean - the uppercase NetBIOS name of the server (where smbd runs)
> - right?

Yup
 
> > If one does not exist, it will create a new random SID, set the machine 
> > SID to that, and then set the domain SID to that! If the SID changes, even 
> > if you have preserved the trust accounts and their current passwords, 
> > Windows will complain that the SID is inconsistent with what it had when 
> > it joined.
> 
> OK.  But if I copy the SID file[s]?

If you copy the secrets file, you still need to make sure smbd runs with 
the same NetBIOS name.

> > The SID for the old machine name is still in the secrets file, and you can 
> > use tdbdump to find the keys, and thus the old machine name if you need 
> > to.
> 
> What do you mean by 'old machine name'?  I most probably know the name
> of the machine which was previously acting as the server.

Yup.

> > 
> > This is relevant to your questions below.
> >  
> > > The question is - if any of you have experience, or theoretical facts
> > > and ideas about this - would this work?  For users who only use it as a file
> > > and print server, it most probably would.  But as a domain controller
> > > - the clients remember a few things, and the server remembers a few
> > > things.
> > > 
> > > The SID and secrets files should probably be copied...  But then,
> > > should clients who are already in the domain be able to continue using
> > > it, without leaving and re-joining it?
> > 
> > You probably only really need the secrets file and the smbpasswd or 
> > whatever passwd database you are using for Windows accounts.
> 
> OK...  That's not a problem to preserve, I assume...

Correct.

> > 
> > If the NetBIOS name changes, you have a couple of choices, as outlined at 
> > www.richardsharpe.com.
> 
> Well, I took a look at some of the information there...  Useful
> advice...
> But anyway, I was speaking of the NetBIOS name not changing (nmbd will
> run with the -n flag to have the same NetBIOS name, no matter on what
> machine it is running).

That is good.

> > As soon as Samba 2.2.8 ships you will retrieve the old SID and
> > re-establish that as the machine SID for your Samba server and  the
> > domain SID. You can already do that with the net command for Samba
> > 3.0.x.
> 
> I didn't know Samba 3 had a net command...  I'll look into it.
> 
> Anyway, so now, after all - could you say - would it work?
> If I kill Samba on one machine, start it on another machine, with nmbd
> getting the same -n flag, and about the same configuration, and I copy
> the secret files - will log-ons to the domain (from machines that have
> already joined in the past) work without re-joining it?  Would there
> be any other problem?

I expect you will be fine. However, I have not tried that.

> As I understand from your message, there should not be any problem.
> Is this right?

I think you will be OK. Let us know :-)

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




Re: Moving a domain

2003-02-02 Thread Richard Sharpe
On Sun, 2 Feb 2003, Tom Alsberg wrote:

> Now this is a little mess when moving to a different server.  I
> decided to try out the common way, and gave a CNAME alias cifserver to
> the new machine, and am running nmbd on it with the -n flag (-n
> CIFSERVER) to use that NetBIOS name as well (the domain name is now
> CS-HUJI).

When smbd starts (and this includes at least 2.2.3, I believe, and beyond 
to 3.0.x), it checks to see if there is a SID in the secrets file with the 
key SECRET/SID/UCNBNAME, where UCNBNAME is the uppercase NetBIOS name.

If one does not exist, it will create a new random SID, set the machine 
SID to that, and then set the domain SID to that! If the SID changes, even 
if you have preserved the trust accounts and their current passwords, 
Windows will complain that the SID is inconsistent with what it had when 
it joined.

The SID for the old machine name is still in the secrets file, and you can 
use tdbdump to find the keys, and thus the old machine name if you need 
to.

This is relevant to your questions below.
 
> The question is - if any of you have experience, or theoretical facts
> and ideas about this - would this work?  For users who only use it as a file
> and print server, it most probably would.  But as a domain controller
> - the clients remember a few things, and the server remembers a few
> things.
> 
> The SID and secrets files should probably be copied...  But then,
> should clients who are already in the domain be able to continue using
> it, without leaving and re-joining it?

You probably only really need the secrets file and the smbpasswd or 
whatever passwd database you are using for Windows accounts.

If the NetBIOS name changes, you have a couple of choices, as outlined at 
www.richardsharpe.com. As soon as Samba 2.2.8 ships you will retrieve the 
old SID and re-establish that as the machine SID for your Samba server and 
the domain SID. You can already do that with the net command for Samba 
3.0.x.

HTH.

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
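
The secrets-file check described in the message above (a SID stored under a key for the uppercase NetBIOS name, otherwise a fresh random SID at startup), worked as an added example that is not part of this thread or of Samba itself: a small Python pre-flight check that parses tdbdump-style output, decodes the stored SIDs, lists the old machine names found, and reports whether smbd started under a given NetBIOS name would reuse a stored SID or generate a new one. The dump is constructed, and the key prefix follows the message (SECRET/SID/); substitute whatever prefix your own tdbdump output shows.

```python
import re
import struct

# Constructed sample in the shape of tdbdump output (not a real dump). The key
# prefix follows the message above (SECRET/SID/); use what your own dump shows.
SAMPLE_DUMP = r'''
{
key(16) = "SECRET/SID/DEVIL"
data(24) = "\01\04\00\00\00\00\00\05\15\00\00\00\E8\03\00\00\D0\07\00\00\B8\0B\00\00"
}
{
key(17) = "SECRET/SID/PROMIL"
data(24) = "\01\04\00\00\00\00\00\05\15\00\00\00\01\00\00\00\02\00\00\00\03\00\00\00"
}
'''

RECORD_RE = re.compile(r'key\(\d+\) = "([^"]*)"\s+data\(\d+\) = "([^"]*)"')

def unescape(text):
    """Turn tdbdump's \\XX hex escapes back into bytes; other characters are literal."""
    tokens = re.findall(r'\\[0-9A-Fa-f]{2}|.', text)
    return bytes(int(t[1:], 16) if t.startswith('\\') else ord(t) for t in tokens)

def parse_dump(text):
    """Return {key: raw value bytes} for every record in the dump text."""
    return {key: unescape(value) for key, value in RECORD_RE.findall(text)}

def sid_to_str(blob):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities."""
    rev, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], 'big')
    subs = struct.unpack_from('<%dI' % count, blob, 8)
    return 'S-%d-%d-%s' % (rev, authority, '-'.join(str(s) for s in subs))

def sid_keys(records, prefix='SECRET/SID/'):
    """Map NetBIOS name -> SID string for every SID record, so the old machine
    names (and the SIDs clients joined under) can be read off the dump."""
    return {k[len(prefix):]: sid_to_str(v)
            for k, v in records.items() if k.startswith(prefix)}

def check_startup(records, netbios_name, prefix='SECRET/SID/'):
    """What smbd would do under this NetBIOS name, per the message above:
    reuse the stored SID if its key exists, otherwise mint a new random SID
    that clients which joined under the old SID will reject."""
    known = sid_keys(records, prefix)
    name = netbios_name.upper()
    if name in known:
        return ('reuse', known[name])
    return ('new-sid', sorted(known))  # names whose SID you could carry over
```

Run it against a real dump (tdbdump of the secrets file, saved to a text file) before starting smbd on the new machine; a 'new-sid' result for the name you pass to nmbd -n means the stored SID would not be picked up.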




Moving a domain

2003-02-02 Thread Tom Alsberg
Hi there.
I've got a question - I have not yet had the opportunity to try this.

When machines are switched, or servers moved from machines to
machines, the common solution is CNAME aliases of a symbolic name
(e.g. mail, www, ftp) to the actual machine, and having clients
of that service use the symbolic name - this way when the
machine is switched, or server moved to another machine, the alias is
changed to the new machine's name, and users should be able to
continue using it normally (if the clients are configured properly).

I am trying this thing with Samba now.  We had a Samba domain
controller on a machine that will not run it anymore.  Previously
users were accessing CIFS shares on the machine by its name, and the
domain name was prefixed with the machine's name (e.g. DEV - DEVIL,
PRO - PROMIL).

Now this is a little mess when moving to a different server.  I
decided to try out the common way, and gave a CNAME alias cifserver to
the new machine, and am running nmbd on it with the -n flag (-n
CIFSERVER) to use that NetBIOS name as well (the domain name is now
CS-HUJI).

The question is - if any of you have experience, or theoretical facts
and ideas about this - would this work?  For users who only use it as a file
and print server, it most probably would.  But as a domain controller
- the clients remember a few things, and the server remembers a few
things.

The SID and secrets files should probably be copied...  But then,
should clients who are already in the domain be able to continue using
it, without leaving and re-joining it?

  Thanks, any comments appreciated,
  -- Tom

-- 
A man on a boat...
A cat on a train.
He's clearing his throat...
She's smearing a stain.