We sleep, we wake, we go back to work.
When we get into work this morning we find out that some things had fallen out of the domain in all the fscking around last night. And we still don't have a working machine add to put them back in. Curse, experiment, discuss... The decision is made to try a home build of the newer Samba 3, instead of the downloaded binaries, and we are assured that all the paths are the same and everything should just work. Install, restart, and things go completely sideways. Stock samba is reinstalled, LDAP restored from a slave, and everything restarted.
This time, many things have fallen out of the domain, including our two main samba file servers. Eventually, a technique is discovered to restore some of the Windows domain trusts. It turns out that the LDAP slave chosen for the restore didn't have all the machine password changes. Restoring passwords from a different slave allowed some machines to rejoin. This worked for one of the file servers, but not the other. I spent most of the afternoon trying to get the other server back into the domain. I found an unadvertised tool to take apart the samba secrets.tdb file, but the failed server is running 2.2.8 and the working server is running 3.<mumble>, so comparing the two is only marginally helpful. Late in the afternoon, we are able to manually beat the other server back into the domain.
Things start to look vaguely better and all we're left with is these Windows machines which have fallen out of the domain. People start heading home, and only myself and our Team Lead are left sweeping up.
We're discussing the state of affairs, and I mention in stream of consciousness mode, "So, we need a samba account that maps to UNIX uid 0. The question is does <samba domain admin> have a UNIX..."
Team Lead: "Aaagh!"
Me: "...account?" The team lead turns to his computer and begins typing furiously. I start thinking while he types and realize my question is nonsensical. <samba domain admin> is in LDAP as a POSIX (and samba) account with uid 0, so UNIX will see it as uid 0. Team Lead tries a domain join and Success!
It turns out that while the sambaLMPassword and sambaNTPassword were set, the UNIX password in LDAP isn't. Apparently, this is why the account kept being disabled and the passwords deleted.
Gah! At least things are working now.
Tuesday, March 6, 2007

1 comments:
Mmm... Sweat SAMBA loving... Good Luck.