[Samba] Re: migrate profile from an old server to a new one - SID and ntuser.dat problem

Pierre Lebrun ple001 at artic.fr
Thu Dec 8 08:37:12 GMT 2005


christoph empl wrote:
> Hallo,
> 
> i think that my problem is getting smaller, but still
> not small enough.
> In between, i reinstalled samba. Now i have the
> correct sid for the server and domain, and my users
> have correct sids (see below), the server-, netbios
> and domainname are the same as on the old server, i
> preserved the uids and gids of the old server,
> actually i copied the passwd, shadow, smbpasswd on the
> new server.
> But the problem is still: when i log onto a
> workstation as a user, his old settings from the old
> server are lost. He gets the desktop and whole
> settings of the default user. There is no clue in the
> logs why the user has (obviously) no access to his
> ntuser.dat.
> 
> 
> ==================
> 
> wap-samba:/ # net getlocalsid SAMBA
> SID for domain SAMBA is: S-1-5-21-918075609-1705896514-2904333612
> 
> ==================
> 
> wap-samba:/ # pdbedit -Lv empl
> Unix username:        empl
> NT username:
> Account Flags:        [UX         ]
> User SID:             S-1-5-21-918075609-1705896514-2904333612-22120
> Primary Group SID:    S-1-5-21-918075609-1705896514-2904333612-1203
> Full Name:            Empl Christoph
> Home Directory:       \\samba\empl
> HomeDir Drive:
> Logon Script:
> Profile Path:         \\samba\empl\profile
> Domain:               SAMBA
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          9223372036854775807 seconds since the Epoch
> Kickoff time:         9223372036854775807 seconds since the Epoch
> Password last set:    Tue, 06 Dec 2005 16:49:42 GMT
> Password can change:  Tue, 06 Dec 2005 16:49:42 GMT
> Password must change: 9223372036854775807 seconds since the Epoch
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
> =========================
> 
> [2005/12/07 12:19:15, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password:  authentication for user [empl] -> [empl] -> [empl] succeeded
> [2005/12/07 12:19:15, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password:  authentication for user [empl] -> [empl] -> [empl] succeeded
> [2005/12/07 12:19:15, 1] smbd/service.c:make_connection_snum(647)
>   celsius01 (129.187.97.131) connect to service empl initially as user empl (uid=10560, gid=101) (pid 4701)
> [2005/12/07 12:19:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>   Returning domain sid for domain SAMBA -> S-1-5-21-918075609-1705896514-2904333612
> [2005/12/07 12:19:15, 2] smbd/open.c:open_file(245)
>   empl opened file profile/NTUSER.DAT read=Yes write=No (numopen=1)
> [2005/12/07 12:19:15, 2] smbd/open.c:open_file(245)
>   empl opened file profile/ntuser.ini read=Yes write=No (numopen=2)
> [2005/12/07 12:19:16, 2] smbd/close.c:close_normal_file(270)
>   empl closed file profile/ntuser.ini (numopen=1)
> [2005/12/07 12:19:16, 2] smbd/open.c:open_file(245)
>   empl opened file profile/ntuser.ini read=Yes write=No (numopen=2)
> [2005/12/07 12:19:16, 2] smbd/open.c:open_file(245)
>   empl opened file profile/ntuser.pol read=Yes write=No (numopen=3)
> [2005/12/07 12:19:16, 2] smbd/close.c:close_normal_file(270)
>   empl closed file profile/NTUSER.DAT (numopen=2)
> [2005/12/07 12:19:16, 2] smbd/open.c:open_file(245)
>   empl opened file profile/NTUSER.DAT read=Yes write=No (numopen=3)
> [2005/12/07 12:19:17, 2] smbd/open.c:open_file(245)
>   empl opened file profile/NTUSER.DAT.LOG read=Yes write=No (numopen=4)
> [2005/12/07 12:19:23, 2] smbd/open.c:open_file(245)
>   empl opened file profile/.fonts.cache-1 read=Yes write=No (numopen=5)
> [2005/12/07 12:19:23, 2] smbd/open.c:open_file(245)
> 
> 
> thanks for your answers, Christoph
> 
> 
> 
> Hi, 
> 
> thank you for your quick answer...
> 
> Sorry, i forgot to tell you that i replaced the sid of
> the new server with the sid of the old server. 
> But then i have the problem that the user sid (and
> gid) are structured like this:
> old-sid-from-the-new-server-uid and not
> sid-from-the-old-server-uid (the head of the users sid
> consists of the sid from the new server, the one that
> i replaced with the sid of the old server). So the
> Users don't have access rights to their profiles,
> because they don't have their original sids.
> 
> thank you, Christoph
> 
> Christoph,
> 
> Your problem is that while having a new server, by default
> you have a new server SID. The problem is that you want to
> manage users who own SIDs from your 2.2 server. As we can't
> imagine losing all user profiles, you have to set the 2.2
> samba server SID on your 3.0 samba server.
> 
> This is a common migration problem.
> 
> What you must do is:
> 
> 1) On Samba 2.2: pick your 2.2 server SID
> 
> smbpasswd -X {your_domain}
> This will give you a string like this one:
> SID for domain mydomain is: S-1-5-21-1547254743-587533270-2928086249
> 
> 
> 2) On Samba 3.0: setting 3.0 SID with SID picked on 2.2
> Save the current 3.0 SID for eventual recovery needs
> net getlocalsid > file_to_save_3.0_SID
> 
> Set 2.2 SID on 3.0 PDC like this:
> net setlocalsid S-1-5-21-1547254743-587533270-2928086249
> 
> Restart samba and I think things should go better.
> 
> Regards,
> 
> Pierre
> 
> christoph empl wrote:
>> Hi,
>>
>> i did the change according to your guideline, but i
>> don't know how i can preserve the sids and gids of the
>> users. I am working with exactly the same uids and gids
>> as on the old server, i have changed the sid of the
>> server (is it a problem that "net getlocalsid" shows
>> another sid than "net getlocalsid domainname"?), but
>> the user sids differ from the user sids from the old
>> server. Is it a solution to change all sids in each
>> ntuser.dat to the new value?
>> Is it possible that the mistake is that i have to give
>> the new server a different hostname (routing and
>> testing reason), or why isn't it enough to change its
>> sid with "net setlocalsid oldSID"?
>>  
>> thank you very much, Christoph
>>
>>
>> On Wednesday 30 November 2005 09:49, christoph empl
>> wrote:
>>> Hi,
>>>
>>> my problem is the following:
>>> i am trying to replace an old SUSE 8.2, Samba 2.2
>>> domain controller with a SUSE 9.3 system with samba
>>> 3.0 as PDC.
>>> Everything works fine, i can join the new domain, i
>>> replaced the machine and domain sid from the new
>>> server with the old ones.
>> I hope you followed the guidance documented in chapter
>> 8 of my book "Samba-3 by Example, second edition". This
>> book is available from Amazon.Com in printed form, or if
>> you want PDF you can obtain it from:
>>
>> http://www.samba.org/samba/docs/Samba3-ByExample.pdf
>>
>>> But how can i reuse the profiles from the old machine
>>> at the new one?
>>> If i make a simple remote copy, the settings of the
>>> users are lost, i miss my german keyboard layout and
>>> so on.
>> On the old machine:
>>
>> 	cd /var/lib/samba
>> 	rsync -ave ssh profiles newmachine:/var/lib/samba
>>
>>> I think that this is a problem regarding the sids of
>>> the users. How can i find out the sids from the old
>>> machine and how can i replace the new ones with the
>>> old ones on the new server?
>> You must preserve the uids and gids - see chapter 8
>> referred to above.
>>
>>> I tried to do it with " pdbedit -u username -G oldSID"
>>> (i retrieved the old SID from the logs, but i don't
>>> know how to generally get it), but it obviously isn't
>>> changed, because "pdbedit -Lv username" still shows
>>> the old SID.
>> - John T.
>>


Did you check file/directory permissions and ACLs after
the transfer to the new system?

Pierre.
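
The two checks this thread keeps coming back to (do the user SIDs sit under the domain SID, and are the copied profile files owned by the uid smbd connects as), sketched as an added example that is not part of the original messages. The function names, the sample accounts and the sample SIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# check_user_sids DOMAIN_SID   (reads `pdbedit -Lv` output on stdin)
# Prints "user sid" for every account whose User SID is not DOMAIN_SID-<RID>.
# Exit status is 1 if at least one account lies outside the domain SID.
check_user_sids() {
    awk -v dom="$1" '
        /^Unix username:/ { user = $3 }
        /^User SID:/ {
            sid = $3
            # Mail-wrapped output may push the SID onto the following line.
            if (sid == "") { getline; sid = $1 }
            prefix = sid
            sub(/-[0-9]+$/, "", prefix)      # strip the trailing RID
            if (prefix != dom) { print user, sid; bad = 1 }
        }
        END { exit bad + 0 }'
}

# foreign_owned DIR UID
# Lists entries under DIR that are not owned by the numeric UID, i.e. the
# uid smbd reports in its make_connection_snum log line for that user.
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Constructed pdbedit -Lv excerpt: alice matches the domain, bob does not.
sample_pdbedit() {
    cat <<'EOF'
Unix username:        alice
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3000
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-1203
Unix username:        bob
User SID:
S-1-5-21-4444444444-5555555555-6666666666-3002
EOF
}

# Real use on the new server (paths and SID are placeholders):
#   pdbedit -Lv | check_user_sids "S-1-5-21-..."   # SID from: net getlocalsid
#   foreign_owned /path/to/profile 10560
```

Anything `foreign_owned` prints after an rsync or copy is a file whose owner was not preserved and is worth reviewing together with its mode and ACL.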


