[Samba] Profiles change when migrating from NT4 to Samba PDC

Philip Washington phwashington at comcast.net
Thu Oct 13 04:33:57 GMT 2005 

Andrew Bartlett wrote:
> On Sat, 2005-10-08 at 09:29 -0500, Philip Washington wrote:
>
>   
>> I was under the impression that once the PDC was transferred then USER2 
>> could log into the MACHINE2 and not have any indication that there was a 
>> difference in the platform the PDC was running on or that there had been 
>> a change.
>>     
>
> This very much depends on what the values on the old PDC are and what
> you have set in your new smb.conf.  
>
> You haven't told us very much about how your domain is setup, what
> values you found in the replica LDAP, and in particular what you saw the
> client doing in the domain logon. 
>
> In particular, is the logon path filled in, in the SamLogon reply?
> (observed best with a level 10 debug).  Does the client attempt to
> contact the roaming profile server?  What is your logon path set to in
> NT4, and what is the value in LDAP now?  Anything else in the logs?
>
> Andrew Bartlett
>
>   
I'm redoing the samba setup again and will try to get more of this 
information.  We actually tried this a year ago with 3.0.0 and were able 
to get the logons, but the profiles were changing.  We are going to try 
again and follow the directions in the new version of Samba3 -examples.  
What I was trying to avoid was the 2 or 3 days getting it up and tested 
and then find out that USER1 on MACHINE1 has a different profile, that 
what he had before.  We do not use roaming profiles.

Also if anybody knows what is the best was to start the ldap server over 
from scratch and make sure it has been completely clean of previous 
attempts.

I'm hoping that by tomorrow I'll have the server up and running and 
begin testing
We are using smbldap-tools.tar.gz version 9.0.0
samb-3.0.10-1.4e

What if I decide to start this over from scratch.  What is the best way 
to clear out the LdAP server and start all over?   I think that  we  
are  close to having everything correct, but something just isn't quite 
right.

The latest incantation doesn't appear to be working ( we haven't back 
tested but were testing as we went along and didn't see a lot of problems.
The smb.conf 
-----------------------------------------------------------------------
/|[global]|/
/|workgroup = DOMAINA
|/
/|netbios name = MERLIN
|/
/|passdb backend = ldapsam:ldap://localhost|/
/|log level = 1|/
/|syslog = 0|/
/|log file = /var/log/samba/%m|/
/|max log size = 0|/
/|smb ports = 139 445|/
/|name resolve order = wins bcast hosts|/
/|add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'|/
/|#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'|/
/|add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'|/
/|#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'|/
/|add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m '%u' 
'%g'|/
/|#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x 
'%u' '%g'|/
/|set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' 
'%u'|/
/|add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'|/
/|logon script = scripts\logon.cmd|/
/|logon path = \\%L\profiles\%U|/
/|logon home = \\%L\%U|/
/|logon drive = X:|/
/|domain logons = Yes|/
/|#domain master = Yes
|/
/|wins support = Yes|/
/|#wins server = 192.168.1.20|/
/|ldap admin dn = cn=Manager,dc=domaina,dc=org|/
/|ldap group suffix = ou=Groups|/
/|ldap idmap suffix = ou=Idmap|/
/|ldap machine suffix = ou=People|/
/|ldap passwd sync = Yes|/
/|ldap suffix = dc=domaina,dc=com|/
/|ldap ssl = no|/
/|ldap timeout = 20|/
/|ldap user suffix = ou=People|/
/|idmap backend = ldap:ldap://localhost|/
/|idmap uid = 15000-20000|/
/|idmap gid = 15000-20000|/
/|winbind nested groups = Yes|/
/|ea support = Yes|/
/|map acl inherit = Yes|/


/|[apps]|/
/|comment = Application Data|/
/|path = /data/home/apps|/
/|read only = No|/

/|[homes]|/
/|comment = Home Directories|/
/|path = /home/users/%U/Documents|/
/|valid users = %S|/
/|read only = No|/
/|browseable = No|/

/|[printers]|/
/|comment = SMB Print Spool|/
/|path = /var/spool/samba|/
/|guest ok = Yes|/
/|printable = Yes|/
/|use client driver = No|/
/|browseable = No|/

/|[netlogon]|/
/|comment = Network Logon Service|/
/|path = /var/lib/samba/netlogon|/
/|guest ok = Yes|/
/|locking = No|/

/|[profiles]|/
/|comment = Profile Share|/
/|path = /var/lib/samba/profiles|/
/|read only = No|/
/|profile acls = Yes|/

/|[profdata]|/
/|comment = Profile Data Share|/
/|path = /var/lib/samba/profdata|/
/|read only = No|/
/|profile acls = Yes|/

/|[print$]|/
/|comment = Printer Drivers|/
/|path = /var/lib/samba/drivers|/


testparm after this looks good
After going through the steps in Ch9 to config slapd-tool and then doing 
a transfer
we get to the part where we run
net rpc vampire -S DomainAServ -UAdministrator%not24get

pbedit -Lw
and some of the data looks okay but we have some users with
User2:9:XXXXXXXXXXXXXXXXXXXXXXXXXXX.......
User3:10:XXXXXXXXXXXXXXXXXXXXXXXXXX.....


I have also been forwarded 3 emails with the same problem and there 
hoping I'll find a solution.

More information about the samba mailing list