2.0.2 SID problem?

Werner Gaubatz Werner_Gaubatz at Physik.TU-Muenchen.DE
Fri Feb 19 13:56:22 GMT 1999


Hi Chad!
You wrote: 

> In trying to move from 2.0 to 2.0.2, we found that all of our user
> profiles were rendered useless.  Anyone that logged on to the domain had
> a new profile created.  This is due to the SID fix, right?  Now that the
> SIDs have changed, NTUSER.DAT files with the old SIDs are useless.  Is
> there a workaround for this, or will we just have to start over with
> fresh profiles?

I had that problem just a week ago. I used the following procedure: 

1) Copy all (more or less) useless NTUSER.DAT files to a local NT machine:
ask all users to log in at that workstation. The profiles will be stored
locally in c:\winnt\profiles\$USER\NTUSER.DAT.

2) Log in as administrator on this machine. Physically DISCONNECT the
computer from the network. Otherwise regedt32 dumps core when it tries
to read the user names from the SAMBA PDC. Now you just have to wait for a
timeout and get an ignorable error message about a missing and incomplete
user list :-)

3) Use regedt32 to load a new structure from each NTUSER.DAT of all
your users. For each structure delete the "unknown user" in the
security information. Now add "everybody" with full permissions for
the complete tree to each profile. Once this is finished, unload all
structures and close regedt32.

4) Reconnect the computer to the network. Copy recursively all
directories from c:\winnt\profiles\$USER\ containing the modified
profiles to your server, e.g. to /tmp/new-profiles/$USER/.

5) Telnet into your server, where all profiles are stored, and become root.
For each of your users you'll have to copy the new profile to the profile
directory for this user AS this user, to get the UNIX ownership and
permissions right.

su root with root password

For each user do:

    su - $USER                                  (you won't need a password here)
    cd path-to-profile-directory-for-this-user  (might be ~/profile)
    cp -r /tmp/new-profiles/$USER/* .           (cp -r copies all files recursively)
    logout

While you do all the copying back, your users should not be logged in.
Otherwise the fixed profile will be overwritten by a broken one
when the user logs out at the other NT machine.

Tedious, but this will keep all your users happier, because they won't
lose their customisations for WinWord, the desktop, ....
Hope this helps a little bit.

But there is definitely a problem: all the profiles are now world-readable
and -writable in the sense NT uses the access rights to a profile.

Werner
------------------------------------------------------------------------------
Werner Gaubatz                        Tel: +49 (89) 289 12182
FRM-II Bau                            Fax: +49 (89) 289 12112
Technische Universität München          mailto:gaubatz at physik.tu-muenchen.de
D-85747 Garching /  Germany           http://www.frm2.tu-muenchen.de
------------------------------------------------------------------------------



More information about the samba-ntdom mailing list