[Samba] migrate profile from an old server to a new one - SID and ntuser.dat problem

christoph empl m_itch_de at yahoo.de
Wed Dec 7 11:35:53 GMT 2005


Hello,

I think that my problem is getting smaller, but still not small enough.
In between, I reinstalled samba. Now I have the correct sid for the
server and domain, and my users have correct sids (see below), the
server-, netbios and domainname are the same as on the old server, I
preserved the uids and gids of the old server, actually I copied the
passwd, shadow, smbpasswd on the new server.
But the problem is still: when I log onto a workstation as a user, his
old settings from the old server are lost. He gets the desktop and
whole settings of the default user. There is no clue in the logs why
the user has (obviously) no access to his ntuser.dat.


==================

wap-samba:/ # net getlocalsid SAMBA
SID for domain SAMBA is: S-1-5-21-918075609-1705896514-2904333612

==================

wap-samba:/ # pdbedit -Lv empl
Unix username:        empl
NT username:
Account Flags:        [UX         ]
User SID:             S-1-5-21-918075609-1705896514-2904333612-22120
Primary Group SID:    S-1-5-21-918075609-1705896514-2904333612-1203
Full Name:            Empl Christoph
Home Directory:       \\samba\empl
HomeDir Drive:
Logon Script:
Profile Path:         \\samba\empl\profile
Domain:               SAMBA
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          9223372036854775807 seconds since the Epoch
Kickoff time:         9223372036854775807 seconds since the Epoch
Password last set:    Tue, 06 Dec 2005 16:49:42 GMT
Password can change:  Tue, 06 Dec 2005 16:49:42 GMT
Password must change: 9223372036854775807 seconds since the Epoch
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

=========================

[2005/12/07 12:19:15, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [empl] -> [empl] -> [empl] succeeded
[2005/12/07 12:19:15, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [empl] -> [empl] -> [empl] succeeded
[2005/12/07 12:19:15, 1] smbd/service.c:make_connection_snum(647)
  celsius01 (129.187.97.131) connect to service empl initially as user empl (uid=10560, gid=101) (pid 4701)
[2005/12/07 12:19:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain SAMBA -> S-1-5-21-918075609-1705896514-2904333612
[2005/12/07 12:19:15, 2] smbd/open.c:open_file(245)
  empl opened file profile/NTUSER.DAT read=Yes write=No (numopen=1)
[2005/12/07 12:19:15, 2] smbd/open.c:open_file(245)
  empl opened file profile/ntuser.ini read=Yes write=No (numopen=2)
[2005/12/07 12:19:16, 2] smbd/close.c:close_normal_file(270)
  empl closed file profile/ntuser.ini (numopen=1)
[2005/12/07 12:19:16, 2] smbd/open.c:open_file(245)
  empl opened file profile/ntuser.ini read=Yes write=No (numopen=2)
[2005/12/07 12:19:16, 2] smbd/open.c:open_file(245)
  empl opened file profile/ntuser.pol read=Yes write=No (numopen=3)
[2005/12/07 12:19:16, 2] smbd/close.c:close_normal_file(270)
  empl closed file profile/NTUSER.DAT (numopen=2)
[2005/12/07 12:19:16, 2] smbd/open.c:open_file(245)
  empl opened file profile/NTUSER.DAT read=Yes write=No (numopen=3)
[2005/12/07 12:19:17, 2] smbd/open.c:open_file(245)
  empl opened file profile/NTUSER.DAT.LOG read=Yes write=No (numopen=4)
[2005/12/07 12:19:23, 2] smbd/open.c:open_file(245)
  empl opened file profile/.fonts.cache-1 read=Yes write=No (numopen=5)
[2005/12/07 12:19:23, 2] smbd/open.c:open_file(245)


thanks for your answers, Christoph



Hi,

thank you for your quick answer...

Sorry, I forgot to tell you that I replaced the sid of the new server
with the sid of the old server.
But then I have the problem that the user sid (and gid) are structured
like this: old-sid-from-the-new-server-uid and not
sid-from-the-old-server-uid (the head of the users sid consists of the
sid from the new server, the one that I replaced with the sid of the
old server). So the users don't have access rights to their profiles,
because they don't have their original sids.

thank you, Christoph

Christoph,

Your problem is that while having a new server, by default you have a
new server SID. The problem is that you want to manage users who own
SIDs from your 2.2 server. As we can't imagine losing all user
profiles, you have to set the 2.2 samba server SID on your 3.0 samba
server.

This is a common migration problem.

What you must do is:

1) On Samba 2.2: pick your 2.2 server SID

smbpasswd -X {your_domain}

This will give you a string like this one:

SID for domain mydomain is: S-1-5-21-1547254743-587533270-2928086249


2) On Samba 3.0: setting 3.0 SID with SID picked on 2.2

Save the current 3.0 SID for eventual recovery needs:

net getlocalsid > file_to_save_3.0_SID

Set 2.2 SID on 3.0 PDC like this:

net setlocalsid S-1-5-21-1547254743-587533270-2928086249

Restart samba and I think things should go better.

Regards,

Pierre

christoph empl wrote:
> Hi,
>
> I did the change according to your guideline, but I don't know how I
> can preserve the sids and gids of the users. I am working with exactly
> the same uids and gids as on the old server, I have changed the sid of
> the server (is it a problem that "net getlocalsid" shows another sid
> than "net getlocalsid domainname"?), but the user sids differ from the
> user sids from the old server. Is it a solution to change all sids in
> each ntuser.dat to the new value?
> Is it possible that the mistake is that I have to give the new server
> a different hostname (routing and testing reason), or why isn't it
> enough to change its sid with "net setlocalsid oldSID"?
>
> thank you very much, Christoph
>
>
> On Wednesday 30 November 2005 09:49, christoph empl wrote:
>> Hi,
>>
>> my problem is the following:
>> I am trying to replace an old SUSE 8.2, Samba 2.2 domain controller
>> with a SUSE 9.3 system with samba 3.0 as PDC.
>> Everything works fine, I can join the new domain, I replaced the
>> machine and domain sid from the new server with the old ones.
>
> I hope you followed the guidance documented in chapter 8 of my book
> "Samba-3 by Example, second edition". This book is available from
> Amazon.Com in printed form, or if you want PDF you can obtain it from:
>
> http://www.samba.org/samba/docs/Samba3-ByExample.pdf
>
>> But how can I reuse the profiles from the old machine at the new one?
>> If I make a simple remote copy, the settings of the users are lost, I
>> miss my german keyboard layout and so on.
>
> On the old machine:
>
> 	cd /var/lib/samba
> 	rsync -ave ssh profiles newmachine:/var/lib/samba
>
>> I think that this is a problem regarding the sids of the users. How
>> can I find out the sids from the old machine and how can I replace
>> the new ones with the old ones on the new server?
>
> You must preserve the uids and gids - see chapter 8 referred to above.
>
>> I tried to do it with "pdbedit -u username -G oldSID" (I retrieved
>> the old SID from the logs, but I don't know how to generally get it),
>> but it obviously isn't changed, because "pdbedit -Lv username" still
>> shows the old SID.
>
> - John T.
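
Added example, not part of the original thread: a check that the SIDs `pdbedit -Lv` reports for an account carry the expected domain SID and that their RIDs follow from the preserved uid and gid. It assumes Samba's algorithmic RID mapping (user RID = uid*2 + base, group RID = gid*2 + base + 1, base 1000 by default) with no explicit group mapping; the function names are illustrative and the sample input is constructed from the values shown in this thread.

```python
import re

# Constructed sample: values copied from the pdbedit and log output in this thread.
DOMAIN_SID = "S-1-5-21-918075609-1705896514-2904333612"
PDBEDIT_OUTPUT = """\
Unix username:        empl
User SID:             S-1-5-21-918075609-1705896514-2904333612-22120
Primary Group SID:    S-1-5-21-918075609-1705896514-2904333612-1203
"""
RID_BASE = 1000  # assumption: default "algorithmic rid base" in smb.conf

def split_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    if not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def parse_pdbedit(text):
    """Turn the 'Key: value' lines of pdbedit -Lv output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_account(pdbedit_text, domain_sid, uid, gid, rid_base=RID_BASE):
    """Return a list of mismatches between the account's SIDs and expectations."""
    fields = parse_pdbedit(pdbedit_text)
    expected = {"User SID": uid * 2 + rid_base,
                "Primary Group SID": gid * 2 + rid_base + 1}
    problems = []
    for label, want_rid in expected.items():
        try:
            domain, rid = split_sid(fields.get(label, ""))
        except ValueError as err:
            problems.append(f"{label}: {err}")
            continue
        if domain != domain_sid:
            problems.append(f"{label}: domain part {domain} is not {domain_sid}")
        if rid != want_rid:
            problems.append(f"{label}: RID {rid}, algorithmic mapping gives {want_rid}")
    return problems

if __name__ == "__main__":
    # uid=10560 and gid=101 are the values smbd logged for user empl.
    print(check_account(PDBEDIT_OUTPUT, DOMAIN_SID, uid=10560, gid=101) or "consistent")
```

An empty result means the account SIDs are built from the given domain SID and the preserved uid and gid; running the same check against the old server's domain SID shows at a glance whether the user SIDs were regenerated under a different domain prefix.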