[Samba] 'profiles' command with WinXP Profiles

John H Terpstra jht at primastasys.com
Tue Mar 8 22:34:36 GMT 2005


On Friday 04 March 2005 08:59, Misty Stanley-Jones wrote:
> Hi all,
>
> I have gotten the 'profiles' command to work for NT and Win2K profiles very
> well.  In Windows XP, I am able to change the 'owner' but not the 'group'
> SID.  It gives no errors but it just doesn't change them.  A snippet of the
> profile in question is below:
>
> furnsrv:/data/samba/profiles/jon # profiles NTUSER.DAT |grep S-1-5
>   Owner SID: S-1-5-32-544
>   Group SID: S-1-5-21-2127521184-1604012920-1887927527-513
>       Perms: 000F003F, SID: S-1-5-18
>       Perms: 000F003F, SID: S-1-5-32-544
>       Perms: 10000000, SID: S-1-5-18
>       Perms: 10000000, SID: S-1-5-32-544
>   Owner SID: S-1-5-32-544
>   Group SID: S-1-5-21-1505131970-119759924-475665672-513
>       Perms: 000F003F, SID: S-1-5-18
>       Perms: 000F003F, SID: S-1-5-32-544
>       Perms: 10000000, SID: S-1-5-18
>       Perms: 10000000, SID: S-1-5-32-544
>   Owner SID: S-1-5-21-725326080-1709766072-2910717368-2060
>   Group SID: S-1-5-21-383998039-2845272951-4289691644-2061
>       Perms: 000F003F, SID:
>       Perms: 10000000, SID: S-1-5-18
>       Perms: 000F003F, SID: S-1-5-32-544
>       Perms: 10000000, SID: S-1-5-32-544
>   Owner SID: S-1-5-32-544
>
> Not only are the groups all wrong, but I don't even know where most of the
> SIDs in there came from.  The S-1-5-21-383998039-2845272951-4289691644-2061
> is from the old domain.  The others I haven't a clue.  Anyway, if I use the
> following syntax:
>
> profiles -c S-1-5-21-383998039-2845272951-4289691644-2061 -n
> S-1-5-21-725326080-1709766072-2910717368-513 /path/to/NTUSER.DAT
>
> I get no errors, but the SID doesn't really change.  The user gets "access
> denied" trying to load his profile.
>
> I would rather not have to redo this user's profile, so if anyone can give
> me some wisdom it would be great.  I did read in the man page for
> 'profiles' that only NT is supported, but I am hoping there might be a
> workaround.

You can log onto a workstation as the domain administrator (probably 'root' on  
your domain) and then start up regedt32. Then load the NTUser.DAT file as a 
branch off the HKLM hive. You can now edit the contents of the NTUser.DAT 
file to your heart's content. My advice would be to replace the foreign SIDs 
with your domain SID. You could make an intelligent guess as to what group 
the user previously belonged to and change the RID part of the SID to match 
the RID of the group in your Samba DC environment. You can get this by 
runnning: net groupmap list

PS: When you have finished editting the NTUser.DAT hive do not forget to 
unload it. Unloading will write the changes back to the NTUser.DAT file.

Hope that helps.

- John T.
-- 
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.


More information about the samba mailing list