[Samba] Profiles change when migrating from NT4 to Samba PDC

Fri Oct 14 01:35:38 GMT 2005

Craig White wrote:

>On Mon, 2005-10-10 at 12:47 -0500, Philip Washington wrote:
>  
>
>>Philip Washington wrote:
>>
>>    
>>
>>>Craig White wrote:
>>>
>>>      
>>>
>>>>On Fri, 2005-10-07 at 17:52 -0700, Craig White wrote:
>>>> 
>>>>
>>>>        
>>>>
>>>>>On Fri, 2005-10-07 at 19:22 -0500, Philip Washington wrote:
>>>>>  
>>>>>
>>>>>          
>>>>>
>>>>>>After migration of an NT4 domain to Samba we find that when users 
>>>>>>log in they have a new profile.  Since we cannot deal with this on 
>>>>>>all of the computers with all of the users we have had to stop the 
>>>>>>migration.
>>>>>>I have searched through the archive and not been able to find any 
>>>>>>answers to this issue,  I did find a relevant article though and 
>>>>>>apparently they didn't have an answer in 2002. 
>>>>>>http://lists.samba.org/archive/samba/2002-August/050163.html
>>>>>>Has anyone found a way to resolve this?
>>>>>>We are not using roaming profiles.
>>>>>>    
>>>>>>            
>>>>>>
>>>>>----
>>>>>I am hoping that you really aren't looking for wild speculation as to
>>>>>what may be the problem. Some things that you should consider sharing
>>>>>with us so that we might be able to make a useful suggestion...
>>>>>
>>>>>samba version ?
>>>>>
>>>>>SID ? 'net getlocalsid' does this match the SID of the domain that the
>>>>>machines that were already joined to the domain? Did you actually 'net
>>>>>setlocalsid' to match?
>>>>>
>>>>>from your smb.conf
>>>>>passdb ?
>>>>>logon path = ?
>>>>>security = ?
>>>>>domain logons = ?
>>>>>domain master = ?
>>>>>preferred master = ?
>>>>>
>>>>>If we took an example of one or two users who had a problem with their
>>>>>profiles...what's output of things like
>>>>>
>>>>>pdbedit -L USER_NAME ?
>>>>>
>>>>>does the profile path actually work? Is it reachable from a Windows
>>>>>system?
>>>>>privileges on profile server permit access?
>>>>>
>>>>>otherwise, I would just say that you're having a bad day.
>>>>>
>>>>>  
>>>>>          
>>>>>
>>>>----
>>>>I should have pointed out...
>>>>
>>>>logon path =
>>>>
>>>>(that's right - blank) prevents roaming profiles
>>>>
>>>>and perhaps, because I am not very smart and was trying to populate LDAP
>>>>with which I was pretty unfamiliar, I had to run through the vampire
>>>>process a lot of times before I got everything working the way I wanted
>>>>it. My second time doing the vampire thing to LDAP was considerably
>>>>easier. Even though the documentation was excellent, the devil is in the
>>>>details.
>>>>
>>>>Craig
>>>>
>>>>
>>>> 
>>>>
>>>>        
>>>>
>>>We had spent 3 days on it and got it to work without the roaming 
>>>profiles ( Using Ch 8 from Samba-3 by Example and help here).  It 
>>>sounds like we went through some of the same issues with vampire, but 
>>>it looked like we had it working with our test system.
>>>We had a test machine MACHINE1 in  NT4 DOMAINA.
>>>We transfered DOMAINA over to a SambaPDC-with LDAP.
>>>Moved MACHINE1 over to the test environment with a SambaPDC-with 
>>>LDAP.  Logged in TESTUSER1 everything looked fine, no roaming profile 
>>>(we did a jig and jumped for joy ).
>>>We then moved MACHINE2 over to the test environment logged in 
>>>TESTUSER1 (we had transfered TESTUSER1 from the original NT4 domain).  
>>>We then logged in USER2 which was the primary user for this computer 
>>>when it was in the NT4 domain.  That was when we found out that 
>>>Outlook treated the user as someone completely different, as well as 
>>>other programs on the machine, the desktop was completely changed to 
>>>default. After spending another day on it we had to move on, but we 
>>>are now willing to try again from scratch.
>>>
>>>Did  we still have something wrong?  Has/does this work with the 
>>>latest version?
>>>
>>>Goal 1: is USER1 on MACHINE1 can log into the system and not tell that 
>>>something has changed (Namely there is a different PDC platform).
>>>Goal 2: The IT department doesn't have to write a bunch of scripts to 
>>>move profile information on each computer.
>>>
>>>Is this possible, because I was of the impression that once we 
>>>finished the client MACHINE1 and user USER1 wouldn't know or act any 
>>>differently when logging into NT4 as the PDC vs logging into the 
>>>transfered DOMAINA on the Samba-LDAP PDC.
>>>
>>>      
>>>
>----
>in all fairness, I have let this go because you didn't answer any of the
>questions that I asked. I'm not sure why anyone else didn't follow up
>but perhaps they were thinking along the same lines that I was.
>
>In light of no reply, you might consider starting over, and rephrasing
>your questions.
>
>In short, I had absolutely no problems with migrating users from NT PDC
>to Samba PDC but I have always used LDAP as backend for the migration
>and roaming profiles.
>
>Craig
>
>
>  
>
Okay, I appear to have it working now. 
The first time it didn't work because we were using the old version of 
Samba3-by Examples.
The second time it didn't work because we may, may (stressed) have done 
something wrong or it may have been because we were using samba-3.0.10.
Today we recompiled from Fedora samba-3.0.20b to a RHEL4 system, because 
the new version of Samba3-by Examples is based on this book.   We went 
through everything as shown in Chapter 9.  The only difference was 
'logon path = ', so we didn't have roaming profiles (And of course our 
domain and computer names were different).   So  far we have pulled 3 
computers from our original domain and not seen any problems. Users 
login and they get there original profile.
The only difference I saw between what was in the directions and what I 
actually saw was that when you do the  'getent  passwd' and 'getent 
group' the delimiters +::0:: were not there.We pressed on to see what 
would happen and so far it appears to be working.
Next is the member servers to see how well they do (We have 2 which are 
using winbind).

Hope this helps someone else and I appreciate the help I was given here.