[Samba] Profiles change when migrating from NT4 to Samba PDC
Philip Washington
phwashington at comcast.net
Fri Oct 14 20:11:50 GMT 2005
Philip Washington wrote:
> Craig White wrote:
>
>> On Mon, 2005-10-10 at 12:47 -0500, Philip Washington wrote:
>>
>>> Philip Washington wrote:
>>>
>>>> Craig White wrote:
>>>>
>>>>> On Fri, 2005-10-07 at 17:52 -0700, Craig White wrote:
>>>>>
>>>>>> On Fri, 2005-10-07 at 19:22 -0500, Philip Washington wrote:
>>>>>>
>>>>>>> After migration of an NT4 domain to Samba we find that when
>>>>>>> users log in they have a new profile. Since we cannot deal with
>>>>>>> this on all of the computers with all of the users we have had
>>>>>>> to stop the migration.
>>>>>>> I have searched through the archive and not been able to find
>>>>>>> any answers to this issue, I did find a relevant article though
>>>>>>> and apparently they didn't have an answer in 2002.
>>>>>>> http://lists.samba.org/archive/samba/2002-August/050163.html
>>>>>>> Has anyone found a way to resolve this?
>>>>>>> We are not using roaming profiles.
>>>>>>>
>>>>>>
>>>>>> ----
>>>>>> I am hoping that you really aren't looking for wild speculation as to
>>>>>> what may be the problem. Some things that you should consider sharing
>>>>>> with us so that we might be able to make a useful suggestion...
>>>>>>
>>>>>> samba version ?
>>>>>>
>>>>>> SID ? 'net getlocalsid' does this match the SID of the domain that the
>>>>>> machines that were already joined to the domain? Did you actually 'net
>>>>>> setlocalsid' to match?
>>>>>>
>>>>>> from your smb.conf
>>>>>> passdb ?
>>>>>> logon path = ?
>>>>>> security = ?
>>>>>> domain logons = ?
>>>>>> domain master = ?
>>>>>> preferred master = ?
>>>>>>
>>>>>> If we took an example of one or two users who had a problem with their
>>>>>> profiles...what's output of things like
>>>>>>
>>>>>> pdbedit -L USER_NAME ?
>>>>>>
>>>>>> does the profile path actually work? Is it reachable from a Windows
>>>>>> system?
>>>>>> privileges on profile server permit access?
>>>>>>
>>>>>> otherwise, I would just say that you're having a bad day.
>>>>>>
>>>>>
>>>>> ----
>>>>> I should have pointed out...
>>>>>
>>>>> logon path =
>>>>>
>>>>> (that's right - blank) prevents roaming profiles
>>>>>
>>>>> and perhaps, because I am not very smart and was trying to populate LDAP
>>>>> with which I was pretty unfamiliar, I had to run through the vampire
>>>>> process a lot of times before I got everything working the way I wanted
>>>>> it. My second time doing the vampire thing to LDAP was considerably
>>>>> easier. Even though the documentation was excellent, the devil is in the
>>>>> details.
>>>>>
>>>>> Craig
>>>>>
>>>>
>>>> We had spent 3 days on it and got it to work without the roaming
>>>> profiles ( Using Ch 8 from Samba-3 by Example and help here). It
>>>> sounds like we went through some of the same issues with vampire,
>>>> but it looked like we had it working with our test system.
>>>> We had a test machine MACHINE1 in NT4 DOMAINA.
>>>> We transferred DOMAINA over to a SambaPDC-with LDAP.
>>>> Moved MACHINE1 over to the test environment with a SambaPDC-with
>>>> LDAP. Logged in TESTUSER1 everything looked fine, no roaming
>>>> profile (we did a jig and jumped for joy ).
>>>> We then moved MACHINE2 over to the test environment logged in
>>>> TESTUSER1 (we had transferred TESTUSER1 from the original NT4
>>>> domain). We then logged in USER2 which was the primary user for
>>>> this computer when it was in the NT4 domain. That was when we
>>>> found out that Outlook treated the user as someone completely
>>>> different, as well as other programs on the machine, the desktop
>>>> was completely changed to default. After spending another day on it
>>>> we had to move on, but we are now willing to try again from scratch.
>>>>
>>>> Did we still have something wrong? Has/does this work with the
>>>> latest version?
>>>>
>>>> Goal 1: USER1 on MACHINE1 can log into the system and not tell
>>>> that something has changed (Namely there is a different PDC platform).
>>>> Goal 2: The IT department doesn't have to write a bunch of scripts
>>>> to move profile information on each computer.
>>>>
>>>> Is this possible, because I was of the impression that once we
>>>> finished the client MACHINE1 and user USER1 wouldn't know or act
>>>> any differently when logging into NT4 as the PDC vs logging into
>>>> the transferred DOMAINA on the Samba-LDAP PDC.
>>>>
>>>
>> ----
>> in all fairness, I have let this go because you didn't answer any of the
>> questions that I asked. I'm not sure why anyone else didn't follow up
>> but perhaps they were thinking along the same lines that I was.
>>
>> In light of no reply, you might consider starting over, and rephrasing
>> your questions.
>>
>> In short, I had absolutely no problems with migrating users from NT PDC
>> to Samba PDC but I have always used LDAP as backend for the migration
>> and roaming profiles.
>>
>> Craig
>>
> Okay, I appear to have it working now. The first time it didn't work
> because we were using the old version of Samba3-by Examples.
> The second time it didn't work because we may, may (stressed) have
> done something wrong or it may have been because we were using
> samba-3.0.10.
> Today we recompiled from Fedora samba-3.0.20b to a RHEL4 system,
> because the new version of Samba3-by Examples is based on this book.
> We went through everything as shown in Chapter 9. The only difference
> was 'logon path = ', so we didn't have roaming profiles (And of course
> our domain and computer names were different). So far we have
> pulled 3 computers from our original domain and not seen any problems.
> Users login and they get their original profile.
> The only difference I saw between what was in the directions and what
> I actually saw was that when you do the 'getent passwd' and 'getent
> group' the delimiters +::0:: were not there. We pressed on to see what
> would happen and so far it appears to be working.
> Next is the member servers to see how well they do (We have 2 which
> are using winbind).
>
> Hope this helps someone else and I appreciate the help I was given here.
Okay I was a bit premature, we are now getting timeout errors on ldap
and when I run
smbclient -L //SAMBAPDC
I get session timeout.
This worked last night and the computers were on an isolated network in
a locked lab. Don't understand what happened overnight.
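
Added example, not part of the original thread: a small Python script that pulls the `[global]` settings asked for in the quoted checklist out of an smb.conf, so they can be posted together. It distinguishes an explicitly blank `logon path =` (roaming profiles off, as described above) from an unset one, which falls back to Samba's built-in default instead. The sample configuration is constructed, and `passdb backend` is assumed to be the parameter meant by "passdb".

```python
# Added example: report the smb.conf [global] settings asked for in the thread.
ASKED = ["passdb backend", "logon path", "security",
         "domain logons", "domain master", "preferred master"]

# Constructed sample, not the poster's real configuration.
SAMPLE = r"""
[global]
   workgroup = DOMAINA
   passdb backend = ldapsam:ldap://localhost
   Domain Logons = Yes
   domain master = yes
   ; logon path = \\%L\profiles\%U
   logon path =
   security = user

[homes]
   logon path = ignored, not in [global]
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return "".join(name.split()).lower()

def global_params(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def report(text):
    """Map each asked-for parameter to its value or a note on its state."""
    params, out = global_params(text), {}
    for name in ASKED:
        value = params.get(norm(name))
        if value is None:
            out[name] = "(not set, Samba default applies)"
        elif name == "logon path" and value == "":
            out[name] = "(blank: roaming profiles off)"
        else:
            out[name] = value
    return out

if __name__ == "__main__":
    for name, value in report(SAMPLE).items():
        print(f"{name:18} = {value}")
```
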