[Samba] Moving user accounts from a domain to another - and changing their logins
fg at one2team.com
Sun Jun 24 12:09:37 GMT 2007
I have two domains, let's call them D1 and D2.
- heavily modified, cumbersome, Linux RH 7.3 based,
- samba 2.2 based,
- using the old LDAP samba schema,
- implementing Unix services/Windows logon SSO via the means of the LDAP
schema with Kerberos added in the picture.
- stock, clean Linux RHEL4 based,
- Samba 3.0.11 based,
- using the newer Samba SAM LDAP schema, managed with smbldap-tools,
- void of Kerberos (yay!) since LDAP now handles Unix auth.
Both domains work fine. But D1 is frankly a mess, and I want to migrate
everything to D2. That implies not only moving D1 accounts to D2, but also
changing the login names, since we now have a naming convention which didn't
exist before. Keeping the passwords of existing accounts, however, is NOT
Bare copying of user profiles and appropriate chowning don't work. That was
kind of expected, of course, but I thought the differences would be minor.
Hah! On the new domain, the keyboard turns QWERTY, Outlook just won't start
at all (for people still using Outlook, but as they're important to the
company, I cannot squash the problem and say "Use Thunderbird"), some desktop
preferences are just lost, the XP start menu is a mess... So, this is not the
I don't know that much about Windows accounts, but one thing I learned is that
the SID is hugely important. As some directories/files are named after the
SID in a user's profile, I figure that they are part of the problem, if not
the main problem.
I've googled quite a bit on the subject but maybe not with the correct
vocabulary, because I couldn't find a procedure for my case. What I found out
* you could copy over a domain user profile to a local user profile with some
hacking around (local account needs admin rights in the first place, etc),
but then it isn't said in the documents I read how to copy that local user
profile to a(nother!) domain user profile afterwards;
* there's also a trust domain relationship that sounds kind of promising, but
I don't know how I could slurp the data from the old domain into the
new, nor how I can rename the account after I've slurped it (I think
modifying the account DN and other fields won't be enough).
Where should I start looking? Is there already a document somewhere covering
[As a side note, I've salvaged all the Samba ML archives from
http://lists.samba.org/archive/samba/ and tried and integrated them in an
mbox based mailserver (Dovecot) but the files don't look like valid mboxes!]
Francis Galiegue, fg at one2team.com
One2team - 12bis rue de la Pierre Levée - 75011 PARIS