[Samba] Problems when migrating from an old machine to a new one.

L.P.H. van Belle belle at bazuin.nl
Tue Dec 2 15:47:22 GMT 2008


Why don't you give the new PDC the same SID as the old domain then?
On OLD-PDC:
net getlocalsid <domain>

On new PDC:
net setlocalsid SID

Good luck.


>-----Original message-----
>From: BOURIAUD David [mailto:david.bouriaud at ac-rouen.fr]
>Sent: Tuesday 2 December 2008 16:22
>To: L.P.H. van Belle
>Subject: Re: [Samba] Problems when migrating from an old machine to a new one.
>
>On Tuesday 02 December 2008, you wrote:
>
>Hi !
>Thanks for your quick help. I've checked all you've said, but 
>everything is as 
>you expect it to be.
>
>Here are different elements of my setup :
>smb.conf contains :
>
>  preferred master = True
>  domain master = True
>  logon path = \\%L\profiles\%U
>  logon drive = P:
>  nt acl support = Yes
>  profile acls = Yes
>  passdb backend = ldapsam:ldap://ldap.server.adress/
>  ldap passwd sync = Yes
>
>[profiles]
>        path = /smbhome/profiles/
>        read only = No
>        store dos attributes = Yes
>        browseable = No
>        writeable = Yes
>        create mask = 0600
>        directory mask = 0700
>        guest ok = no
>        printable = no
>        hide files = /desktop.ini
>
>[profile]
>        path = /smbhome/profiles/%U
>        browseable = Yes
>        writeable = Yes
>        create mask = 0700
>        directory mask = 0700
>
>This should be sufficient and working. The fact is that I rsync the profiles
>from the old machine to the new one, and do a chown/chmod afterward, but
>consider that the previous PDC (let's call it OLD-PDC) has a SID (called
>OLD-SID) and the new PDC (let's call it NEW-PDC) has a new SID (called
>NEW-SID).
>If I'm not mistaken, what I want to do can't be accomplished with a poor rsync
>between these machines, because when I pick up the profile on OLD-PDC and copy
>all the files in /smbhome/profiles/user/, the file named NTUSER.DAT contains
>references to OLD-SID. I've tried to change its content with the command
>I explained in my previous mail: profiles -c OLD-SID -n NEW-SID NTUSER.DAT
>but it doesn't work.
>Indeed, if I check everything after having copied NTUSER.DAT.new over
>NTUSER.DAT, with profiles -v NTUSER.DAT | grep OLD-SID, I still find entries
>in it.
>So, I guess that the command I type in is not enough.
>You're right, this has to do with file rights, but not on the filesystem
>itself. So far as I understand what's involved in the authentication
>process.
>This is hard to guess, because even with a lot of verbosity in log files (I've
>tried out log level = 10 in smb.conf), the error isn't shown.
>And on the workstation, the domain user isn't allowed to view the
>security log file.
>I'm stuck at this point and don't know how to solve it...
>
>> Hi,
>>
>> after you've moved your profile folder,
>> check every right.
>> set 777 on profile itself.
>> set create right to 700 for every new folder in the profiles share.
>> check your users' profile folder rights.
>>
>> sorry but this is a permission problem.
>>
>> my profiles share.
>> [profiles]
>>         path = /home/samba/profiles
>>         comment = Profiles
>>         read only = no
>>         create mask = 0600
>>         directory mask = 0700
>>         browseable = Yes
>>         guest ok = Yes
>>         csc policy = disable
>>         force user = %U
>>         valid users = %U @"Domain Admins"
>>
>> /home/samba/profiles has 777 as right.
>>
>> when this is done, correct your users profiles
>>
>> cd /home/samba/profiles
>> for x in *;
>> do
>> chown -R "$x":"Domain Users" "$x"
>> chmod -R 700 "$x"
>> done
>>
>> this should do it.
>>
>
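
Added example (not part of the original thread, and not Samba code): a Python check that searches raw hive bytes, such as the contents of NTUSER.DAT, for account SIDs belonging to a given domain SID, using the binary SID layout Windows stores in security descriptors. The SIDs and the byte blob below are constructed sample values; `sid_to_bytes` and `find_domain_sids` are hypothetical helper names.

```python
import re
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID ('S-1-5-21-...') in its on-disk binary layout."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    rev, auth = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3)[1:].split("-")]
    # Layout: revision byte, sub-authority count byte, 48-bit big-endian
    # identifier authority, then each sub-authority as little-endian uint32.
    return (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def find_domain_sids(blob: bytes, domain_sid: str) -> list[tuple[int, str]]:
    """Return (offset, SID) for each account SID (domain SID + RID) in blob."""
    dom = sid_to_bytes(domain_sid)
    # An account SID carries one more sub-authority (the RID) than the domain
    # SID, so its count byte is higher by one; searching for the encoded
    # domain SID as-is would never match an account SID.
    needle = bytes([dom[0], dom[1] + 1]) + dom[2:]
    hits = []
    pos = blob.find(needle)
    while pos != -1:
        end = pos + len(needle)
        if end + 4 <= len(blob):  # skip a match truncated before its RID
            rid = struct.unpack_from("<I", blob, end)[0]
            hits.append((pos, f"{domain_sid}-{rid}"))
        pos = blob.find(needle, pos + 1)
    return hits


# Constructed sample values standing in for OLD-SID, NEW-SID and a hive.
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_SID = "S-1-5-21-4000000001-4000000002-4000000003"
SAMPLE = (b"\x00" * 16 + sid_to_bytes(OLD_SID + "-1001") + b"regf-padding"
          + sid_to_bytes(OLD_SID + "-513") + sid_to_bytes(NEW_SID + "-1001"))

if __name__ == "__main__":
    for offset, sid in find_domain_sids(SAMPLE, OLD_SID):
        print(f"0x{offset:04x}  {sid}")
```

To check a real profile, pass the bytes read from a copy of NTUSER.DAT in place of `SAMPLE`; an empty result for the old domain SID means no account SID of that domain remains in the file.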


