[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 8 14:55:54 MST 2014


On 08/12/14 21:42, Denis BUCHER wrote:
>   
>
> Le 08.12.2014 21:06, Marc Muehlfeld a écrit :
>
>> Hello Denis,
>>
>> Am 08.12.2014 um 20:25 schrieb (lists) Denis BUCHER:
>>
>>> We have perfectly working roaming profiles on Samba 3.3.10 (SuSE) with Windows 7 clients. We configured our new server with same domain name, Samba 4.1.11 (Debian). On the new server, for newly created profiles, it works perfectly, we can login, logout, profiles are created and saved. But if we want to copy an existing profile from current server to the new one, it's impossible to login, we get the following error : "Group policy client service failed. The logon access is denied".
>> How are the IDs mapped on both servers? Do the users/groups have the
>> same IDs on both machines? E. g. if you store them in your AD / PDC
>> backend and retrive them on the fileserver, then you should be able to
>> simply copy the profiles and preserve the file permissions.
> Yes, users have the same name. User "dbucher" is still "dbucher" on the
> new server and files have their ownership and rights preserved.
>
>> If you used a local ID mapping on the old server, you have to transfer the idmapping DB, to keep UIDs/GIDs.
> Yes, no problem on this side. But the problem seems to be with Windows
> SID.
>
> Denis
>
>> Regards, Marc
>   
Hi, It sounds very much like a SID problem to me.

the user 'Fred' with the SID-RID 
'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same 
user as 'Fred' with the SID-RID 
'S-1-5-21-2025076216-3455336656-3842161122-1005'

You need to change the domain SID on the new PDC to match the SID on the 
windows machines.

Rowland


More information about the samba mailing list