[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")

Denis BUCHER dbucherml at hsolutions.ch
Tue Dec 9 09:27:59 MST 2014


Dear Rowland, 

On 09.12.2014 12:41, Rowland Penny wrote:

> On 09/12/14 11:22, Denis BUCHER wrote:
>> Dear Marc, Dear Rowland,
>>
>> On 08.12.2014 23:01, Marc Muehlfeld wrote:
>>> On 08.12.2014 at 22:55, Rowland Penny wrote:
>>>> Hi,
>>>>
>>>> It sounds very much like a SID problem to me.
>>>>
>>>> the user 'Fred' with the SID-RID
>>>> 'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the
>>>> same user as 'Fred' with the SID-RID
>>>> 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>>>>
>>>> You need to change the domain SID on the new PDC to match the SID
>>>> on the windows machines.
>>>
>>> Denis, is this a _new domain_ (with the same name)? Or just a _new
>>> server_ where you placed the profiles.
>>>
>>> If it's a _new domain_, then Rowland is surely right and it is an SID
>>> problem. But you talked about a _new server_. Please be more clear
>>> about your environment.
>>>
>>> Regards,
>>> Marc
>>
>> Yes, you're right, I must clarify a little more on this point: You were
>> right, what we *WANT* to do is simply to replace the old PDC under Samba
>> 3 by the new PDC under Samba 4. (Simply a new server). But what we
>> *DID*, is in fact to configure a _new domain_ with the same name.
>> Therefore, I agree that the problem is SID related, and if I
>> understand you correctly, this is the wrong way to do it! We should
>> instead configure a new server with same domain, right?
>>
>> Thank you very much for your appreciated help,
>> Best regards,
>> Denis

> OK, If you just want to have a new replacement PDC, you need to:
>
> A) Install your OS of choice
> B) Install samba4
> C) Get the Domain SID from your old PDC
> D) Use your old smb.conf as a template for your new one, checking that
> all the old lines are still valid, refer to 'man smb.conf'. If you have
> a 'socket options' line in your old conf file, remove it, you are
> likely to be making things worse.
> E) run 'net setdomainsid <SID YOU GOT EARLIER>'
> F) start smbd, nmbd & winbind
>
> If it is possible, use the same IP address & hostname of the old server
> for the new server.


Thanks a lot for your help, it looks more clear now. 

I will try this week and come back here with feedback, but I think it
will work :-) 

I have a last question: if a user has SID "<DOMAINPART>-3038" on the old
server, do we have to keep the exact same SID on the new server? In
other words, is it possible to change the "3038" (user part) or not?

Thank you very much ! 
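
The SID comparison discussed in this thread, as an added example that is not part of the original messages: a SID names the same account only when both its domain part and its RID are equal, so the sketch below splits account SIDs, classifies a mismatch, and pulls the domain SID out of `net getdomainsid`-style output. The function names, the host and domain names, and the assumed output line format are illustrative assumptions.

```shell
#!/bin/sh
# Added example; function names and sample output are constructed for illustration.

# True only for a domain account SID of the form S-1-5-21-<a>-<b>-<c>-<RID>.
is_account_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){4}$'
}

# Domain part: the SID with its last sub-authority (the RID) removed.
sid_domain() { is_account_sid "$1" || return 1; printf '%s\n' "${1%-*}"; }

# RID: the last sub-authority, e.g. 1005.
sid_rid() { is_account_sid "$1" || return 1; printf '%s\n' "${1##*-}"; }

# Two SIDs are one account only if the domain part AND the RID are equal.
compare_sids() {
    is_account_sid "$1" && is_account_sid "$2" || { echo invalid; return 2; }
    if [ "$1" = "$2" ]; then echo same-account
    elif [ "${1%-*}" != "${2%-*}" ]; then echo domain-mismatch
    else echo rid-mismatch
    fi
}

# Read `net getdomainsid`-style text on stdin and print the domain SID.
# Assumed line format: "SID for domain <NAME> is: <SID>".
extract_domain_sid() {
    sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# Constructed sample output (placeholder host and domain names; which of the
# thread's two domain SIDs belongs to which server is not stated there).
SAMPLE_OUTPUT='SID for local machine NEWPDC is: S-1-5-21-2025076216-3455336656-3842161122
SID for domain EXAMPLE is: S-1-5-21-2025076216-3455336656-3842161122'

# The two SIDs for 'Fred' quoted in the thread.
FRED_A='S-1-5-21-4036476082-4153129556-3089177936-1005'
FRED_B='S-1-5-21-2025076216-3455336656-3842161122-1005'

server_domain=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_domain_sid)
echo "server domain SID:    $server_domain"
echo "Fred A domain part:   $(sid_domain "$FRED_A")"
echo "Fred A vs Fred B:     $(compare_sids "$FRED_A" "$FRED_B")"
echo "RID 1005 vs RID 3038: $(compare_sids "$FRED_A" "$(sid_domain "$FRED_A")-3038")"
```
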

