[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")

Rowland Penny rowlandpenny at googlemail.com
Tue Dec 9 09:43:53 MST 2014

On 09/12/14 16:27, Denis BUCHER wrote:
> Dear Rowland,
> On 09.12.2014 12:41, Rowland Penny wrote:
>> On 09/12/14 11:22, Denis BUCHER wrote:
>> Dear Marc, Dear Rowland,
>> On 08.12.2014 23:01, Marc Muehlfeld wrote:
>> On 08.12.2014 at 22:55, Rowland Penny wrote:
>> Hi,
>> It sounds very much like a SID problem to me.
>> the user 'Fred' with the SID-RID
>> 'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same
>> user as 'Fred' with the SID-RID
>> 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>> You need to change the domain SID on the new PDC to match the SID on
>> the Windows machines.
>> Denis, is this a _new domain_ (with the same name)? Or just a _new
>> server_ where you placed the profiles. If it's a _new domain_, then
>> Rowland is surely right and it is an SID problem. But you talked about
>> a _new server_. Please be more clear about your environment.
>> Regards, Marc
> Yes, you're right, I must clarify a little more on this point: You were
> right, what we *WANT* to do is simply to replace the old PDC under Samba
> 3 by the new PDC under Samba 4. (Simply a new server). But what we
> *DID*, is in fact to configure a _new domain_ with the same name.
> Therefore, I agree that the problem is SID related, and if I
> understand you correctly, this is the wrong way to do it! We should
> instead configure a new server with same domain, right?
> Thank you very much for your appreciated help,
> Best regards,
> Denis
> OK, If you just want to have a new replacement PDC, you need to:
> A) Install your OS of choice
> B) Install samba4
> C) Get the Domain SID from your old PDC
> D) Use your old smb.conf as a template for your new one, checking that
> all the old lines are still valid, refer to 'man smb.conf'. If you have
> a 'socket options' line in your old conf file, remove it!, you are
> likely to be making things worse.
> E) run 'net setdomainsid <SID YOU GOT EARLIER>'
> F) start smbd,nmbd & winbind
> If it is possible, use the same IP address & hostname of the old server
> for the new server.
> Rowland
> Thanks a lot for your help, it looks more clear now.
> I will try this week and come back here with feedback, but I think it
> will work :-)
> I have a last question, if a user has SID "<DOMAINPART>-3038" on the old
> server do we have to keep the exact same SID on the new server ? In
> other words is it possible to change the "3038" (user part) or not ?
> Thank you very much !
> Denis
Hi,

The SID identifies what domain the user is part of and the RID is the
user's unique ID number. If you change the RID in the user's domain
record, the user then becomes another user, so if you do change a user's
RID, you will have to change the permissions on any files/directories
the user owns.

Remember I posted:

   the user 'Fred' with the SID-RID 
'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same 
user as 'Fred' with the SID-RID 

I could also have posted:

the user 'Fred' with the SID-RID 
'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same 
user as 'Fred' with the SID-RID 
'S-1-5-21-4036476082-4153129556-3089177936-2375'  (not that you could 
have two users called 'Fred', but I hope you get my drift)
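
The SID/RID distinction from the message above, as an added example that is not part of the original post: a Python check that splits each account SID into its domain SID and RID and reports which accounts on a replacement server are still the same accounts as on the old one. Fred's SIDs are the ones quoted in the thread; the user 'alice', the function names and the way the two lists were collected are assumptions.

```python
import re

# Domain account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "S-1-5-21-" + "-".join(m.group(1, 2, 3)), int(m.group(4))

def audit(old, new):
    """Compare {user: SID} maps from the old and new server.

    A name match is not enough: the account is only the same account
    (and keeps access to its profile) if domain SID and RID both match.
    """
    report = {}
    for user, old_sid in sorted(old.items()):
        if user not in new:
            report[user] = "missing on new server"
            continue
        old_dom, old_rid = split_sid(old_sid)
        new_dom, new_rid = split_sid(new[user])
        if old_dom != new_dom:
            report[user] = "domain SID differs"   # new domain, same name
        elif old_rid != new_rid:
            report[user] = "RID differs"          # file ownership must be redone
        else:
            report[user] = "same account"
    return report

# Constructed sample data; domain SIDs and Fred's RIDs are taken from the thread.
OLD_DOM = "S-1-5-21-4036476082-4153129556-3089177936"
NEW_DOM = "S-1-5-21-2025076216-3455336656-3842161122"
OLD = {"fred": OLD_DOM + "-1005", "alice": OLD_DOM + "-3038"}
NEW_DOMAIN = {"fred": NEW_DOM + "-1005", "alice": NEW_DOM + "-3038"}
SAME_DOMAIN = {"fred": OLD_DOM + "-2375", "alice": OLD_DOM + "-3038"}

if __name__ == "__main__":
    for label, new in (("new domain", NEW_DOMAIN), ("same domain", SAME_DOMAIN)):
        for user, status in audit(OLD, new).items():
            print(f"{label}: {user}: {status}")
```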

