[Samba] [Solved] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")

Denis BUCHER dbucherml at hsolutions.ch
Mon Dec 15 12:50:33 MST 2014



On 09.12.2014 17:43, Rowland Penny wrote:

> On 09/12/14 16:27, Denis BUCHER wrote:
>> Dear Rowland,
>>
>> On 09.12.2014 12:41, Rowland Penny wrote:
>>> On 09/12/14 11:22, Denis BUCHER wrote:
>>>> Dear Marc, Dear Rowland,
>>>>
>>>> On 08.12.2014 23:01, Marc Muehlfeld wrote:
>>>>> On 08.12.2014 at 22:55, Rowland Penny wrote:
>>>>>> Hi, It sounds very much like a SID problem to me.
>>>>>>
>>>>>> the user 'Fred' with the SID-RID
>>>>>> 'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same
>>>>>> user as 'Fred' with the SID-RID
>>>>>> 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>>>>>>
>>>>>> You need to change the domain SID on the new PDC to match the SID on
>>>>>> the windows machines.
>>>>>
>>>>> Denis, is this a _new domain_ (with the same name)? Or just a _new
>>>>> server_ where you placed the profiles.
>>>>>
>>>>> If it's a _new domain_, then Rowland is surely right and it is an SID
>>>>> problem. But you talked about a _new server_. Please be more clear
>>>>> about your environment.
>>>>>
>>>>> Regards, Marc
>>>>
>>>> Yes, you're right, I must clarify a little more on this point:
>>>>
>>>> You were right, what we *WANT* to do is simply to replace the old PDC
>>>> under Samba 3 by the new PDC under Samba 4. (Simply a new server).
>>>>
>>>> But what we *DID*, is in fact to configure a _new domain_ with the same
>>>> name.
>>>>
>>>> Therefore, I agree that the problem is SID related, and if I understand
>>>> you correctly, this is the wrong way to do it! We should instead
>>>> configure a new server with same domain, right?
>>>>
>>>> Thank you very much for your appreciated help,
>>>>
>>>> Best regards, Denis
>>>
>>> OK, If you just want to have a new replacement PDC, you need to:
>>>
>>> A) Install your OS of choice
>>> B) Install samba4
>>> C) Get the Domain SID from your old PDC
>>> D) Use your old smb.conf as a template for your new one, checking that
>>>    all the old lines are still valid, refer to 'man smb.conf'. If you
>>>    have a 'socket options' line in your old conf file, remove it!, you
>>>    are likely to be making things worse.
>>> E) run 'net setdomainsid <SID YOU GOT EARLIER>'
>>> F) start smbd, nmbd & winbind
>>>
>>> If it is possible, use the same IP address & hostname of the old server
>>> for the new server.
>>>
>>> Rowland
>>
>> Thanks a lot for your help, it looks more clear now. I will this week and
>> come back here with feedback, but I think it will work :-)
>>
>> I have a last question, if a user has SID "<DOMAINPART>-3038" on the old
>> server do we have to keep the exact same SID on the new server ? In other
>> words is it possible to change the "3038" (user part) or not ?
>>
>> Thank you very much !
>>
>> Denis
>
> Hi, The SID identifies what domain the user is part of and RID is the
> user's unique ID number. If you change the RID in the user's domain
> record, the user then becomes another user, so if you do change a user's
> RID, you will have to change the permissions on any files/directories
> the user owns.
>
> Remember I posted:
>
> the user 'Fred' with the SID-RID
> 'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same
> user as 'Fred' with the SID-RID
>
> I could also have posted:
>
> the user 'Fred' with the SID-RID
> 'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same
> user as 'Fred' with the SID-RID
> 'S-1-5-21-4036476082-4153129556-3089177936-2375' (not that you could
> have two users called 'Fred', but I hope you get my drift)


OK, the problem is solved: I can confirm that I was able to solve the
problem using the above solutions. 

Once again, thanks a lot for your help ! 

For anyone having the same problem and reading this in the future, I
will summarize the solution here : 

  * If you want to install a new server, completely replacing the current one,
  * keeping the same domain name,
  * especially if you have roaming profiles and want your users to keep the same profile on the new server,
  * then you should configure the new server with the same domain SID.
  * After creating the users on the new server, you will have to change their SID to the same SID as they had on the old server.
  * Note: you may change the groups (including the SID) without problem if you want.

To do the migration once everything was tested : 

 	* On each PC, quit the current server domain.
 	* Shut down the current server.
 	* Start the new server.
 	* Enter all PCs into the new domain.
 	* Copy all profiles to the new server preserving rights.
 	* There you are !
  * P.S. I don't know if there is a way to avoid quitting and entering the domains.

Rowland, feel free to add more details to this post or to correct it if
I said something wrong. I am quite sure someone will need this some day.

Best regards, 
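
The check below is an added example, not part of the original post or of Samba: before cutover it compares each account's SID on the old and new server and reports whether the domain SID or only the RID changed, which is the distinction the thread draws. The account names other than 'fred' and the two input dictionaries are constructed; the SIDs and RIDs are the ones quoted in the thread, and how the maps are exported from each server is left open.

```python
import re

# A domain account SID is the domain SID (S-1-5-21-a-b-c) followed by the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or raise ValueError."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))

def compare_accounts(old, new):
    """Classify every account of the old server against the new server's map."""
    report = {}
    for name, old_sid in sorted(old.items()):
        if name not in new:
            report[name] = "missing on new server"
            continue
        old_dom, old_rid = split_sid(old_sid)
        new_dom, new_rid = split_sid(new[name])
        if old_dom != new_dom:
            # New domain with the same name: existing profiles will not match.
            report[name] = "domain SID differs"
        elif old_rid != new_rid:
            # Same domain, different RID: a different user as far as ACLs go.
            report[name] = f"RID differs ({old_rid} -> {new_rid})"
        else:
            report[name] = "ok"
    return report

# Constructed sample maps (account name -> SID); SIDs taken from the thread.
OLD = {
    "fred": "S-1-5-21-4036476082-4153129556-3089177936-1005",
    "alice": "S-1-5-21-4036476082-4153129556-3089177936-3038",
    "bob": "S-1-5-21-4036476082-4153129556-3089177936-1007",
}
NEW_WRONG_DOMAIN = {"fred": "S-1-5-21-2025076216-3455336656-3842161122-1005"}
NEW_WRONG_RID = {
    "fred": "S-1-5-21-4036476082-4153129556-3089177936-2375",
    "alice": "S-1-5-21-4036476082-4153129556-3089177936-3038",
}

if __name__ == "__main__":
    for label, new in (("new domain", NEW_WRONG_DOMAIN), ("new RIDs", NEW_WRONG_RID)):
        print(label)
        for name, status in compare_accounts(OLD, new).items():
            print(f"  {name}: {status}")
```
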


