[Samba] Samba 4.2.14 Group Policy (GPO) sync error

rme at bluemail.ch rme at bluemail.ch
Fri Aug 5 20:54:34 UTC 2016


Hello Louis,

> Win 10, I'm configuring a pc now and setting up the gpo.
> When done, i'll test that and report back how that goes.

I actually set up a Win7 VM to test whether GPO sync works fine with it. 
So I installed Windows 7 Professional with the last update rollup installed.
Unfortunately I get exactly the same errors as I get in Windows 10 Pro.

I am seriously thinking about an issue with my Samba installation or 
something which was broken during classicupgrade. I am facing the same 
issues on two additional Samba 4.2 installations, both were 
classic-upgraded.

Then I started investigating whether Samba provides some kind of 
"verification" tool.
Unfortunately I tried 'samba-tool domain provision' once where I found 
it's not only verifying but actually resetting the Samba configuration 
(Privileges, User Accounts, Machine Accounts etc.).


In fact I would be willing to re-configure my Samba installation from 
scratch. Actually there is only little data I would have to re-do and I 
did some research on whether it's possible to export this data and 
re-import it later. I did find a couple of transfer guides (how to 
transfer from one hardware to another) but here I think I would simply 
copy the /var/lib/samba and /etc/samba folders which should work.

In my case I am looking for
- Export user database (including passwords, SID(!!), unix LDAP 
attributes etc.)
- Export group database (including SID)
- Export machine accounts (optional, I might re-join the machines)
- Keep domain SID (net getlocalsid / net setlocalsid)
- Anything else?


Actually especially the users database would be a hassle to re-create as 
I would have to inform the users and since I am using roaming profiles 
they should keep their SID as the user profile backup (mainly ntuser.dat 
registry hive) refers to the SID for security descriptors. So I would 
run into trouble if the user is assigned a new SID. Moreover some users 
have Unix attributes (UID, home directory, shell) which I 
should keep as some of them need to log in to the shell too. Needless to 
say that changing the owner of all files owned by specific UID would be 
troublesome.
But assuming I could export the complete user/group database and 
re-import them (all users except built-in ones like Administrator, 
service accounts etc.) I would be fine with it.

I already tried
pdbedit -e smbpasswd:/mydir/myfile
pdbedit -i smbpasswd:/mydir/myfile
but it didn't work. The export was fine and the dump was created but 
import fails with an obscure message:
     build_sam_account: smbpasswd database is corrupt!  username <user> with uid <uid> is not in unix passwd database!
     Username not found!

Which is weird as of course the user does not exist when I try to import 
it. Moreover looking at the exported file it looks like only the plain 
Windows attributes are exported and especially the SID is not retained. 
So even when the user is restored it would be an issue to log on with 
its old profile assigning permissions to the old SID (e.g. in user 
registry hive). And I certainly don't want the users to start 
configuring all their profiles from scratch.


Honestly I was a bit busy restoring my Samba installation after 
accidentally scratching it and I didn't do any test on GPO sync after I 
accidentally scratched it - my bad. I will do this again and verify 
whether I can sync GPO properly on a freshly initialized installation 
using 'samba-tool domain provision' with my current smb.conf left intact.


Does anybody know whether such a migration of users and machine accounts 
to a new installation is possible?

Thanks
Rainer
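
Added example, not part of the original post and not Samba's own code: a pre-import check over a `pdbedit -e smbpasswd:` dump, assuming the field layout documented in smbpasswd(5) (name:uid:LM hash:NT hash:[flags]:LCT-time:). It shows that the format carries no SID column and lists the entries whose Unix account is missing on the target host, which is the condition named in the build_sam_account error above. The dump lines, passwd entries and function names are constructed for illustration.

```python
"""Pre-import check for an smbpasswd-format dump (added example)."""
import re
from typing import NamedTuple

# Layout assumed from smbpasswd(5): name:uid:LM:NT:[flags]:LCT-hex:
# There is no SID column, so a SID cannot survive this export format.
LINE_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[^\]]*)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):")

class Entry(NamedTuple):
    name: str
    uid: int
    flags: str         # e.g. "U" user account, "W" workstation trust
    last_change: int   # seconds since the epoch

def parse_dump(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"not an smbpasswd line: {line!r}")
        entries.append(Entry(m["name"], int(m["uid"]),
                             m["flags"].strip(), int(m["lct"], 16)))
    return entries

def parse_passwd(text):
    """Map username -> uid from passwd(5)-format text."""
    rows = (l.split(":") for l in text.splitlines())
    return {r[0]: int(r[2]) for r in rows if len(r) >= 7}

def check_import(entries, unix_users):
    """Return (name, reason) for entries the target host cannot map."""
    problems = []
    for e in entries:
        if e.name not in unix_users:
            problems.append((e.name, f"no Unix account (dump uid {e.uid})"))
        elif unix_users[e.name] != e.uid:  # extra check added in this example
            problems.append((e.name, f"uid mismatch: dump {e.uid}, "
                                     f"host {unix_users[e.name]}"))
    return problems

# Constructed sample data; the hash fields are placeholders, not real hashes.
H = "X" * 32
SAMPLE_DUMP = (f"alice:1001:{H}:{H}:[U          ]:LCT-57A4F0AA:\n"
               f"bob:1002:{H}:{H}:[U          ]:LCT-57A4F0AB:\n"
               f"pc01$:1100:{H}:{H}:[W          ]:LCT-57A4F0AC:\n")
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:x:1001:1001::/home/alice:/bin/bash\n"
                 "bob:x:2002:2002::/home/bob:/bin/bash\n")
```

Running `check_import(parse_dump(dump), parse_passwd(passwd))` against the target host's real passwd data before `pdbedit -i` lists every account that would have to exist first.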


