[Samba] Samba 4.2.14 Group Policy (GPO) sync error
rme at bluemail.ch
rme at bluemail.ch
Fri Aug 5 20:54:34 UTC 2016
Hello Louis,
> Win 10, im configureing a pc now and settting up the gpo.
> When done, i'll test that and report back how that goes.
I actually set up a Win7 VM to test whether GPO sync works fine with it.
So I installed Windows 7 Professional with the last update rollup installed.
Unfortunately I get exaclty the same errors as I get in Windows 10 Pro.
I am seriously thinking about an issue with my Samba installation or
something which was broken during classicupgrade. I am facing the same
issues on two additional Samba 4.2 installations, both were
classic-upgraded.
Then I started investigating whether Samba provides some kind of
"verification" tool.
Unfortunately I tried 'samba-tool domain provision' once where I found
it's not only verifying but actually resetting the Samba configuration
(Privileges, User Accounts, Machine Accounts etc.).
In fact I would be willing to re-configure my Samba installation from
scratch. Actually there is only little data I would have to re-do and I
did some research on whether it's possible to export this data and
re-import it later. I did find a couple of transfer guides (how to
transfer from one hardware to another) but here I think I would simply
copy the /var/lib/samba and /etc/samba folders which should work.
In my case I am lookning for
- Export user database (including passwords, SID(!!), unix LDAP
attributes etc.)
- Export group database (including SID)
- Export machine accounts (optional, I might re-join the machines)
- Keep domain SID (net getlocalsid / net setlocalsid)
- Anything else?
Actually especially the users database would be a hassle to re-create as
I would have to inform the users and since I am using roaming profiles
they should keep their SID as the user profile backup (mainly ntuser.dat
registry hive) refers to the SID for security descriptors. So I would
run into trouble if the user is assigned a new SID. Moreover some users
have Unix attributes (UID, home directory, shell) attributes which I
should keep as some of them need to log in to the shell too. Needless to
say that changing the owner of all files owned by specific UID would be
troublesome.
But assuming I could export the complete user/group database and
re-import them (all users except built-in ones like Administrator,
service accounts etc.) I would be fine with it.
I already tried
pdbedit -e smbpasswd:/mydir/myfile
pdbedit -i smbpasswd:/mydir/myfile
but it didn't work. The export was fine and the dump was created but
import fails with an obscure message:
build_sam_account: smbpasswd database is corrupt! username <user>
with uid <uid> is not in unix passwd database!
Username not found!
Which is weird as of course the user does not exist when I try to import
it. Moreover looking at the exported file it looks like only the plain
Windows attributes are exported and especially the SID is not retained.
So even when the user is restored it would be an issue to log on with
its old profile assigning permissions to the old SID (e.g. in user
registry hive). And I certainly don't want the users to start
configuring all their profiles from scratch.
Honestly I was a bit busy restoring my Samba installation after
accidentally scratching it and I didn't do any test on GPO sync after I
accidentally scratched it - my bad. I will do this again and verify
whether I can sync GPO properly on a freshly initialized installation
using 'samba-tool domain provision' with my current smb.conf left intact.
Does anybody know whether such a migration of users and machine accounts
to a new installation is possible?
Thanks
Rainer
More information about the samba
mailing list