[Samba] NT3.x -> AD: accounts and profiles

Marcio Vogel Merlone dos Santos marcio.merlone at a1.ind.br
Thu Aug 16 18:02:30 UTC 2018


Since we cannot join a W10 machine to an NT3.x domain anymore, it is time 
to move on. We have a decade-old domain 'A1CWB' and will profit from the 
situation by fixing the old S-1-5-21-1234567890-1234567890-1234567890 SID 
and implementing a new domain name:

Old domain:

A1CWB, SID S-1-5-21-1234567890-1234567890-1234567890

New domain:

AD.A1.IND.BR, decent SID from net getdomainsid, two servers, one DC and 
one DM as fileserver, Ubuntu 18.04.

In my tests I was able to import old LDAP accounts using 'samba-tool 
domain classicupgrade' AFTER 'samba-tool domain provision' and proper 
LDAP database cleanup. I know this was not designed to be used this way, 
but should I expect something unexpected? :)

As for roaming profiles, new users work fine. The existing ones (a 
couple hundred) from the old domain are rsync'ed from the old server to 
the DM and run through the profiles tool:

profiles -c S-1-5-21-<123 SID> -n S-1-5-21-<new decent SID> NTUSER.DAT

This command runs fine without any error, but the resulting profile is 
unusable, with mixed errors about GPO, 'Failure on gpsvc service entry. 
Access denied' (translated from pt_BR) and such when the user logs in, one 
big 'OK' button that, when pressed, logs out the user. Google couldn't 
help me this time, nothing relevant in the samba logs nor the event viewer.

Samba logs say the workstation read all existing files on the profile, 
then closes them all, presumably when logging off.

Any tip on how to reuse those old profiles?

Thanks and best regards.

*Marcio Merlone*
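
One way to check what the `profiles -c ... -n ...` step above left behind in a copy of NTUSER.DAT: scan the file for binary-encoded SIDs under a given domain SID. This is an added example, not part of the original post or of Samba; the new-domain SID, the RID 1105 and the sample bytes are constructed for illustration.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' in the binary SID layout used inside security descriptors."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (bytes([int(parts[1]), len(subs)])       # revision, sub-authority count
            + int(parts[2]).to_bytes(6, "big")      # identifier authority, big-endian
            + b"".join(struct.pack("<I", s) for s in subs))  # little-endian uint32 each

def find_domain_sids(blob: bytes, domain_sid: str) -> list:
    """Return (offset, SID) for each binary SID equal to domain_sid or below it (domain + RID)."""
    enc = sid_to_bytes(domain_sid)
    rev, n, body = enc[0], enc[1], enc[2:]
    hits = []
    pos = blob.find(body)
    while pos != -1:
        start = pos - 2                              # revision and count precede the body
        if start >= 0 and blob[start] == rev and n <= blob[start + 1] <= 15:
            count = blob[start + 1]
            if start + 8 + 4 * count <= len(blob):   # whole SID lies inside the buffer
                extra = struct.unpack_from(f"<{count - n}I", blob, pos + len(body))
                hits.append((start, "-".join([domain_sid, *map(str, extra)])))
        pos = blob.find(body, pos + 1)
    return hits

def scan_file(path: str, domain_sid: str) -> list:
    """Scan a hive file (work on a copy) for SIDs under domain_sid."""
    with open(path, "rb") as fh:
        return find_domain_sids(fh.read(), domain_sid)

OLD_DOMAIN = "S-1-5-21-1234567890-1234567890-1234567890"  # old SID as quoted in the post
NEW_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
# Constructed sample bytes standing in for a fragment of a hive: one old-domain
# user SID and one new-domain user SID, separated by filler.
SAMPLE = (b"\x00" * 16 + sid_to_bytes(OLD_DOMAIN + "-1105")
          + b"\xff" * 8 + sid_to_bytes(NEW_DOMAIN + "-1105") + b"\x00" * 4)

if __name__ == "__main__":
    for off, sid in find_domain_sids(SAMPLE, OLD_DOMAIN):
        print(f"old-domain SID still present at offset {off:#x}: {sid}")
```

The scan only covers SIDs stored in binary form, such as those in key ACLs; SIDs written as text inside registry values or key names are not matched.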
