[Samba] NT3.x -> AD: accounts and profiles
Marcio Vogel Merlone dos Santos
marcio.merlone at a1.ind.br
Thu Aug 16 18:02:30 UTC 2018
Since we cannot join a W10 machine to an NT3.x domain anymore, it is time
to move on. We have a decade-old domain 'A1CWB' and will profit from the
situation by fixing the old S-1-5-21-1234567890-1234567890-1234567890 SID
and implementing a new domain name:
A1CWB, SID S-1-5-21-1234567890-1234567890-1234567890
AD.A1.IND.BR, decent SID from net getdomainsid, two servers, one DC and
one DM as fileserver, Ubuntu 18.04.
In my tests I was able to import old LDAP accounts using 'samba-tool
domain classicupgrade' AFTER 'samba-tool domain provision' and proper
LDAP database cleanup. I know this was not designed to be used this way,
but should I expect something unexpected? :)
As for roaming profiles, new users work fine. The existing ones (a
couple hundred) from the old domain are rsync'ed from the old server to
the DM, and then I run the profiles tool:
profiles -c S-1-5-21-<123 SID> -n S-1-5-21-<new decent SID> NTUSER.DAT
This command runs fine without any error, but the resulting profile is
unusable, with mixed errors about GPO, 'Failure on gpsvc service entry.
Access denied' (translated from pt_BR) and such when the user logs in, and
one big 'OK' button that, when pressed, logs out the user. Google couldn't
help me this time; nothing relevant in the Samba logs or the event viewer.
The Samba logs say the workstation read all existing files in the profile,
then closes them all, presumably when logging off.
Any tip on how to reuse those old profiles?
Thanks and best regards.
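
As an added example (not part of the original post, and not Samba code): a Python check that scans a hive file for binary SIDs still belonging to a given domain, so NTUSER.DAT can be compared before and after the `profiles -c ... -n ...` run described above. The new-domain SID and the sample bytes are constructed placeholders; a raw byte scan shows where SIDs occur, not which registry structure holds them.

```python
import struct
import sys

OLD_DOMAIN = "S-1-5-21-1234567890-1234567890-1234567890"  # old SID from the post
NEW_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder

def sid_tail(sid):
    """Binary SID minus its 2-byte header (revision, sub-authority count)."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"] or len(parts) < 4:
        raise ValueError("not a revision-1 SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def pack_sid(sid):
    """Full binary SID: revision 1, count, 6-byte authority, LE sub-authorities."""
    tail = sid_tail(sid)
    return bytes([1, (len(tail) - 6) // 4]) + tail

def find_domain_sids(data, domain_sid):
    """Return (offset, SID string) for every binary SID in data under domain_sid."""
    tail = sid_tail(domain_sid)
    n_dom = (len(tail) - 6) // 4
    hits, pos = [], data.find(tail)
    while pos != -1:
        start = pos - 2
        # A real SID has revision 1 and between n_dom and 15 sub-authorities.
        if start >= 0 and data[start] == 1 and n_dom <= data[start + 1] <= 15:
            count = data[start + 1]
            if start + 8 + 4 * count <= len(data):
                subs = struct.unpack_from("<%dI" % count, data, start + 8)
                auth = int.from_bytes(data[start + 2:start + 8], "big")
                hits.append((start, "S-1-%d-%s" % (auth, "-".join(map(str, subs)))))
        pos = data.find(tail, pos + 1)
    return hits

# Constructed sample, not a real hive: one old-domain and one new-domain user SID.
SAMPLE = (b"regf" + b"\x00" * 12 + pack_sid(OLD_DOMAIN + "-1001")
          + b"\x00" * 8 + pack_sid(NEW_DOMAIN + "-1001") + b"\x00" * 4)

if __name__ == "__main__":
    # Usage: python3 sidscan.py NTUSER.DAT S-1-5-21-<domain SID>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE
    domain = sys.argv[2] if len(sys.argv) > 2 else OLD_DOMAIN
    for offset, sid in find_domain_sids(data, domain):
        print("0x%08x  %s" % (offset, sid))
```

Run it once with the old domain SID and once with the new one on the converted hive; any hits for the old SID are references the conversion left behind.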