[Samba] Moving roaming profiles between domains, risky?

Marco Gaiarin gaio at sv.lnf.it
Mon May 14 15:14:36 UTC 2018


Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...

> Sorry for the late reply, but yes, this is a risky move.

...and it seems not to work, either. ;-)


> Did you make sure that the DOMAIN SIDs are exactly the same between old and new servers?

No, they are different domains and so different SIDs.
This really astonished me, because I was sure that the SIDs are saved in
profiles (NTUSER.* files).

But for my user, which as Administrator probably has no ACL fuss to
fight against, my profile, printer apart, seems to work as expected.


> This: 
> rsync -av --progress --xattrs --rsh=ssh  
> Does not copy the (windows) ACLs.

Sure, it is intended. For two reasons:

1) being different domains, users match but group names don't, so I'd
 probably copy only a set of invalid group ACLs.

2) I'm using on the profile share, as suggested by the Samba wiki, the 'windows
 ACL' method (e.g. 'vfs objects = acl_xattr'), and so ACLs are not
synthesized into POSIX ACLs but stored in XATTRs as SDDL strings. E.g.:

 root at vdmsv1:/srv/samba/profiles# getfattr -n security.NTACL -d krystyna.V2
 # file: krystyna.V2
 security.NTACL=0sBAAEAAAAAgAEAAIAAQDG0u+Fi3xic2W4IOcSGL6lX7t95CyUv2wSq5GSPx7sVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAMbkBrFy69MBHOP48RdIuplrMlW0Ew7FMt+pW+y3fsOgohu+FokCBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJC0AAAA0AAAAAAAAADsAAAAAQUAAAAAAAUVAAAA8aGKCSrGqNaQqai6xQQAAAEFAAAAAAAFFQAAAPGhigkqxqjWkKmougECAAACAEAAAgAAAAADFAD/AR8AAQEAAAAAAAUSAAAAAAMkAP8BHwABBQAAAAAABRUAAADxoYoJKsao1pCpqLrFBAAA

unfortunately:
 root at vdmsv1:/srv/samba/profiles# samba-tool ntacl get krystyna.V2 --as-sddl
 ERROR: Unable to read domain SID from configuration files

'samba-tool ntacl' seems not to work on domain members.


So, probably, I have to:

1) define some ACLs (as XATTR/SDDL) and apply them to files programmatically;
 or

2) read XATTR/SDDL from the old domain, mangle them in some way and apply them to
 files and dirs of the new domain.


It takes less time to copy some profile folders from old to new. ;-)

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
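A worked version of option 2 from the message above, added here as an illustration and not code from the original post or from the Samba project: it rewrites the SIDs inside an SDDL string (the text form that `samba-tool ntacl get --as-sddl` prints) from the old domain SID to the new one, keeping only trustees that exist in both domains and dropping the rest instead of carrying over dangling SIDs. The domain SIDs, RIDs and account names below are constructed placeholders, and writing the result back to the share is left out.

```python
import re

# An ACE is "(type;flags;rights;object_guid;inherit_guid;trustee_sid)";
# owner and group are "O:<sid>" / "G:<sid>" with either a full SID or a
# two-letter well-known alias such as BA or SY.
ACE_RE = re.compile(r"\(([^)]*)\)")
HEADER_RE = re.compile(r"(O|G):(S-1-[0-9-]+|[A-Z]{2})")


def build_rid_map(old_accounts, new_accounts):
    """old_accounts / new_accounts: {sAMAccountName: rid} (constructed here).
    Only names present in both domains get a mapping; the rest are dropped."""
    return {rid: new_accounts[name]
            for name, rid in old_accounts.items() if name in new_accounts}


def translate_sid(sid, old_dom, new_dom, rid_map):
    """Map one SID string; None when the account has no counterpart."""
    if not sid.startswith(old_dom + "-"):
        return sid                       # well-known alias or foreign SID: keep
    rid = int(sid.rsplit("-", 1)[1])
    new_rid = rid_map.get(rid)
    return None if new_rid is None else f"{new_dom}-{new_rid}"


def remap_sddl(sddl, old_dom, new_dom, rid_map):
    """Return (rewritten SDDL, list of trustee SIDs that were dropped).
    Unmapped owner/group fall back to the new domain's Domain Admins (RID 512)."""
    dropped = []

    def fix_header(m):
        sid = translate_sid(m.group(2), old_dom, new_dom, rid_map)
        return f"{m.group(1)}:{sid or new_dom + '-512'}"

    def fix_ace(m):
        fields = m.group(1).split(";")
        sid = translate_sid(fields[5], old_dom, new_dom, rid_map)
        if sid is None:
            dropped.append(fields[5])    # no such account in the new domain
            return ""
        fields[5] = sid
        return "(" + ";".join(fields) + ")"

    out = HEADER_RE.sub(fix_header, sddl)
    return ACE_RE.sub(fix_ace, out), dropped
```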
