[Samba] Moving roaming profiles between domains, risky?
gaio at sv.lnf.it
Mon May 14 15:14:36 UTC 2018
Hello! L.P.H. van Belle via samba
On that day it was said...
> Sorry for the late reply, but yes, this is a risky move.
...and it seems it does not work, either. ;-)
> Did you make sure the DOMAIN SIDs are exactly the same between old and new servers?
No, they are different domains and so different SIDs.
This really astonished me, because I was sure that the SIDs are saved in
profiles (NTUSER.* files).
But for my user, who as Administrator probably has no ACL fuss to
fight against, my profile, printers apart, seems to work as expected.
> rsync -av --progress --xattrs --rsh=ssh
> Does not copy the (Windows) ACLs.
Sure, it is intended. For two reasons:
1) being different domains, users match but group names do not, so I'd
probably copy only a set of invalid group ACLs.
2) I'm using on the profile share, as suggested by the Samba wiki, the 'windows
ACL' method (e.g., 'vfs objects = acl_xattr'), and so ACLs are not
synthesized in POSIX ACLs but stored in XATTRs as SDDL strings, e.g.:
root@vdmsv1:/srv/samba/profiles# getfattr -n security.NTACL -d krystyna.V2
# file: krystyna.V2
root@vdmsv1:/srv/samba/profiles# samba-tool ntacl get krystyna.V2 --as-sddl
ERROR: Unable to read domain SID from configuration files
'samba-tool ntacl' seems not to work on domain members.
So, probably, I have to:
1) define some ACLs (as XATTR/SDDL) and apply them to files programmatically;
2) read the XATTR/SDDL from the old domain, mangle it in some way and apply it to
files and dirs of the new domain.
It takes less time to copy some profile folders from old to new. ;-)
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
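
Added example, not part of the original post: a sketch of the "mangle" in step 2 above, rewriting the owner, group and ACE trustee SIDs of an SDDL string from the old domain to the new one. The names remap_sid and remap_sddl, the SIDs and the RID map are hypothetical and constructed; it assumes the SDDL text has already been exported, that the RID map was built by matching account names, and that the ACL has no conditional ACEs.

```python
import re

ACE_RE = re.compile(r"\(([^()]*)\)")   # one ACE: (type;flags;rights;obj;inh_obj;trustee)
PRINCIPAL_RE = re.compile(r"([OG]:)(S-1-[\d-]+)")          # owner / primary group
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def remap_sid(sid, old_dom, new_dom, rid_map):
    """Translate a SID of the old domain; return None when its RID has no mapping."""
    m = DOMAIN_SID_RE.match(sid)
    if not m or m.group(1) != old_dom:
        return sid                      # SDDL aliases (SY, BA), builtin or foreign SIDs
    new_rid = rid_map.get(int(m.group(2)))
    return None if new_rid is None else f"{new_dom}-{new_rid}"

def remap_sddl(sddl, old_dom, new_dom, rid_map):
    """Return (rewritten SDDL, list of ACEs dropped because the trustee is unmapped)."""
    dropped = []

    def fix_principal(m):
        new = remap_sid(m.group(2), old_dom, new_dom, rid_map)
        if new is None:                 # an object cannot be left without its owner
            raise ValueError(f"no mapping for {m.group(1)}{m.group(2)}")
        return m.group(1) + new

    def fix_ace(m):
        fields = m.group(1).split(";")
        if len(fields) != 6:            # not a plain ACE: leave untouched
            return m.group(0)
        new = remap_sid(fields[5], old_dom, new_dom, rid_map)
        if new is None:
            dropped.append(m.group(0))  # report it: a dropped deny ACE widens access
            return ""
        fields[5] = new
        return "(" + ";".join(fields) + ")"

    return ACE_RE.sub(fix_ace, PRINCIPAL_RE.sub(fix_principal, sddl)), dropped

# Constructed sample values, not taken from the thread.
OLD = "S-1-5-21-1111111111-2222222222-3333333333"
NEW = "S-1-5-21-4444444444-5555555555-6666666666"
RID_MAP = {1105: 1603, 513: 513}        # old RID -> new RID, matched by account name
SAMPLE = (f"O:{OLD}-1105G:{OLD}-513D:PAI(A;OICI;FA;;;{OLD}-1105)"
          f"(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;{OLD}-1200)(A;OICI;FA;;;BA)")

if __name__ == "__main__":
    new_sddl, dropped = remap_sddl(SAMPLE, OLD, NEW, RID_MAP)
    print(new_sddl)
    print("dropped:", dropped)
```

The dropped list is meant for review before anything is written back to the new share.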