samba - Nov 2003 - Samba 2.2 -> 3.0.0 upgrade: questions + Internet Connection Wizard / Identities

Hello,

I just upgraded from Samba 2.2.7 to Samba 3.0.0 on RedHat 9.  I did this by
uninstalling the 2.2.7 samba RPM's and then applying the Samba 3.0.0 RPM
from samba.org, then putting my local changes back into smb.conf.  I have also
migrated my smb users from smbpasswd to tdbsam with the pdbedit utility as
discussed in the HOWTO.

It seems I have to rejoin my client boxes (windows 2000 pro) to the domain in
order to log in, and then I have to blow away my local users on each client
machines to allow the roving profiles to be reloaded at login.

Also, I have had to add the following to my smb.conf file to use tdbsam
successfully.

logon home = \\%L\%U
logon path = \\%L\%U\profile

I had to do this in order to get the correct string to come up in pdbedit -Lv
for the "Home Directory" and "Profile Path" variables (the
defaults cuased %N to show in place of the server name) - when I used
'smbpasswd' as the backend pdbedit -Lv showed proper values and things
worked OK.

I also had to mess around a bit with 'net groupmap' modify/list to get
the standard Windows groups to map properly to UNIX groups, as discussed in the
HOWTO.  These seemed to work fine under 2.2.7.

Everything seems to work OK now, except for the following problems.  Can anyone
tell me what I did wrong upgrading with respect to the following 3 issues:

1) I have to rejoin each client Windows 2000 box to the domain or logins fail
(says the client is not in the domain) - did the machines' SIDs change for
some reason?  Server SID?

2) I have to blow away local roving profiles, then log in to get the roving
profiles to reload from the server - error says the profile for that user
already exists on the server, but has the 'wrong security'.  Loads temp
settings.  SID problem?

3) After rejoining and reloading, regular Domain Users do not have the ability
to change their Internet Connection Settings - The "Internet Connection
Wizard" icon recreates at each login, and when the user tries to access it,
they get an access denied error.  Changes to internet settings from IE are not
recorded, and it complains about 'no identities'.  The users are
properly listed in the "Domain Users" group.  If I put the user (or
Domain Users) in the Admininistrator group on the client boxes, he successfully
gets his previously set settings (home page, etc) at login.

Thank you, and great job on 3.0!
Jeff Jones

On Thu, 6 Nov 2003, Jeferee wrote:
> Hello,
>
> I just upgraded from Samba 2.2.7 to Samba 3.0.0 on RedHat 9.  I did this
> by uninstalling the 2.2.7 samba RPM's and then applying the Samba 3.0.0
> RPM from samba.org, then putting my local changes back into smb.conf.
> I have also migrated my smb users from smbpasswd to tdbsam with the
> pdbedit utility as discussed in the HOWTO.
>
> It seems I have to rejoin my client boxes (windows 2000 pro) to the
> domain in order to log in, and then I have to blow away my local users
> on each client machines to allow the roving profiles to be reloaded at
> login.
>
> Also, I have had to add the following to my smb.conf file to use tdbsam
> successfully.
>
> logon home = \\%L\%U
> logon path = \\%L\%U\profile
>
> I had to do this in order to get the correct string to come up in
> pdbedit -Lv for the "Home Directory" and "Profile Path"
variables (the
> defaults cuased %N to show in place of the server name) - when I used
> 'smbpasswd' as the backend pdbedit -Lv showed proper values and
things
> worked OK.
>
> I also had to mess around a bit with 'net groupmap' modify/list to
get
> the standard Windows groups to map properly to UNIX groups, as discussed
> in the HOWTO.  These seemed to work fine under 2.2.7.
>
> Everything seems to work OK now, except for the following problems.
> Can anyone tell me what I did wrong upgrading with respect to the
> following 3 issues:
>
> 1) I have to rejoin each client Windows 2000 box to the domain or logins
> fail (says the client is not in the domain) - did the machines' SIDs
> change for some reason?  Server SID?
Yes. You should have saved the Domain SID before migration, then restored
it on Samba-3 using the net utility. That way your clients would have been
quite happy.
>
> 2) I have to blow away local roving profiles, then log in to get the
> roving profiles to reload from the server - error says the profile for
> that user already exists on the server, but has the 'wrong
security'.
> Loads temp settings.  SID problem?
Correct. See comment for Q1.
>
> 3) After rejoining and reloading, regular Domain Users do not have the
> ability to change their Internet Connection Settings - The "Internet
> Connection Wizard" icon recreates at each login, and when the user
tries
> to access it, they get an access denied error.  Changes to internet
> settings from IE are not recorded, and it complains about 'no
> identities'.  The users are properly listed in the "Domain
Users" group.
> If I put the user (or Domain Users) in the Admininistrator group on the
> client boxes, he successfully gets his previously set settings (home
> page, etc) at login.
Yes. Correct.
> Thank you, and great job on 3.0!
Glad to hear that the documentation was useful. Want to send me any
updates for it?

Cheers,
John T.
-- 
John H Terpstra
Email: jht@samba.org

On Fri, 7 Nov 2003 10:38 , Jeff Jones <jeferee@hotmail.com> sent:
>> Yes. You should have saved the Domain SID before migration, then
restored
>> it on Samba-3 using the net utility. That way your clients would have
been
>> quite happy.
>
>
>Ah, ok.  Is there a document explaining how to save and restore the SID?  I
>saved the contents of /etc/samba before performing the upgrade.  Can I still
>extract the SID and restore it into my Samba 3?  I still have some client
>boxes I haven't joined to the new domain.
>
>Is there any other way, at this point, to allow my domain users write access
>to their identities / accounts without them being administrators?  A way of
>moving forward with my new SID?
if you still have the old /etc/samba/secret.tdb file, you can grab the SID out
of
that.

>
>Why isn't Windows allowing the users access to their internet settings /
>identities, even though they're in the new domain and the users'
profiles
>have been reloaded from the server?  Is there any way to fix it?
>
>Thanks again,
>Jeff
>
>
>----- Original Message ----- 
>From: "John H Terpstra" jht@samba.org>
>To: "Jeferee" jeferee@hotmail.com>
>Cc: samba@lists.samba.org>
>Sent: Friday, November 07, 2003 1:15 AM
>Subject: Re: [Samba] Samba 2.2 -> 3.0.0 upgrade: questions + Internet
>Connection Wizard / Identities
>
>
>> On Thu, 6 Nov 2003, Jeferee wrote:
>>
>> > Hello,
>> >
>> > I just upgraded from Samba 2.2.7 to Samba 3.0.0 on RedHat 9.  I
did this
>> > by uninstalling the 2.2.7 samba RPM's and then applying the
Samba 3.0.0
>> > RPM from samba.org, then putting my local changes back into
smb.conf.
>> > I have also migrated my smb users from smbpasswd to tdbsam with
the
>> > pdbedit utility as discussed in the HOWTO.
>> >
>> > It seems I have to rejoin my client boxes (windows 2000 pro) to
the
>> > domain in order to log in, and then I have to blow away my local
users
>> > on each client machines to allow the roving profiles to be
reloaded at
>> > login.
>> >
>> > Also, I have had to add the following to my smb.conf file to use
tdbsam
>> > successfully.
>> >
>> > logon home = \\%L\%U
>> > logon path = \\%L\%U\profile
>> >
>> > I had to do this in order to get the correct string to come up in
>> > pdbedit -Lv for the "Home Directory" and "Profile
Path" variables (the
>> > defaults cuased %N to show in place of the server name) - when I
used
>> > 'smbpasswd' as the backend pdbedit -Lv showed proper
values and things
>> > worked OK.
>> >
>> > I also had to mess around a bit with 'net groupmap'
modify/list to get
>> > the standard Windows groups to map properly to UNIX groups, as
discussed
>> > in the HOWTO.  These seemed to work fine under 2.2.7.
>> >
>> > Everything seems to work OK now, except for the following
problems.
>> > Can anyone tell me what I did wrong upgrading with respect to the
>> > following 3 issues:
>> >
>> > 1) I have to rejoin each client Windows 2000 box to the domain or
logins
>> > fail (says the client is not in the domain) - did the
machines' SIDs
>> > change for some reason?  Server SID?
>>
>> Yes. You should have saved the Domain SID before migration, then
restored
>> it on Samba-3 using the net utility. That way your clients would have
been
>> quite happy.
>>
>> >
>> > 2) I have to blow away local roving profiles, then log in to get
the
>> > roving profiles to reload from the server - error says the profile
for
>> > that user already exists on the server, but has the 'wrong
security'.
>> > Loads temp settings.  SID problem?
>>
>> Correct. See comment for Q1.
>>
>> >
>> > 3) After rejoining and reloading, regular Domain Users do not have
the
>> > ability to change their Internet Connection Settings - The
"Internet
>> > Connection Wizard" icon recreates at each login, and when the
user tries
>> > to access it, they get an access denied error.  Changes to
internet
>> > settings from IE are not recorded, and it complains about 'no
>> > identities'.  The users are properly listed in the
"Domain Users" group.
>> > If I put the user (or Domain Users) in the Admininistrator group
on the
>> > client boxes, he successfully gets his previously set settings
(home
>> > page, etc) at login.
>>
>> Yes. Correct.
>>
>> > Thank you, and great job on 3.0!
>>
>> Glad to hear that the documentation was useful. Want to send me any
>> updates for it?
>>
>> Cheers,
>> John T.
>> -- 
>> John H Terpstra
>> Email: jht@samba.org
>>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  http://lists.samba.org/mailman/listinfo/samba
>


---- Prudential Preferred Properties   www.prupref.com