Denis BUCHER
2014-Dec-08 21:42 UTC
[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")
On 08.12.2014 at 21:06, Marc Muehlfeld wrote:
> Hello Denis,
>
> On 08.12.2014 at 20:25, (lists) Denis BUCHER wrote:
>
>> We have perfectly working roaming profiles on Samba 3.3.10 (SuSE) with Windows 7 clients. We configured our new server with same domain name, Samba 4.1.11 (Debian). On the new server, for newly created profiles, it works perfectly, we can login, logout, profiles are created and saved. But if we want to copy an existing profile from current server to the new one, it's impossible to login, we get the following error : "Group policy client service failed. The logon access is denied".
>
> How are the IDs mapped on both servers? Do the users/groups have the same IDs on both machines? E.g. if you store them in your AD / PDC backend and retrieve them on the fileserver, then you should be able to simply copy the profiles and preserve the file permissions.

Yes, users have the same name. User "dbucher" is still "dbucher" on the new server and files have their ownership and rights preserved.

> If you used a local ID mapping on the old server, you have to transfer the idmapping DB, to keep UIDs/GIDs.

Yes, no problem on this side. But the problem seems to be with Windows SID.

Denis

> Regards, Marc
Marc Muehlfeld
2014-Dec-08 21:51 UTC
On 08.12.2014 at 22:42, Denis BUCHER wrote:
>> How are the IDs mapped on both servers? Do the users/groups have the same IDs on both machines? E.g. if you store them in your AD / PDC backend and retrieve them on the fileserver, then you should be able to simply copy the profiles and preserve the file permissions.
>
> Yes, users have the same name. User "dbucher" is still "dbucher" on the new server and files have their ownership and rights preserved.

But does dbucher have the same ID on both hosts?

>> If you used a local ID mapping on the old server, you have to transfer the idmapping DB, to keep UIDs/GIDs.
>
> Yes, no problem on this side. But the problem seems to be with Windows SID.

If these are domain users and you move the profile within the same domain, then this doesn't matter, because the SID stuff is inside the profile and doesn't change if you only move the profiles to a different host.

2 weeks ago I did this at work in production too. Samba AD and moved about 25 users' profiles to a new member server in a branch office, which is part of the same AD domain. The ID mapping comes from RFC2307 out of the AD. Just had to copy the files to the new host (done through an SSH tunnel with preserved ACLs). Then just adapt the users' profile path in AD and their folder redirection GPO. Done. Nothing else. And no SID stuff was necessary.

Regards, Marc
Rowland Penny
2014-Dec-08 21:55 UTC
On 08/12/14 21:42, Denis BUCHER wrote:
>
> On 08.12.2014 at 21:06, Marc Muehlfeld wrote:
>
>> Hello Denis,
>>
>> On 08.12.2014 at 20:25, (lists) Denis BUCHER wrote:
>>
>>> We have perfectly working roaming profiles on Samba 3.3.10 (SuSE) with Windows 7 clients. We configured our new server with same domain name, Samba 4.1.11 (Debian). On the new server, for newly created profiles, it works perfectly, we can login, logout, profiles are created and saved. But if we want to copy an existing profile from current server to the new one, it's impossible to login, we get the following error : "Group policy client service failed. The logon access is denied".
>>
>> How are the IDs mapped on both servers? Do the users/groups have the same IDs on both machines? E.g. if you store them in your AD / PDC backend and retrieve them on the fileserver, then you should be able to simply copy the profiles and preserve the file permissions.
>
> Yes, users have the same name. User "dbucher" is still "dbucher" on the new server and files have their ownership and rights preserved.
>
>> If you used a local ID mapping on the old server, you have to transfer the idmapping DB, to keep UIDs/GIDs.
>
> Yes, no problem on this side. But the problem seems to be with Windows SID.
>
> Denis
>
>> Regards, Marc

Hi,

It sounds very much like a SID problem to me.

The user 'Fred' with the SID-RID 'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same user as 'Fred' with the SID-RID 'S-1-5-21-2025076216-3455336656-3842161122-1005'

You need to change the domain SID on the new PDC to match the SID on the windows machines.

Rowland
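
The distinction drawn in the reply above, as an added example that is not part of the original thread: an account is identified by its full SID rather than its name, so this sketch decodes binary SIDs (revision byte, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) and lists the accounts whose domain part differs from a given domain SID. Which of the two quoted SIDs belongs to the old domain, the `alice` entry and all function names are assumptions made for illustration.

```python
import struct

# SIDs quoted in the thread; which one is the old domain and which the new
# one is an assumption made for this example.
OLD_DOMAIN_SID = "S-1-5-21-4036476082-4153129556-3089177936"
NEW_DOMAIN_SID = "S-1-5-21-2025076216-3455336656-3842161122"


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout used in ACLs and objectSid."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID has at most 15 sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID; reject truncated or padded input."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])


def foreign_profiles(owners: dict, domain_sid: str) -> list:
    """Return (name, rid, domain) for accounts whose SID is not in domain_sid."""
    foreign = []
    for name, raw in sorted(owners.items()):
        domain, _, rid = bytes_to_sid(raw).rpartition("-")
        if domain != domain_sid:
            foreign.append((name, rid, domain))
    return foreign


# Constructed sample: SIDs recorded on copied profiles, keyed by account name.
# RID 1005 is from the thread; 'alice' and RID 1106 are made up.
PROFILE_OWNERS = {
    "Fred": sid_to_bytes(OLD_DOMAIN_SID + "-1005"),
    "alice": sid_to_bytes(NEW_DOMAIN_SID + "-1106"),
}

if __name__ == "__main__":
    for name, rid, domain in foreign_profiles(PROFILE_OWNERS, NEW_DOMAIN_SID):
        print(f"{name}: RID {rid} belongs to {domain}, not {NEW_DOMAIN_SID}")
```
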
Marc Muehlfeld
2014-Dec-08 22:01 UTC
On 08.12.2014 at 22:55, Rowland Penny wrote:
> Hi, It sounds very much like a SID problem to me.
>
> the user 'Fred' with the SID-RID 'S-1-5-21-4036476082-4153129556-3089177936-1005' is **NOT** the same user as 'Fred' with the SID-RID 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>
> You need to change the domain SID on the new PDC to match the SID on the windows machines.

Denis, is this a _new domain_ (with the same name)? Or just a _new server_ where you placed the profiles?

If it's a _new domain_, then Rowland is surely right and it is an SID problem. But you talked about a _new server_. Please be more clear about your environment.

Regards, Marc