Marco Gaiarin
2018-May-11 10:38 UTC
[Samba] Moving roaming profiles between domains, risky?
OK, now I have to start moving the big part of my users from my old NT-like domains to my new AD domain. I've set up roaming profiles in the new domain following the wiki (https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles, 'using windows ACL') and for new profiles it works like a charm.

But I've tried to move/copy an old profile to the new domain, and it seems to work, with no glitch. I've done simply:

root@vdmsv1:/srv/samba/profiles# rsync -av --progress --xattrs --rsh=ssh <oldntserver>:/srv/samba/profiles/gaio.V2 .
chown -R :"domain users" gaio.V2
<run a script that fixes group permissions, preventing the ACL mask from being set incorrectly>

Clearly the domains have different SIDs, and looking (at some samples) at the permissions of files in a copied profile and in a created one, effectively there are some differences (e.g., the copied profiles have no 'user.SAMBA_PAI' extended attribute).

So, it seems to work, but it is not exactly the same thing. Can I be confident that something strange does not break all things sooner or later?

Does someone have some feedback on that? Thanks.

-- 
dott. Marco Gaiarin                                   GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate the 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marco Gaiarin
2018-May-14 12:57 UTC
[Samba] Moving roaming profiles between domains, risky?
> But I've tried to move/copy an old profile to the new domain, and it seems to
> work, with no glitch. I've done simply:
> root@vdmsv1:/srv/samba/profiles# rsync -av --progress --xattrs --rsh=ssh <oldntserver>:/srv/samba/profiles/gaio.V2 .
> chown -R :"domain users" gaio.V2
> <run a script that fixes group permissions, preventing the ACL mask from being set incorrectly>
[...]
> Can I be confident that something strange does not break all things
> sooner or later?

I reply to myself. It does not work.

Probably it worked for me because I'm in the 'domain admins' group, i.e. I'm an administrator.

I've tried as a normal user, and logon failed mysteriously (error starting the Windows profile service, something like that) and with only some generic winlogon errors in the Windows events.

Probably I have to synthesize correctly the ACL in 'user.SAMBA_PAI' to have it work, but... it takes less time to move 'Desktop' and some 'Appdata/Roaming/...' folders.

Thanks.
L.P.H. van Belle
2018-May-14 13:48 UTC
[Samba] Moving roaming profiles between domains, risky?
Hai,

Sorry for the late reply, but yes, this is a risky move.

Did you make sure the DOMAIN SIDs are exactly the same between the old and new servers?

This:
rsync -av --progress --xattrs --rsh=ssh
does not copy the (Windows) ACLs.

Look at https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround
on how to do this with rsync and unison; the combination catches the ACLs also.

I suggest the following, or do the copy from a Windows client, or the following.

Create a new user on the new server and login/logout with a PC.
Check the user profile rights with getfacl.
Check the user homedir rights with getfacl.
And set the correct rights back after the copy.

It's a bit the same as my "check-get-sysvol" script.
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
If you have a look, the function: Create_DC_SYVOL_ACL_FILE
with the layout you want, and you need to adapt that to your users' profile and home folder.

I hope it explains enough.

Greetz,

Louis
Marco Gaiarin
2018-May-14 15:14 UTC
[Samba] Moving roaming profiles between domains, risky?
Hello! L.P.H. van Belle via samba wrote on that day:

> Sorry for the late reply, but yes, this is a risky move.

...and it seems it does not work, too. ;-)

> Did you make sure the DOMAIN SIDs are exactly the same between the old and new servers?

No, they are different domains and so different SIDs.

This really astonished me, because I was sure that the SIDs are saved in the profiles (NTUSER.* files). But for my user, which as Administrator probably has no ACL fuss to fight against, my profile, printers apart, seems to work as expected.

> This:
> rsync -av --progress --xattrs --rsh=ssh
> does not copy the (Windows) ACLs.

Sure, it is intended. For two reasons:

1) being different domains, users match but group names do not, so I'd probably copy only a set of invalid group ACLs.

2) I'm using on the profile share, as suggested by the Samba wiki, the 'windows ACL' method (i.e., 'vfs objects = acl_xattr'), and so the ACLs are not synthesized into POSIX ACLs but stored in an XATTR as SDDL strings. E.g.:

root@vdmsv1:/srv/samba/profiles# getfattr -n security.NTACL -d krystyna.V2
# file: krystyna.V2
security.NTACL=0sBAAEAAAAAgAEAAIAAQDG0u+Fi3xic2W4IOcSGL6lX7t95CyUv2wSq5GSPx7sVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAMbkBrFy69MBHOP48RdIuplrMlW0Ew7FMt+pW+y3fsOgohu+FokCBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJC0AAAA0AAAAAAAAADsAAAAAQUAAAAAAAUVAAAA8aGKCSrGqNaQqai6xQQAAAEFAAAAAAAFFQAAAPGhigkqxqjWkKmougECAAACAEAAAgAAAAADFAD/AR8AAQEAAAAAAAUSAAAAAAMkAP8BHwABBQAAAAAABRUAAADxoYoJKsao1pCpqLrFBAAA

Unfortunately:

root@vdmsv1:/srv/samba/profiles# samba-tool ntacl get krystyna.V2 --as-sddl
ERROR: Unable to read domain SID from configuration files

'samba-tool ntacl' seems not to work on domain members.

So, probably, I have to:

1) define some ACL (as XATTR/SDDL) and apply it to the files programmatically; or
2) read the XATTR/SDDL from the old domain, mangle it in some way and apply it to the files and dirs of the new domain.

It takes less time to copy some profile folders from the old domain to the new one. ;-)
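A worked sketch of option 2 above, added here as an example and not part of the thread or of Samba: it rewrites the domain-relative SIDs in an SDDL string (the text form that `samba-tool ntacl get --as-sddl` prints on a DC, not the NDR-encoded bytes stored in `security.NTACL`) from the old domain SID to the new one. Well-known RIDs (below 1000, e.g. 513 Domain Users) keep their RID under the new domain prefix; accounts created in the old domain get a new SID only through an explicit map, and anything unmapped is reported instead of being silently carried over. All SIDs and the sample ACL below are constructed values.

```python
import re

# Any domain-relative SID: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>.
# Well-known SIDs (S-1-5-18, S-1-1-0, ...) and SDDL aliases (SY, BA, ...)
# never match and are therefore left untouched.
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")


def remap_sid(sid, old_domain, new_domain, account_map):
    """Map one SID of old_domain into new_domain; returns (new_sid, resolved)."""
    if sid in account_map:                    # explicit old -> new account mapping wins
        return account_map[sid], True
    if not sid.startswith(old_domain + "-"):  # SID of another domain: leave alone
        return sid, True
    rid = int(sid.rsplit("-", 1)[1])
    if rid < 1000:                            # reserved RIDs (500, 512, 513 ...) exist in both domains
        return f"{new_domain}-{rid}", True
    return sid, False                         # account created in the old domain: RID differs, needs a mapping


def remap_sddl(sddl, old_domain, new_domain, account_map):
    """Rewrite every domain SID in an SDDL string.

    Returns (new_sddl, unresolved): unresolved lists old-domain SIDs that were
    kept as-is because no mapping was supplied, so the admin can fix the map
    rather than write a foreign SID into the new domain's ACL."""
    unresolved = set()

    def replace(match):
        new_sid, ok = remap_sid(match.group(0), old_domain, new_domain, account_map)
        if not ok:
            unresolved.add(match.group(0))
        return new_sid

    return DOMAIN_SID_RE.sub(replace, sddl), sorted(unresolved)


# Constructed sample: old NT domain, new AD domain, one mapped user (RID 1105 -> 1203),
# one unmapped group (RID 2001); owner, group, and a DACL with well-known aliases.
OLD_DOMAIN = "S-1-5-21-111-222-333"
NEW_DOMAIN = "S-1-5-21-444-555-666"
ACCOUNT_MAP = {f"{OLD_DOMAIN}-1105": f"{NEW_DOMAIN}-1203"}
SAMPLE_SDDL = (f"O:{OLD_DOMAIN}-1105G:{OLD_DOMAIN}-513D:PAI"
               f"(A;OICI;FA;;;{OLD_DOMAIN}-1105)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
               f"(A;OICI;0x1200a9;;;{OLD_DOMAIN}-2001)")

if __name__ == "__main__":
    new_sddl, unresolved = remap_sddl(SAMPLE_SDDL, OLD_DOMAIN, NEW_DOMAIN, ACCOUNT_MAP)
    print(new_sddl)
    print("unresolved:", unresolved)
```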