Hi all,

I just replaced a client's SUSE 8.0/Samba 2.2 DC with a SUSE 9.2/Samba 3.0.9 DC. Drives were giving trouble, and since that box was a first attempt at a Linux DC there was a lot of room for improvement.

I copied the profiles and home directories over to the new machine, chowned them to the new users. I also extracted the securid from the old DC and set it to the new one (using the net command). I expected the clients not to notice. Oh dear...

First off, the Windows 98 clients, stupid as they are on a network, didn't notice at all. But the Windows 2000 and Windows XP Pro ones had trouble. They all logged in fine, but they all had all sorts of weird problems. For example, upon starting Outlook, it did the whole install-the-user-specific-stuff routine you get when you run it for the first time. I ended up having to rename the profile and have it create a new one. Lots of unhappy users....

Can anyone tell me what I did wrong? My suspicion, in hindsight, is that the local copy of the profile on each client belongs to the domain user, as identified by its userid (I'm sure I've seen Windows referring to a "Unix user 514" or something similar before), and that the user id has changed (which it has - SUSE 8.0 maps users from 500 up, 9.2 from 1000 up). Can anyone shed some light?

Thanks
--
Kind regards
Hans du Plooy
Newington Consulting Services
hansdp at newingtoncs dot co dot za

On Wednesday 12 January 2005 12:09, Hans du Plooy wrote:
> Hi all,
>
> I just replaced a client's SUSE 8.0/Samba 2.2 DC with a SUSE 9.2/Samba
> 3.0.9 DC. Drives were giving trouble, and since that box was a first
> attempt at a Linux DC there was a lot of room for improvement.
>
> I copied the profiles and home directories over to the new machine, chowned
> them to the new users. I also extracted the securid from the old DC
> and set it to the new one (using the net command). I expected the clients
> not to notice. Oh dear...
>
> First off, the Windows 98 clients, stupid as they are on a network, didn't
> notice at all. But the Windows 2000 and Windows XP Pro ones had trouble.
> They all logged in fine, but they all had all sorts of weird problems. For
> example, upon starting Outlook, it did the whole
> install-the-user-specific-stuff routine you get when you run it for the
> first time. I ended up having to rename the profile and have it create a
> new one. Lots of unhappy users....
>
> Can anyone tell me what I did wrong? My suspicion, in hindsight, is that
> the local copy of the profile on each client belongs to the domain user,
> as identified by its userid (I'm sure I've seen Windows referring to a
> "Unix user 514" or something similar before), and that the user id has
> changed (which it has - SUSE 8.0 maps users from 500 up, 9.2 from 1000 up).
> Can anyone shed some light?

Windows NT/2KX stores the Windows SID as an access control identifier inside the profile file NTUser.DAT. If you do not replace the SID inside this file with the new SID from the new server then your users will not be able to access their profiles - i.e.: It just will not work as you have seen.

You can recover the SID from the old system by running (for Samba-3):

    net getlocalsid

You can set the SID on the new server by running:

    net setlocalsid S-1-5-21-XXXXX-XXXXX-XXXXXX

Note: The SID must be the one you obtained from the old server. Additionally, you must ensure that each user has the same UID and GID as they were on the old server.

- John T.

>
> Thanks
> --
> Kind regards
> Hans du Plooy
> Newington Consulting Services
> hansdp at newingtoncs dot co dot za

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

On Wednesday 12 January 2005 23:06, John H Terpstra wrote:
> You can recover the SID from the old system by running (for Samba-3):
>
>     net getlocalsid
>
> You can set the SID on the new server by running:
>
>     net setlocalsid S-1-5-21-XXXXX-XXXXX-XXXXXX

This I did - in fact, I was quite paranoid about it and checked it over and over just to be absolutely sure.

> Note: The SID must be the one you obtained from the old server.
> Additionally, you must ensure that each user has the same UID and GID as
> they were on old server.

I think this must have been the problem. Do you refer to UID and GID within Samba, or the Unix UID and GID?

Thanks
--
Kind regards
Hans du Plooy
Newington Consulting Services
hansdp at newingtoncs dot co dot za

On Wednesday 12 January 2005 14:51, Hans du Plooy wrote:
> On Wednesday 12 January 2005 23:06, John H Terpstra wrote:
> > You can recover the SID from the old system by running (for Samba-3):
> >
> >     net getlocalsid
> >
> > You can set the SID on the new server by running:
> >
> >     net setlocalsid S-1-5-21-XXXXX-XXXXX-XXXXXX
>
> This I did - in fact, I was quite paranoid about it and checked it over and
> over just to be absolutely sure.
>
> > Note: The SID must be the one you obtained from the old server.
> > Additionally, you must ensure that each user has the same UID and GID as
> > they were on old server.
>
> I think this must have been the problem. Do you refer to UID and GID
> within Samba, or the Unix UID and GID?

Samba maps the UID to the user SID. The user SID is made up of the Domain SID plus a RID.

The RID = 2xUID + 1000.

If the UID = 1234 the RID = 2468.

If the SID = S-1-5-21-12345678-12345678-12345678 the user SID is S-1-5-21-12345678-12345678-12345678-2468

- John T.

>
> Thanks
> --
> Kind regards
> Hans du Plooy
> Newington Consulting Services
> hansdp at newingtoncs dot co dot za

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
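
The UID-to-SID relationship described in the last reply, as an added example that is not part of the original thread: it applies the formula as quoted there (RID = 2 x UID + 1000) to passwd entries from an old and a new server and lists the accounts whose SID changes even though the domain SID was carried over. The account names, UIDs and function names are assumptions constructed for illustration; the domain SID is the thread's placeholder.

```python
"""Compare user SIDs before and after a Samba DC migration (added example)."""

# Formula as quoted in the thread: RID = 2 x UID + 1000.
RID_MULTIPLIER = 2
RID_BASE = 1000

# Constructed sample data in /etc/passwd format; not from the original posts.
OLD_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:514:100:Alice:/home/alice:/bin/bash
bob:x:515:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
"""
NEW_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
"""

def parse_passwd(text, min_uid=500):
    """Return {username: uid} for ordinary accounts, skipping bad lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7 or not fields[2].isdigit():
            continue
        if int(fields[2]) >= min_uid:
            users[fields[0]] = int(fields[2])
    return users

def user_sid(domain_sid, uid):
    """Domain SID plus the RID derived from the Unix UID."""
    return f"{domain_sid}-{RID_MULTIPLIER * uid + RID_BASE}"

def changed_sids(domain_sid, old_text, new_text):
    """Map each user whose SID differs to (old SID, new SID or None)."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    result = {}
    for name, old_uid in sorted(old.items()):
        before = user_sid(domain_sid, old_uid)
        after = user_sid(domain_sid, new[name]) if name in new else None
        if before != after:
            result[name] = (before, after)
    return result

if __name__ == "__main__":
    domain = "S-1-5-21-12345678-12345678-12345678"  # placeholder from the thread
    for name, (before, after) in changed_sids(domain, OLD_PASSWD, NEW_PASSWD).items():
        print(f"{name}: {before} -> {after or 'account missing on new server'}")
```

Any account this reports has a different user SID on the new server, so the SID recorded in its existing profile no longer matches the account.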