On Friday 04 March 2005 08:59, Misty Stanley-Jones wrote:
> Hi all,
>
> I have gotten the 'profiles' command to work for NT and Win2K profiles very
> well. In Windows XP, I am able to change the 'owner' but not the 'group'
> SID. It gives no errors but it just doesn't change them. A snippet of the
> profile in question is below:
>
> furnsrv:/data/samba/profiles/jon # profiles NTUSER.DAT |grep S-1-5
> Owner SID: S-1-5-32-544
> Group SID: S-1-5-21-2127521184-1604012920-1887927527-513
> Perms: 000F003F, SID: S-1-5-18
> Perms: 000F003F, SID: S-1-5-32-544
> Perms: 10000000, SID: S-1-5-18
> Perms: 10000000, SID: S-1-5-32-544
> Owner SID: S-1-5-32-544
> Group SID: S-1-5-21-1505131970-119759924-475665672-513
> Perms: 000F003F, SID: S-1-5-18
> Perms: 000F003F, SID: S-1-5-32-544
> Perms: 10000000, SID: S-1-5-18
> Perms: 10000000, SID: S-1-5-32-544
> Owner SID: S-1-5-21-725326080-1709766072-2910717368-2060
> Group SID: S-1-5-21-383998039-2845272951-4289691644-2061
> Perms: 000F003F, SID:
> Perms: 10000000, SID: S-1-5-18
> Perms: 000F003F, SID: S-1-5-32-544
> Perms: 10000000, SID: S-1-5-32-544
> Owner SID: S-1-5-32-544
>
> Not only are the groups all wrong, but I don't even know where most of the
> SIDs in there came from. The S-1-5-21-383998039-2845272951-4289691644-2061
> is from the old domain. The others I haven't a clue. Anyway, if I use the
> following syntax:
>
> profiles -c S-1-5-21-383998039-2845272951-4289691644-2061 -n
> S-1-5-21-725326080-1709766072-2910717368-513 /path/to/NTUSER.DAT
>
> I get no errors, but the SID doesn't really change. The user gets "access
> denied" trying to load his profile.
>
> I would rather not have to redo this user's profile, so if anyone can give
> me some wisdom it would be great. I did read in the man page for
> 'profiles' that only NT is supported, but I am hoping there might be a
> workaround.
You can log onto a workstation as the domain administrator (probably 'root' on
your domain) and then start up regedt32. Then load the NTUser.DAT file as a
branch off the HKLM hive. You can now edit the contents of the NTUser.DAT
file to your heart's content. My advice would be to replace the foreign SIDs
with your domain SID. You could make an intelligent guess as to what group
the user previously belonged to and change the RID part of the SID to match
the RID of the group in your Samba DC environment. You can get this by
running: net groupmap list

PS: When you have finished editing the NTUser.DAT hive do not forget to
unload it. Unloading will write the changes back to the NTUser.DAT file.

Hope that helps.

- John T.
--
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
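
An added example, not part of the original messages: a small Python audit of `profiles` output that separates well-known SIDs from local-domain and foreign-domain ones and flags entries with no SID, usable as a check before and after editing the hive. It assumes the local domain SID is the prefix of the poster's `-n` argument; the function names and the RID map passed to `candidate()` are hypothetical, and real RID values would come from `net groupmap list`.

```python
import re
from collections import defaultdict

# Assumption: the local domain SID is the prefix of the -n argument in the post.
LOCAL_DOMAIN = "S-1-5-21-725326080-1709766072-2910717368"

# A subset of the `profiles` output lines quoted in the post.
SAMPLE = """\
Owner SID: S-1-5-32-544
Group SID: S-1-5-21-2127521184-1604012920-1887927527-513
Perms: 000F003F, SID: S-1-5-18
Owner SID: S-1-5-21-725326080-1709766072-2910717368-2060
Group SID: S-1-5-21-383998039-2845272951-4289691644-2061
Perms: 000F003F, SID:
"""

LINE_RE = re.compile(r"^(Owner|Group|Perms)\b.*?SID:\s*(\S*)$")
DOMAIN_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def classify(sid, local=LOCAL_DOMAIN):
    """Return (kind, rid): kind is 'local', 'foreign', 'wellknown' or 'empty'."""
    if not sid:
        return "empty", None
    m = DOMAIN_RE.match(sid)
    if not m:
        return "wellknown", None          # e.g. S-1-5-18, S-1-5-32-544
    return ("local" if m.group(1) == local else "foreign"), int(m.group(2))

def audit(text, local=LOCAL_DOMAIN):
    """Return ({foreign SID: [(line no, role)]}, [line nos with an empty SID])."""
    foreign, empty = defaultdict(list), []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, _ = classify(m.group(2), local)
        if kind == "foreign":
            foreign[m.group(2)].append((n, m.group(1)))
        elif kind == "empty":
            empty.append(n)
    return dict(foreign), empty

def candidate(sid, rid_map, local=LOCAL_DOMAIN):
    """Local-domain replacement for a foreign SID, or None if its RID is unmapped."""
    kind, rid = classify(sid, local)
    if kind != "foreign" or rid not in rid_map:
        return None
    return f"{local}-{rid_map[rid]}"
```

A `None` from `candidate()` means the old RID has no known counterpart, so the group has to be chosen by hand rather than guessed by the script.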