Francis Galiegue
2007-Jun-24 12:09 UTC
[Samba] Moving user accounts from a domain to another - and changing their logins
Hello everyone,

I have two domains, let's call them D1 and D2.

D1 is:
- heavily modified, cumbersome, Linux RH 7.3 based,
- samba 2.2 based,
- using the old LDAP samba schema,
- implementing Unix services/Windows logon SSO via the means of the LDAP schema with Kerberos added in the picture.

D2 is:
- stock, clean Linux RHEL4 based,
- Samba 3.0.11 based,
- using the newer Samba SAM LDAP schema, managed with smbldap-tools,
- void of Kerberos (yay!) since LDAP now handles Unix auth.

Both domains work fine. But D1 is frankly a mess, and I want to migrate everything to D2. That implies not only moving D1 accounts to D2, but also changing the login names, since we now have a naming convention which didn't exist before. Keeping the passwords of existing accounts, however, is NOT required.

Bare copying of user profiles and appropriate chowning don't work. That was kind of expected, of course, but I thought the differences would be minor. Hah! On the new domain, the keyboard turns qwerty, OutLook just won't start at all (for people still using OutLook, but as they're important to the company, I cannot squash the problem and say "Use Thunderbird"), some desktop preferences are just lost, the XP start menu is a mess... So, this is not the solution.

I don't know that much about Windows accounts, but one thing I learned is that the SID is hugely important. As some directories/files are named after the SID in a user's profile, I figure that they are part of the problem, if not the main problem.

I've googled quite a bit on the subject but maybe not with the correct vocabulary, because I couldn't find a procedure for my case. What I found out was:

* you could copy over a domain user profile to a local user profile with some hacking around (local account needs admin rights in the first place, etc), but then it isn't said in the documents I read how to copy that local user profile to a(nother!) domain user profile afterwards;
* there's also a trust domain relationship that sounds kind of promising, but I don't know how I could do to slurp the data from the old domain into the new, nor how I can rename the account after I've slurped it (I think modifying the account DN and other fields won't be enough).

Where should I start looking? Is there already a document somewhere covering my scenario?

[As a side note, I've salvaged all the Samba ML archives from http://lists.samba.org/archive/samba/ and tried and integrated them in an mbox based mailserver (Dovecot) but the files don't look like valid mboxes!]

Have fun,
--
Francis Galiegue, fg@one2team.com
One2team - 12bis rue de la Pierre Levée - 75011 PARIS
+33683877875, +33143381980
Francis Galiegue
2007-Jun-24 12:09 UTC
[Samba] Re: Moving user accounts from a domain to another - and changing their logins
On Sunday 24 June 2007 13:36:15, you wrote:
> Hello everyone,
>

Oops, sorry for the double post, I only realized too late that I used the wrong identity for this one :(

Please ignore,
--
Francis Galiegue, fg@one2team.com
One2team - 12bis rue de la Pierre Levée - 75011 PARIS
+33683877875, +33143381980
Asier Baranguán
2007-Jun-24 12:27 UTC
[Samba] Moving user accounts from a domain to another - and changing their logins
On Sunday, 24 June 2007 14:09, Francis Galiegue wrote:
> Hello everyone,
>
> I have two domains, let's call them D1 and D2.
>
> D1 is:
> - heavily modified, cumbersome, Linux RH 7.3 based,
> - samba 2.2 based,
> - using the old LDAP samba schema,
> - implementing Unix services/Windows logon SSO via the means of the LDAP
> schema with Kerberos added in the picture.
>
> D2 is:
> - stock, clean Linux RHEL4 based,
> - Samba 3.0.11 based,
> - using the newer Samba SAM LDAP schema, managed with smbldap-tools,
> - void of Kerberos (yay!) since LDAP now handles Unix auth.
>
> Both domains work fine. But D1 is frankly a mess, and I want to migrate
> everything to D2.

I've moved user profiles between domains following this HOWTO, perhaps it could help you.

http://marc.info/?l=samba&m=113485087304651&w=2

--
Asier.
Francis Galiegue
2007-Jun-25 13:36 UTC
[Samba] Moving user accounts from a domain to another - and changing their logins
Hello everyone,

I have two domains, let's call them D1 and D2.

D1 is:
- heavily modified, cumbersome, Linux RH 7.3 based,
- samba 2.2 based,
- using the old LDAP samba schema,
- implementing Unix services/Windows logon SSO via the means of the LDAP schema with Kerberos added in the picture.

D2 is:
- stock, clean Linux RHEL4 based,
- Samba 3.0.11 based,
- using the newer Samba SAM LDAP schema, managed with smbldap-tools,
- void of Kerberos (yay!) since LDAP now handles Unix auth.

Both domains work fine. But D1 is frankly a mess, and I want to migrate everything to D2. That implies not only moving D1 accounts to D2, but also changing the login names, since we now have a naming convention which didn't exist before. Keeping the passwords of existing accounts, however, is NOT required.

Bare copying of user profiles and appropriate chowning don't work. That was kind of expected, of course, but I thought the differences would be minor. Hah! On the new domain, the keyboard turns qwerty, OutLook just won't start at all (for people still using OutLook, but as they're important to the company, I cannot squash the problem and say "Use Thunderbird"), some desktop preferences are just lost, the XP start menu is a mess... So, this is not the solution.

I don't know that much about Windows accounts, but one thing I learned is that the SID is hugely important. As some directories/files are named after the SID in a user's profile, I figure that they are part of the problem, if not the main problem.

I've googled quite a bit on the subject but maybe not with the correct vocabulary, because I couldn't find a procedure for my case. What I found out was:

* you could copy over a domain user profile to a local user profile with some hacking around (local account needs admin rights in the first place, etc), but then it isn't said in the documents I read how to copy that local user profile to a(nother!) domain user profile afterwards;
* there's also a trust domain relationship that sounds kind of promising, but I don't know how I could do to slurp the data from the old domain into the new, nor how I can rename the account after I've slurped it (I think modifying the account DN and other fields won't be enough).

Where should I start looking? Is there already a document somewhere covering my scenario?

[As a side note, I've salvaged all the Samba ML archives from http://lists.samba.org/archive/samba/ and tried and integrated them in an mbox based mailserver (Dovecot) but the files don't look like valid mboxes!]

Have fun,
--
Francis Galiegue, fg@one2team.net
One2team - 12bis rue de la Pierre Levée - 75011 PARIS
+33683877875, +33143381980