BOURIAUD David
2008-Dec-02 12:48 UTC
[Samba] Problems when migrating from an old machine to a new one.
Hello,

I've got problems with my fresh install of samba. Here is the background:

We have an old machine on which I installed samba, release 3.0.9. It ran a linux from scratch system, but I was not well documented about samba at the time I did this install, so here is how we used to use it. The user accounts were created both in the system (/etc/password) and for samba (smbpasswd). All had groups and so on, but I wasn't well documented about both samba and windows when I put this machine online. So, to have users have the environment they needed, we used to pass on every workstation and added users to the machine with the local administrator's account. We added them as belonging to the local Administrator's group.
Here is what we used to do.

Now, I've got a new machine which is based on rhel 5 and runs samba version 3.0.28. I've also installed a ldap server on another server and made them both communicate using the recommended settings for samba, nss, smbldap-tools and so on. Please, believe me, it just works fine. The problem is somewhere else.

I've copied all data belonging to users from the old server to the new one, assigning the right permissions, and I get all the files at the right place. The problem concerns the profiles I got from the old machine.

On the old machine, they were stored in /home/user/profile. I've seen in different newsgroups that this is not a good idea and that they should be stored anywhere else than in the user's home directory. So I created a new directory on the new machine, /home/profile, in which I copied every profile in as many directories as there are users (/home/profile/user). I've checked permissions, they are ok.

Now, in the ldap directory, I've made sure that every user belongs to the domusers group, mapped to the "Domain Users" windows group.

And now, here is the problem: if I log in against this new pdc server with an old account, I get all the files on the shares, I can modify, delete, view them as I did before, but I have no rights on my profile. So, the windows start menu is empty (no link to internet app, neither for email program), I can't add the network's neighbourhood icon on the desktop, same for "My computer", and so on. I don't get back the desktop image background, and the keyboard is mapped qwerty even though I'm in france and expected a french layout.

If I empty the profile share and log in on the same machine (provided I've removed the c:\Documents and Settings\user directory), I'm considered a normal user and everything works fine (but I've lost all the preferences I had before).

I've read that there is a tool named profiles that can help change the domain sid in the NTUSER.DAT file located in the user's roaming profile. I've tried this tool, and as root on the new samba machine did:

    $ profiles -c OLD_SID -n NEW_SID ./NTUSER.DAT
    $ mv NTUSER.DAT.new NTUSER.DAT && chown user:group NTUSER.DAT

before logging in on a new windows workstation, but it doesn't help.

Could anyone help me find what's wrong here?
I don't know what kind of information is required to help me, so if anyone thinks I should give one piece of information or another, don't hesitate to ask.

Hoping to hear from you soon.
Best regards.
L.P.H. van Belle
2008-Dec-02 13:46 UTC
[Samba] Problems when migrating from an old machine to a new one.
Hi,

after you've moved your profile folder, check every right.
Set 777 on the profile share itself.
Set the create right to 700 for every new folder in the profiles share.
Check your users' profile folder rights.

Sorry, but this is a permission problem.

My profiles share:

    [profiles]
        path = /home/samba/profiles
        comment = Profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = Yes
        guest ok = Yes
        csc policy = disable
        force user = %U
        valid users = %U @"Domain Admins"

/home/samba/profiles has 777 as right.

When this is done, correct your users' profiles:

    cd /home/samba/profiles
    # every directory here is named after the user it belongs to
    for x in *; do
        chown -R "$x":"Domain Users" "$x"
        chmod -R 700 "$x"
    done

This should do it.
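Added example, not part of the original thread: a Python check of the layout described in the reply above (one directory per user under the profile root, owned by that user, mode 700). It also reports a world-writable root that lacks the sticky bit, since on POSIX that lets any local user rename or remove another user's directory. The function name and the `uid_for` lookup hook are assumptions made for the example; by default names are resolved through NSS with `pwd.getpwnam`.

```python
import os
import pwd
import stat
import sys

def audit_profiles(root, uid_for=lambda name: pwd.getpwnam(name).pw_uid):
    """Return findings for a roaming-profile tree laid out as root/<user>/."""
    findings = []
    mode = stat.S_IMODE(os.stat(root).st_mode)
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("%s: world-writable without sticky bit (mode %04o)" % (root, mode))
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)              # lstat: a symlink is reported, not followed
        if not stat.S_ISDIR(st.st_mode):
            findings.append("%s: not a directory" % path)
            continue
        try:
            want = uid_for(name)
        except KeyError:
            findings.append("%s: no account named %s" % (path, name))
            continue
        if st.st_uid != want:
            findings.append("%s: owned by uid %d, expected %d" % (path, st.st_uid, want))
        if stat.S_IMODE(st.st_mode) & 0o077:
            findings.append("%s: group/other bits set (mode %04o)"
                            % (path, stat.S_IMODE(st.st_mode)))
    return findings

if __name__ == "__main__":
    # usage: script.py /home/samba/profiles
    for line in audit_profiles(sys.argv[1]):
        print(line)
```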
L.P.H. van Belle
2008-Dec-02 15:48 UTC
[Samba] Problems when migrating from an old machine to a new one.
Why don't you give the new PDC the same SID as the old domain, then?

On the old PDC:

    net getlocalsid <domain>

On the new PDC:

    net setlocalsid SID

Good luck.

>-----Original message-----
>From: BOURIAUD David [mailto:david.bouriaud@ac-rouen.fr]
>Sent: Tuesday 2 December 2008 16:22
>To: L.P.H. van Belle
>Subject: Re: [Samba] Problems when migrating from an old machine to a new one.
>
>Hi !
>Thanks for your quick help. I've checked all you've said, but everything is as
>you expect it to be.
>
>Here are different elements of my setup :
>smb.conf contains :
>
>        preferred master = True
>        domain master = True
>        logon path = \\%L\profiles\%U
>        logon drive = P:
>        nt acl support = Yes
>        profile acls = Yes
>        passdb backend = ldapsam:ldap://ldap.server.adress/
>        ldap passwd sync = Yes
>
>[profiles]
>        path = /smbhome/profiles/
>        read only = No
>        store dos attributes = Yes
>        browseable = No
>        writeable = Yes
>        create mask = 0600
>        directory mask = 0700
>        guest ok = no
>        printable = no
>        hide files = /desktop.ini
>
>[profile]
>        path = /smbhome/profiles/%U
>        browseable = Yes
>        writeable = Yes
>        create mask = 0700
>        directory mask = 0700
>
>This should be sufficient and working. The fact is that I rsync the profiles
>from the old machine to the new one, and do a chown/chmod afterward, but
>consider that the previous PDC (let's call him OLD-PDC) has a SID (called
>OLD-SID) and the new PDC (let's call him NEW-PDC) has a new SID (called
>NEW-SID).
>If I'm not mistaken, what I want to do can't be accomplished with a poor rsync
>between these machines, because when I pick up the profile on OLD-PDC and copy
>all the files in /smbhome/profiles/user/, the file named NTUSER.DAT contains
>references to OLD-SID. I've tried to change its content with the command
>I explained in my previous mail : profiles -c OLD-SID -n NEW-SID NTUSER.DAT
>but it doesn't work.
>Indeed, if I check everything after having copied NTUSER.DAT.new over
>NTUSER.DAT, with profiles -v NTUSER.DAT | grep OLD-SID, I still find entries
>in it.
>So, I guess that the command I type in is not enough.
>You're right, this has to do with file rights, but not on the filesystem
>itself, so far as I understand what's involved in the authentication
>process.
>This is hard to guess, because even with a lot of verbosity in log files (I've
>tried out log level = 10 in smb.conf), the error isn't shown. And on the
>workstation, the domain user isn't allowed to view the security log file.
>I'm stuck at this point and don't know how to solve it...
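Added example, not part of the original thread: the quoted message checks for leftover references by grepping the text output of `profiles -v`; the Python below does the same check on the raw hive bytes, looking for the binary form in which SIDs are stored inside security descriptors. The SIDs and the sample byte string are constructed placeholders, and the function names are chosen for the example.

```python
import struct
import sys

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' in the binary layout used in security descriptors."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("BB", int(parts[1]), len(subs))   # revision, sub-authority count
            + int(parts[2]).to_bytes(6, "big")            # identifier authority
            + struct.pack("<%dI" % len(subs), *subs))     # sub-authorities, little-endian

def bytes_to_sid(data, off):
    """Decode the binary SID at offset off, or return None if none starts there."""
    if off < 0 or off + 8 > len(data) or data[off] != 1 or not 1 <= data[off + 1] <= 15:
        return None
    count = data[off + 1]
    if off + 8 + 4 * count > len(data):
        return None
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def find_domain_sid_refs(data, domain_sid):
    """Return [(offset, sid)] for each binary SID equal to or under domain_sid."""
    # Search without the 2-byte header: a user SID has one more sub-authority
    # (the RID) than the domain SID, so the count byte differs.
    needle = sid_to_bytes(domain_sid)[2:]
    hits, pos = [], data.find(needle)
    while pos != -1:
        sid = bytes_to_sid(data, pos - 2)
        if sid and (sid == domain_sid or sid.startswith(domain_sid + "-")):
            hits.append((pos - 2, sid))
        pos = data.find(needle, pos + 1)
    return hits

# Constructed placeholder SIDs and a constructed byte string, not a real hive.
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_SID = "S-1-5-21-1234567890-987654321-1122334455"
SAMPLE = (b"\x00" * 16 + sid_to_bytes(OLD_SID + "-1001") + b"\xff" * 8
          + sid_to_bytes(NEW_SID + "-1001") + sid_to_bytes("S-1-5-32-544"))

if __name__ == "__main__":
    # usage: script.py OLD_SID path/to/NTUSER.DAT
    sid, path = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (OLD_SID, None)
    blob = open(path, "rb").read() if path else SAMPLE
    for offset, found in find_domain_sid_refs(blob, sid):
        print("0x%08x  %s" % (offset, found))
```

An empty result for the old domain SID on the rewritten NTUSER.DAT means no binary reference to it remains; any hit gives the file offset and the full SID still present.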