Rowland Penny
2014-Dec-09 11:41 UTC
[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")
On 09/12/14 11:22, Denis BUCHER wrote:
> Dear Marc, Dear Rowland,
>
> On 08.12.2014 23:01, Marc Muehlfeld wrote:
>> On 08.12.2014 at 22:55, Rowland Penny wrote:
>>> Hi,
>>>
>>> It sounds very much like a SID problem to me.
>>>
>>> the user 'Fred' with the SID-RID
>>> 'S-1-5-21-4036476082-4153129556-3089177936-1005'
>>> is **NOT** the same user as 'Fred' with the SID-RID
>>> 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>>>
>>> You need to change the domain SID on the new PDC to match the SID
>>> on the Windows machines.
>>
>> Denis, is this a _new domain_ (with the same name)? Or just a _new
>> server_ where you placed the profiles. If it's a _new domain_, then
>> Rowland is surely right and it is an SID problem. But you talked about a
>> _new server_. Please be more clear about your environment.
>>
>> Regards,
>> Marc
>
> Yes, you're right, I must clarify a little more on this point:
>
> You were right, what we *WANT* to do is simply to replace the old PDC
> under Samba 3 by the new PDC under Samba 4. (Simply a new server). But
> what we *DID*, is in fact to configure a _new domain_ with the same
> name.
>
> Therefore, I agree that the problem is SID related, and if I
> understand you correctly, this is the wrong way to do it! We should
> instead configure a new server with same domain, right?
>
> Thank you very much for your appreciated help,
>
> Best regards,
>
> Denis

OK, If you just want to have a new replacement PDC, you need to:

A) Install your OS of choice
B) Install samba4
C) Get the Domain SID from your old PDC
D) Use your old smb.conf as a template for your new one, checking that all the old lines are still valid, refer to 'man smb.conf'. If you have a 'socket options' line in your old conf file, remove it! You are likely to be making things worse.
E) run 'net setdomainsid <SID YOU GOT EARLIER>'
F) start smbd, nmbd & winbind

If it is possible, use the same IP address & hostname of the old server for the new server.

Rowland
Chan Min Wai
2014-Dec-09 14:05 UTC
[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")
Hi Denis,

Just in case you also upgrade to AD DC.

Looking at the Classical upgrade guide on wiki. You have to follow that.

> On 9 Dec 2014, at 19:41, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> On 09/12/14 11:22, Denis BUCHER wrote:
>>
>> Dear Marc, Dear Rowland,
>>
>> On 08.12.2014 23:01, Marc Muehlfeld wrote:
>>> On 08.12.2014 at 22:55, Rowland Penny wrote:
>>>> Hi,
>>>>
>>>> It sounds very much like a SID problem to me.
>>>>
>>>> the user 'Fred' with the SID-RID
>>>> 'S-1-5-21-4036476082-4153129556-3089177936-1005'
>>>> is **NOT** the same user as 'Fred' with the SID-RID
>>>> 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>>>>
>>>> You need to change the domain SID on the new PDC to match the SID
>>>> on the Windows machines.
>>>
>>> Denis, is this a _new domain_ (with the same name)? Or just a _new
>>> server_ where you placed the profiles. If it's a _new domain_, then
>>> Rowland is surely right and it is an SID problem. But you talked about a
>>> _new server_. Please be more clear about your environment.
>>>
>>> Regards,
>>> Marc
>>
>> Yes, you're right, I must clarify a little more on this point:
>>
>> You were right, what we *WANT* to do is simply to replace the old PDC
>> under Samba 3 by the new PDC under Samba 4. (Simply a new server). But
>> what we *DID*, is in fact to configure a _new domain_ with the same
>> name.
>>
>> Therefore, I agree that the problem is SID related, and if I
>> understand you correctly, this is the wrong way to do it! We should
>> instead configure a new server with same domain, right?
>>
>> Thank you very much for your appreciated help,
>>
>> Best regards,
>>
>> Denis
>
> OK, If you just want to have a new replacement PDC, you need to:
>
> A) Install your OS of choice
> B) Install samba4
> C) Get the Domain SID from your old PDC
> D) Use your old smb.conf as a template for your new one, checking that all the old lines are still valid, refer to 'man smb.conf'. If you have a 'socket options' line in your old conf file, remove it! You are likely to be making things worse.
> E) run 'net setdomainsid <SID YOU GOT EARLIER>'
> F) start smbd, nmbd & winbind
>
> If it is possible, use the same IP address & hostname of the old server for the new server.
>
> Rowland
Denis BUCHER
2014-Dec-09 16:27 UTC
[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")
Dear Rowland,

On 09.12.2014 12:41, Rowland Penny wrote:
> On 09/12/14 11:22, Denis BUCHER wrote:
>> Dear Marc, Dear Rowland,
>>
>> On 08.12.2014 23:01, Marc Muehlfeld wrote:
>>> On 08.12.2014 at 22:55, Rowland Penny wrote:
>>>> Hi,
>>>>
>>>> It sounds very much like a SID problem to me.
>>>>
>>>> the user 'Fred' with the SID-RID
>>>> 'S-1-5-21-4036476082-4153129556-3089177936-1005'
>>>> is **NOT** the same user as 'Fred' with the SID-RID
>>>> 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>>>>
>>>> You need to change the domain SID on the new PDC to match the SID
>>>> on the Windows machines.
>>>
>>> Denis, is this a _new domain_ (with the same name)? Or just a _new
>>> server_ where you placed the profiles. If it's a _new domain_, then
>>> Rowland is surely right and it is an SID problem. But you talked about a
>>> _new server_. Please be more clear about your environment.
>>>
>>> Regards,
>>> Marc
>>
>> Yes, you're right, I must clarify a little more on this point:
>>
>> You were right, what we *WANT* to do is simply to replace the old PDC
>> under Samba 3 by the new PDC under Samba 4. (Simply a new server). But
>> what we *DID*, is in fact to configure a _new domain_ with the same
>> name.
>>
>> Therefore, I agree that the problem is SID related, and if I
>> understand you correctly, this is the wrong way to do it! We should
>> instead configure a new server with same domain, right?
>>
>> Thank you very much for your appreciated help,
>>
>> Best regards,
>>
>> Denis
>
> OK, If you just want to have a new replacement PDC, you need to:
>
> A) Install your OS of choice
> B) Install samba4
> C) Get the Domain SID from your old PDC
> D) Use your old smb.conf as a template for your new one, checking that all the old lines are still valid, refer to 'man smb.conf'. If you have a 'socket options' line in your old conf file, remove it! You are likely to be making things worse.
> E) run 'net setdomainsid <SID YOU GOT EARLIER>'
> F) start smbd, nmbd & winbind
>
> If it is possible, use the same IP address & hostname of the old server for the new server.
>
> Rowland

Thanks a lot for your help, it looks more clear now.

I will try this week and come back here with feedback, but I think it will work :-)

I have a last question, if a user has SID "<DOMAINPART>-3038" on the old server do we have to keep the exact same SID on the new server? In other words is it possible to change the "3038" (user part) or not?

Thank you very much!

Denis
Denis BUCHER
2014-Dec-09 16:29 UTC
[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")
Hello,

Thank you very much, your document was very interesting! We will not upgrade to AD DC now, but maybe later.

Denis

On 09.12.2014 15:05, Chan Min Wai wrote:
> Hi Denis,
>
> Just in case you also upgrade to AD DC.
>
> Looking at the Classical upgrade guide on wiki. You have to follow that.
>
> On 9 Dec 2014, at 19:41, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 09/12/14 11:22, Denis BUCHER wrote:
>>> Dear Marc, Dear Rowland,
>>>
>>> On 08.12.2014 23:01, Marc Muehlfeld wrote:
>>>> On 08.12.2014 at 22:55, Rowland Penny wrote:
>>>>> Hi,
>>>>>
>>>>> It sounds very much like a SID problem to me.
>>>>>
>>>>> the user 'Fred' with the SID-RID
>>>>> 'S-1-5-21-4036476082-4153129556-3089177936-1005'
>>>>> is **NOT** the same user as 'Fred' with the SID-RID
>>>>> 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>>>>>
>>>>> You need to change the domain SID on the new PDC to match the SID
>>>>> on the Windows machines.
>>>>
>>>> Denis, is this a _new domain_ (with the same name)? Or just a _new
>>>> server_ where you placed the profiles. If it's a _new domain_, then
>>>> Rowland is surely right and it is an SID problem. But you talked about a
>>>> _new server_. Please be more clear about your environment.
>>>>
>>>> Regards,
>>>> Marc
>>>
>>> Yes, you're right, I must clarify a little more on this point:
>>>
>>> You were right, what we *WANT* to do is simply to replace the old PDC
>>> under Samba 3 by the new PDC under Samba 4. (Simply a new server). But
>>> what we *DID*, is in fact to configure a _new domain_ with the same
>>> name.
>>>
>>> Therefore, I agree that the problem is SID related, and if I
>>> understand you correctly, this is the wrong way to do it! We should
>>> instead configure a new server with same domain, right?
>>>
>>> Thank you very much for your appreciated help,
>>>
>>> Best regards,
>>>
>>> Denis
>>
>> OK, If you just want to have a new replacement PDC, you need to:
>>
>> A) Install your OS of choice
>> B) Install samba4
>> C) Get the Domain SID from your old PDC
>> D) Use your old smb.conf as a template for your new one, checking that all the old lines are still valid, refer to 'man smb.conf'. If you have a 'socket options' line in your old conf file, remove it! You are likely to be making things worse.
>> E) run 'net setdomainsid <SID YOU GOT EARLIER>'
>> F) start smbd, nmbd & winbind
>>
>> If it is possible, use the same IP address & hostname of the old server for the new server.
>>
>> Rowland
Rowland Penny
2014-Dec-09 16:43 UTC
[Samba] How to copy roaming profiles to new server ? ("Group policy client service failed. The logon access is denied")
On 09/12/14 16:27, Denis BUCHER wrote:
> Dear Rowland,
>
> On 09.12.2014 12:41, Rowland Penny wrote:
>> On 09/12/14 11:22, Denis BUCHER wrote:
>>> Dear Marc, Dear Rowland,
>>>
>>> On 08.12.2014 23:01, Marc Muehlfeld wrote:
>>>> On 08.12.2014 at 22:55, Rowland Penny wrote:
>>>>> Hi,
>>>>>
>>>>> It sounds very much like a SID problem to me.
>>>>>
>>>>> the user 'Fred' with the SID-RID
>>>>> 'S-1-5-21-4036476082-4153129556-3089177936-1005'
>>>>> is **NOT** the same user as 'Fred' with the SID-RID
>>>>> 'S-1-5-21-2025076216-3455336656-3842161122-1005'
>>>>>
>>>>> You need to change the domain SID on the new PDC to match the SID
>>>>> on the Windows machines.
>>>>
>>>> Denis, is this a _new domain_ (with the same name)? Or just a _new
>>>> server_ where you placed the profiles. If it's a _new domain_, then
>>>> Rowland is surely right and it is an SID problem. But you talked about a
>>>> _new server_. Please be more clear about your environment.
>>>>
>>>> Regards,
>>>> Marc
>>>
>>> Yes, you're right, I must clarify a little more on this point: You were
>>> right, what we *WANT* to do is simply to replace the old PDC under Samba
>>> 3 by the new PDC under Samba 4. (Simply a new server). But what we
>>> *DID*, is in fact to configure a _new domain_ with the same name.
>>> Therefore, I agree that the problem is SID related, and if I
>>> understand you correctly, this is the wrong way to do it! We should
>>> instead configure a new server with same domain, right? Thank you very
>>> much for your appreciated help, Best regards, Denis
>>
>> OK, If you just want to have a new replacement PDC, you need to:
>>
>> A) Install your OS of choice
>> B) Install samba4
>> C) Get the Domain SID from your old PDC
>> D) Use your old smb.conf as a template for your new one, checking that
>> all the old lines are still valid, refer to 'man smb.conf'. If you have
>> a 'socket options' line in your old conf file, remove it! You are
>> likely to be making things worse.
>> E) run 'net setdomainsid <SID YOU GOT EARLIER>'
>> F) start smbd, nmbd & winbind
>>
>> If it is possible, use the same IP address & hostname of the old server
>> for the new server.
>>
>> Rowland
>
> Thanks a lot for your help, it looks more clear now.
>
> I will try this week and come back here with feedback, but I think it
> will work :-)
>
> I have a last question, if a user has SID "<DOMAINPART>-3038" on the old
> server do we have to keep the exact same SID on the new server? In
> other words is it possible to change the "3038" (user part) or not?
>
> Thank you very much!
>
> Denis

Hi,

The SID identifies what domain the user is part of and RID is the user's unique ID number. If you change the RID in the user's domain record, the user then becomes another user, so if you do change a user's RID, you will have to change the permissions on any files/directories the user owns.

Remember I posted:

the user 'Fred' with the SID-RID
'S-1-5-21-4036476082-4153129556-3089177936-1005'
is **NOT** the same user as 'Fred' with the SID-RID
'S-1-5-21-2025076216-3455336656-3842161122-1005'

I could also have posted:

the user 'Fred' with the SID-RID
'S-1-5-21-4036476082-4153129556-3089177936-1005'
is **NOT** the same user as 'Fred' with the SID-RID
'S-1-5-21-4036476082-4153129556-3089177936-2375'

(not that you could have two users called 'Fred', but I hope you get my drift)

Rowland
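Added example, not part of the thread or of Samba: a check to run after steps C to F of the replacement procedure, applying the SID/RID rule from the last message to account listings from both servers. The function names, the accounts `alice` and `bob` and the sample maps are constructed; the two domain SIDs are the ones quoted in the thread, labelled old and new here by assumption.

```python
import re

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain SID, RID) for a domain account SID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))

def audit_migration(old, new):
    """Compare {user: SID} maps taken from the old and the new server.

    Returns (user, finding) tuples; an empty list means every account
    keeps the identity that existing ACLs and profiles refer to.
    """
    findings = []
    for user in sorted(old):
        if user not in new:
            findings.append((user, "missing"))
            continue
        old_dom, old_rid = split_sid(old[user])
        new_dom, new_rid = split_sid(new[user])
        if old_dom != new_dom:
            findings.append((user, "domain-sid-mismatch"))
        elif old_rid != new_rid:
            findings.append((user, "rid-changed"))
    # A SID handed to a different account name matches the ACL entries
    # that were written for its previous owner.
    owner_of = {sid: user for user, sid in old.items()}
    for user in sorted(new):
        previous = owner_of.get(new[user])
        if previous is not None and previous != user:
            findings.append((user, "sid-reassigned"))
    return findings

# Constructed sample data (old/new labelling of the two SIDs is an assumption).
OLD_DOM = "S-1-5-21-4036476082-4153129556-3089177936"
NEW_DOM = "S-1-5-21-2025076216-3455336656-3842161122"
OLD = {"fred": f"{OLD_DOM}-1005", "alice": f"{OLD_DOM}-3038", "bob": f"{OLD_DOM}-1010"}
RECREATED_DOMAIN = {u: s.replace(OLD_DOM, NEW_DOM) for u, s in OLD.items()}
RIDS_CHANGED = {"fred": f"{OLD_DOM}-2375", "alice": f"{OLD_DOM}-3038", "bob": f"{OLD_DOM}-1005"}

if __name__ == "__main__":
    for label, new in (("recreated domain", RECREATED_DOMAIN), ("RIDs changed", RIDS_CHANGED)):
        print(label, audit_migration(OLD, new))
```

The `sid-reassigned` finding is the one to treat as a security issue rather than a breakage: the account now holding the old SID is granted whatever the previous owner's files and profile allowed.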