Marcio Vogel Merlone dos Santos
2018-Aug-16 18:02 UTC
[Samba] NT3.x -> AD: accounts and profiles
Hi,

Since we cannot join a W10 machine to NT3.x domain anymore, it is time to move on. We have a decade-old domain 'A1CWB' and will profit from the situation fixing the old S-1-5-21-1234567890-1234567890-1234567890 SID and implementing a new domain name:

Old domain: A1CWB, SID S-1-5-21-1234567890-1234567890-1234567890

New domain: AD.A1.IND.BR, decent SID from net getdomainsid, two servers, one DC and one DM as fileserver, Ubuntu 18.04.

On my tests I was able to import old LDAP accounts using 'samba-tool domain classicupgrade' AFTER 'samba-tool domain provision' and proper LDAP database cleanup. I know this was not designed to be used this way, but should I expect something unexpected? :)

As for roaming profiles, new users work fine. The existing ones (a couple hundred) from the old domain are rsync'ed from the old server to the DM and run the profiles tool:

    profiles -c S-1-5-21-<123 SID> -n S-1-5-21-<new decent SID> NTUSER.DAT

This command runs fine without any error, but the resulting profile is unusable, with mixed errors about GPO, 'Failure on gpsvc service entry. Access denied' (translated from pt_BR) and such when user logs in, one big 'OK' button that when pressed, logs out the user.

Google couldn't help me this time, nothing relevant on samba logs nor event viewer. Samba logs say the workstation read all existing files on the profile, then closes them all, presumably when logging off.

Any tip on how to reuse those old profiles?

Thanks and best regards.

--
*Marcio Merlone*
Mandi! Marcio Vogel Merlone dos Santos via samba
  On that day it was said...

> run the profiles tool:

The 'profile' manpage says:

    It currently only supports NT.

so probably it is needed to change the SID in the old domain, before migration?!

> Any tip on how to reuse those old profiles?

My experience about profiles 'reuse' is totally negative: it is not (reliably) possible, all my tries get to errors like yours...

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marcio Vogel Merlone dos Santos
2018-Aug-27 19:59 UTC
[Samba] NT3.x -> AD: accounts and profiles
On 27/08/2018 10:31, Marco Gaiarin via samba wrote:
> Mandi! Marcio Vogel Merlone dos Santos via samba
>   On that day it was said...
>> run the profiles tool:
> The 'profile' manpage says:
>
>     It currently only supports NT.
>
> so probably it is needed to change the SID in the old domain, before
> migration?!

Not sure what you mean, I run the tool over the profile as it is on the old domain _before_ loading into a workstation (login). You cannot change the SID on a profile for a new domain on the old one. I make a copy on the new server and there I run the tool as I believe is supposed to, correct me if I am wrong.

Anyway, errors remain on tool and is not usable by now.

Best regards,

--
*Marcio Merlone*