Web lists-archives.com

[Samba] NT3.x -> AD: accounts and profiles




Hi,

Since we cannot join a W10 machine to NT3.x domain anymore, it is time to move on. We have a decade-old domain 'A1CWB' and will profit from the situation fixing the old S-1-5-21-1234567890-1234567890-1234567890 SID and implementing a new domain name:

Old domain:

A1CWB, SID S-1-5-21-1234567890-1234567890-1234567890

New domain:

AD.A1.IND.BR, decent SID from net getdomainsid, two servers, one DC and one DM as fileserver, Ubuntu 18.04.


On my tests I was able to import old LDAP accounts using 'samba-tool domain classicupgrade' AFTER 'samba-tool domain provision' and proper LDAP database cleanup. I know this was not designed to be used this way, but should I expect something unexpected? :)


As for roaming profiles, new users works fine. The existing ones (a couple hundreds) from the old domain are rsync'ed from the old server to the DM and run the profiles tool:

profiles -c S-1-5-21-<123 SID> -n S-1-5-21-<new decent SID> NTUSER.DAT

This command runs fine without any error, but the resulting profile is unusable, with mixed erros about GPO, 'Failure on gpsvc service entry. Access denied' (translated from pt_BR) and such when user logs in, one big 'OK' button that when pressed, logs out the user. Google couldn't help me this time, nothing relevant on samba logs nor event viewer.

Samba logs says the workstation read all existing files on the profile, then closes them all, presumably when logging off.

Any tip on how to reuse those old profiles?

Thanks and best regards.

--
*Marcio Merlone*
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba