Keeping profiles intact:
A Windows XP Professional user's profile is keyed on the domain SID plus the user's RID. When you expand HKEY_USERS, you can find the currently logged in user under the S-1-5-21- prefix. The next three sets of numbers identify the domain SID and the last number is the user's Windows RID. As long as the new Samba server has the same domain SID AND the Samba user has been assigned the same user RID as before, the workstation can join the new domain without losing the user's profile. Profiles are not tied to the workstation or computer account. A computer account can be removed and recreated and the machine can rejoin the domain without losing the user's profile.
So how do you ensure that your Samba users get the RID they need? It is as simple as recreating the users in the new domain with the same Unix UID numbers. Samba uses a calculation that ties a POSIX UID to a specific Windows user RID, so a user recreated with the same UID is assured of getting the same Windows RID.
A user with a Unix UID of 1004, for example, will get a Windows RID of 3008: take the user's Unix UID (1004 in this case), multiply it by 2 and add 1000.
NOTE: This formula is also used by the smbldap-tools scripts included with Samba. They do the same thing for groups but add 1001 instead. The result is that you can store users and groups in the same SID space without the UIDs and GIDs colliding, because UIDs always translate to an even RID and GIDs to an odd RID.
(Reference: http://aput.net/~jheiss/samba/ldap.shtml )
A SID structure breakdown.
S-1-5-21-1607479885-249575134-1330272300-500
When this example is broken down, the SID's structure is S-R-I-S1-S2-S3-S4-S5(A):
- S identifies the following numbers as part of a SID
- R is the Revision Level of the SID, or 1
- I is the Identifier Authority, or 5
- S1 represents the first Subauthority, or 21
- S2 represents the second Subauthority, or 1607479885
- S3 represents the third Subauthority, or 249575134
- S4 represents the fourth Subauthority, or 1330272300
- S5 (A) is the fifth Subauthority (generally the User account RID), or 500
When a new account is created, this unique 96-bit number is concatenated with a numerical extension representing the new account. Windows NT reserves the numbers between 0-999 for its own system and group accounts, therefore requiring that all new accounts created start at 1000 and go up from there. To view text-based representations of installed SIDs, you can use NT's 32-bit Registry Editor (Figure 3.5) to view installed SIDs by browsing to HKEY_LOCAL_MACHINE\SOFTWARE\Windows NT\CurrentVersion\ProfileList. By clicking on the SID subkey you can view the associated account.
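As an added worked example (not code from the original page or from Samba), the UID-to-RID calculation and the SID breakdown above in Python: it splits a SID into revision, identifier authority and subauthorities, maps a Unix UID or GID to the RID the smbldap-tools formula produces (and back, using the even/odd rule), and checks whether a user recreated on a new server keeps the SID his profile is keyed on. The domain SID and UID 1004 come from the page; the function names are this example's own.

```python
import re

# The "algorithmic" mapping described above (Samba's default
# 'algorithmic rid base' is 1000): users get even RIDs, groups odd ones.
USER_BASE, GROUP_BASE = 1000, 1001

def uid_to_rid(uid):
    return uid * 2 + USER_BASE

def gid_to_rid(gid):
    return gid * 2 + GROUP_BASE

def rid_to_posix(rid):
    """Invert the mapping: ('user', uid) for even RIDs, ('group', gid) for odd."""
    if rid < USER_BASE:
        raise ValueError("RIDs 0-999 are reserved for built-in accounts")
    if rid % 2 == 0:
        return "user", (rid - USER_BASE) // 2
    return "group", (rid - GROUP_BASE) // 2

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split 'S-R-I-S1-...-Sn' into its numeric components."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return {"revision": int(m.group(1)),
            "authority": int(m.group(2)),
            "subauthorities": subs}

def split_domain_rid(sid):
    """Return (domain SID, RID): the RID is the last subauthority."""
    p = parse_sid(sid)
    head = [p["revision"], p["authority"]] + p["subauthorities"][:-1]
    return "S-" + "-".join(str(n) for n in head), p["subauthorities"][-1]

def user_sid(domain_sid, uid):
    """The SID a Samba user with this Unix UID gets in the given domain."""
    return "%s-%d" % (domain_sid, uid_to_rid(uid))

def profile_survives(old_user_sid, new_domain_sid, new_uid):
    """The profile under HKEY_USERS is keyed on the full SID, so it survives a
    migration only if both the domain SID and the user's RID are unchanged."""
    return user_sid(new_domain_sid, new_uid) == old_user_sid

if __name__ == "__main__":
    dom, rid = split_domain_rid("S-1-5-21-1607479885-249575134-1330272300-500")
    print(dom, rid, user_sid(dom, 1004))  # ... 500  ...-3008
```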
What about the Administrator user? Does the Administrator user still exist? Document how to identify which user is the "Administrator" user, which account or accounts (and related passwords) are used to join the domain, and which ones are used to log in to manage the domain.
http://wiki.samba.org/index.php/Ldapsam_Editposix
http://lists.samba.org/archive/samba-technical/2006-March/045787.html
Ensure that there is a working LDAP server configured before adding in SAMBA.
Concerning the use of 'dns proxy = yes' (response from kukks)
An edited IRC chat paste from #samba on freenode: 'dns proxy = yes' does a very special thing. Nmbd starts an async DNS helper proxy. If WINS is asked for the IP of a passed NetBIOS name which WINS has no info about, it passes the NetBIOS name to its asynchronous DNS helper. The DNS helper contacts the name server (usually defined in /etc/resolv.conf) for the IP of that NetBIOS name. This must be done asynchronously, because the DNS request might be blocked (e.g. DNS server is down). Using this configuration only makes sense when the DNS server has been set up to resolve internal host names. There are also pitfalls with 'dns proxy = yes'. Sometimes the NetBIOS name is not the same as the hostname, and NetBIOS names are limited to 15 chars, which is not true for hostnames. Using Dynamic DNS would be helpful in this situation.
Samba post 3.0.25
- 'net idmap secret DOMAIN <password>' and
- 'net idmap secret alloc <password>'
...must be run
