[Samba] Samba on Debian 8; NT4 domain, win10

Andrew Bartlett abartlet at samba.org
Tue Nov 29 08:56:21 UTC 2016


On Mon, 2016-11-28 at 14:03 +0000, Rowland Penny via samba wrote:
> On Mon, 28 Nov 2016 14:22:00 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
> > 
> > 
> > NT4-PDC:
> > 
> > # net groupmap list
> > Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
> > Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
> > Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
> > 
> > User pl13 is member of group "Domain Users":
> > 
> > # pdbedit -Lv pl13
> > Unix username:        pl13
> > NT username:
> > Account Flags:        [U          ]
> > User SID:             S-1-5-21-2940660672-4062535256-4144655499-2026
> > Primary Group SID:    S-1-5-21-2940660672-4062535256-4144655499-513
> > 
> > This group seems not to be converted, see server after classic
> > upgrade:
> > 
> > # net groupmap list
> > #
> > 
> > -> no groups
> > 
> > This puts all these users into some new group:
> 
> Yes, and the group is called 'Domain Users' ;-)
> 
> In AD, ALL users are members of 'Domain Users' but are not
> explicitly added to the 'Domain Users' object
>  
> > 
> > 
> > # pdbedit -L | grep pl
> > 
> > pl01:4294967295:
> > pl02:4294967295:
> > pl03:4294967295:
> > pl04:4294967295:
> > pl05:4294967295:
> > 
> > while on the old server this was:
> > 
> > # pdbedit -L | grep pl | sort
> > 
> > pl01:501:
> > pl02:502:
> > pl03:503:
> > pl04:504:
> > pl05:505:
> > 
> > Am I on the right track here?
> > 
> 
> Yes, you have found the reason why most of your users are being
> ignored ;-)
> 
> In the upgrade Python code, there is this:
> 
>         if entry['rid'] < 1000:
>             logger.info("  Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
>             continue
> 
> Which basically means, if the 'RID' is less than '1000', ignore and
> move to next user. What I don't fully understand is why the users are
> getting the '4294967295' number.
> 
> The cure, change all users' RIDs to be more than '1000' before the
> upgrade.

G'Day Rowland, 

While your comments on the RID < 1000 issue are correct, your
interpretation of the pdbedit output is not correct.  That value is not
the RID, but in deference to the smbpasswd file format from long before
you joined Samba, it is the unix UID value for the username specified.
That is probably also why the -1 / 4294967295 values show up, if the
user doesn't exist locally where the tool is being run.

Listing with --verbose will show the full SID, and so the applicable
RID. 

Hopefully these are not below 1000, as changing the SID has annoying
implications for profiles and other things.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
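
Added example, not part of the message above and not Samba's own code: a pre-upgrade check that reads the RID from the `User SID` line of `pdbedit -Lv` output (rather than the UID field of `pdbedit -L`) and lists the accounts the quoted `rid < 1000` test would skip. The sample text is constructed; the function names and the RID/UID values other than pl13's are assumptions.

```python
import re

WELLKNOWN_RID_LIMIT = 1000   # threshold in the upgrade code quoted in the thread
NO_LOCAL_UID = 4294967295    # -1 as uint32; per the reply, shown when the user is not known locally

# Constructed sample in the layout of `pdbedit -Lv` (pl13 is from the thread, pl01's RID is made up).
SAMPLE_VERBOSE = """\
Unix username:        pl13
User SID:             S-1-5-21-2940660672-4062535256-4144655499-2026
Primary Group SID:    S-1-5-21-2940660672-4062535256-4144655499-513
---------------
Unix username:        pl01
User SID:             S-1-5-21-2940660672-4062535256-4144655499-501
Primary Group SID:    S-1-5-21-2940660672-4062535256-4144655499-513
"""

# Constructed sample in the layout of `pdbedit -L`; the second field is the Unix UID, not the RID.
SAMPLE_SHORT = "pl01:4294967295:\npl13:1013:\n"


def user_rids(verbose_text):
    """Map each Unix username to the RID (last sub-authority) of its User SID."""
    rids, user = {}, None
    for line in verbose_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Unix username":
            user = value
        elif key == "User SID" and user and re.fullmatch(r"S-1-(\d+-)+\d+", value):
            rids[user] = int(value.rsplit("-", 1)[1])
    return rids


def skipped_by_upgrade(rids):
    """Users that the quoted `entry['rid'] < 1000` check would skip."""
    return sorted(u for u, rid in rids.items() if rid < WELLKNOWN_RID_LIMIT)


def missing_local_account(short_text):
    """Users whose UID field in `pdbedit -L` output is -1 (as uint32)."""
    missing = []
    for line in short_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].isdigit() and int(fields[1]) == NO_LOCAL_UID:
            missing.append(fields[0])
    return missing


if __name__ == "__main__":
    print(skipped_by_upgrade(user_rids(SAMPLE_VERBOSE)), missing_local_account(SAMPLE_SHORT))
```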



