Upgrade from S3 to a Samba4 DC [with LDAPSAM]

Adam Tauno Williams awilliam at whitemice.org
Sun Sep 11 05:57:48 MDT 2011

On Fri, 2011-09-09 at 14:27 +0200, Tarjei Huse wrote:
> On 09/08/2011 11:11 PM, Andrew Bartlett wrote:
> > On Thu, 2011-09-08 at 16:56 -0400, Adam Tauno Williams wrote:
> >> Quoting tataia <iongigixx at gmail.com>:
> >>> It happens for groups that have sambaGroupType =5
> >>> replace 5 with 4
> >> Gotcha.  And it goes much further.  Are users with the same name as  
> >> groups an issue?  There is only one uid=bie object in the LDAPSAM.
> > Users with the same name as groups have always been prohibited in
> > Windows, even with NT4.  I'm not sure there is anything we can do except
> > fail here, but I'm open to suggestions.
> Document it?

It is reasonably well documented [I knew about it].  That is just an
NT/Windows thing.  Anyone managing Windows should already know about
that [from the Microsoft documentation], IMO.  The only real issue
regarding that is that S3 LDAPSAM was pretty fast-and-loose with
enforcing rules.   Does S3 LDAPSAM even use the "cn" attribute as the
group name?  It appears to use the "description" attribute in most
places [at least that is what appears on the screen when looking at a
security descriptor].

> Would it be possible for the upgrade script to have a pre flight test
> that checks for gotchas like this and lists the offending entries with
> suggested changes?

I'm not certain that is really why the script was failing.  Renaming the
group to not be so-named did *not* resolve the issue.  The script didn't
fail with a particularly clear error message.

Just -
passdb.error: Unable to add sam account 'bie', (-1073741725,User exists)

Which doesn't really indicate why it can't add the SAM account;  would
an already existing *group* of the same name cause a "User exists"
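A pre-flight check of the kind asked for above, written for this thread as an added example (it is not part of Samba or its upgrade script). It reads an LDIF export of the S3 LDAPSAM and lists the two gotchas discussed here: groups with sambaGroupType=5 (the fix suggested in the thread is 4) and group names that are also user names. Assumptions: group names are taken from the "cn" attribute of sambaGroupMapping entries, user names from "uid" of sambaSamAccount entries, names are compared case-insensitively as Windows does, and the sample LDIF is constructed for the example.

```python
"""Pre-flight checks on an S3 LDAPSAM LDIF export before the Samba4 upgrade.
Hypothetical helper, not Samba code.  Assumes group names live in "cn" of
sambaGroupMapping entries and user names in "uid" of sambaSamAccount entries."""
import base64
from collections import defaultdict

# Constructed sample export: one user, one group sharing that user's name and
# carrying sambaGroupType=5, and one clean group with a base64 ("::") value
# and a folded (continuation) line to exercise the parser.
SAMPLE_LDIF = """\
dn: uid=bie,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bie
cn: Bie Example
sambaSID: S-1-5-21-1-2-3-1000

dn: cn=bie,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: bie
gidNumber: 1001
sambaSID: S-1-5-21-1-2-3-3003
sambaGroupType: 5
description: bie
  team

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: staff
gidNumber: 1002
sambaSID: S-1-5-21-1-2-3-3005
sambaGroupType: 2
description:: c3RhZmYgZ3JvdXA=
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values and splits entries on blank lines.  Returns a list of dicts
    mapping attribute name -> list of string values ('dn' included)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries, attrs = [], None
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if attrs:
                entries.append(attrs)
            attrs = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attrs is None:
            attrs = defaultdict(list)
        attrs[key.strip()].append(value)
    if attrs:
        entries.append(attrs)
    return entries


def preflight(entries):
    """Flag sambaGroupType=5 groups and groups whose name is also a user name
    (Windows has never allowed the latter, so the upgrade cannot import it)."""
    users, groups, wellknown = {}, {}, []
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "sambasamaccount" in classes:
            for uid in e.get("uid", []):
                users[uid.lower()] = dn
        if "sambagroupmapping" in classes:
            for cn in e.get("cn", []):
                groups[cn.lower()] = dn
            if "5" in e.get("sambaGroupType", []):
                wellknown.append(dn)
    collisions = [(name, users[name], groups[name])
                  for name in sorted(users.keys() & groups.keys())]
    return {"wellknown_groups": wellknown, "name_collisions": collisions}


def report(findings):
    """Offending entries with the suggested change, one line each."""
    lines = [f"{dn}: sambaGroupType is 5; set it to 4 before upgrading"
             for dn in findings["wellknown_groups"]]
    for name, udn, gdn in findings["name_collisions"]:
        lines.append(f"'{name}' is both a user ({udn}) and a group ({gdn}); "
                     "rename one of them or the upgrade will fail")
    return lines


if __name__ == "__main__":
    for line in report(preflight(parse_ldif(SAMPLE_LDIF))):
        print(line)
```

Run it against a real export (`slapcat` or `ldapsearch -LLL` output) instead of SAMPLE_LDIF; because the thread is unsure whether S3 keys groups on "cn" or "description", extend the name collection to "description" if your directory uses that attribute for group names.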
