samba4 migration problems
Andrew Bartlett
abartlet at samba.org
Thu Apr 19 07:02:40 MDT 2012
On Thu, 2012-04-19 at 14:27 +0200, Marc Muehlfeld wrote:
> On 19.04.2012 14:06, Andrew Bartlett wrote:
> >> Also I saw lines like
> >> > Skipping wellknown rid=149 (for username=vm-02$)
> >> > ...
> >> > Skipping wellknown rid=150 (for username=test_member$)
> >> for my machine accounts. How can I check if everything was migrated?
> >
> > You have allocated SIDs with RID values from the 'well known' range (<
> > 1000). This is broken, and must be corrected before importing into
> > Samba4, as these RIDs belong to special objects in Active Directory.
>
> I just did a short search through my production server. I have 132 entries
> in my LDAP, where the last part of the SID < 1000. It looks like just machine
> accounts are affected.
>
> smbldap-tools creates the machine accounts when joining. The UID is always high
> like 2136, but the sambaSID that was chosen was
> S-1-5-21-1362721961-1801182073-732966438-40
> For users it's calculated correctly (UID * 2 + 1000)
This would appear to be a very serious issue with smbldap-tools then.
If you are using ldapsam:trusted, perhaps consider ldapsam:editposix?
Anyway, it doesn't matter much if you are moving to samba4 anyway.
> > As long as your machines do not own files, changing the SID should be
> > mostly harmless.
>
> Don't I have to rejoin the machine to the domain if I change the SID? Can I
> just rename it in LDAP?
Fixing it in LDAP should work, but test. If it fails, then rejoin.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
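
One way to run the check discussed in this thread over an LDIF export, as an added example that is not part of the original message or of Samba or smbldap-tools: it lists every sambaSID whose final component (the RID) is below 1000. The sample LDIF, the example.com DNs and the function names are constructed for illustration; the domain SID and the two machine account names are the ones quoted above.

```python
import base64

WELL_KNOWN_LIMIT = 1000  # RIDs below this are the 'well known' range per the thread

# Constructed sample LDIF (not real directory data); DNs are placeholders.
SAMPLE_LDIF = """\
dn: uid=vm-02$,ou=Computers,dc=example,dc=com
uid: vm-02$
sambaSID: S-1-5-21-1362721961-1801182073-732966438-149

dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
sambaSID: S-1-5-21-1362721961-1801182073-732966438-3010

dn: uid=test_member$,ou=Computers,dc=example,dc=com
uid: test_member$
sambaSID: S-1-5-21-1362721961-1801182073-
 732966438-150
"""

def parse_ldif(text):
    """Yield one dict per entry; handles folded lines and base64 ('::') values."""
    unfolded = text.replace("\n ", "")  # LDIF continuation lines start with a space
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            yield entry

def find_wellknown_rids(text, limit=WELL_KNOWN_LIMIT):
    """Return (uid, sid, rid) for every sambaSID whose last sub-authority < limit."""
    hits = []
    for entry in parse_ldif(text):
        for sid in entry.get("sambasid", []):
            rid_text = sid.rsplit("-", 1)[-1]
            if rid_text.isdigit() and int(rid_text) < limit:
                hits.append((entry.get("uid", ["?"])[0], sid, int(rid_text)))
    return hits

if __name__ == "__main__":
    for uid, sid, rid in find_wellknown_rids(SAMPLE_LDIF):
        print(f"{uid}: RID {rid} is in the well-known range ({sid})")
```

Legitimate well-known entries such as Administrator (RID 500) or Domain Admins (RID 512) will be listed as well, so the output is a review list rather than a list of errors.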