samba4 migration problems

Andrew Bartlett abartlet at
Thu Apr 19 07:02:40 MDT 2012

On Thu, 2012-04-19 at 14:27 +0200, Marc Muehlfeld wrote:
> On 19.04.2012 14:06, Andrew Bartlett wrote:
> >> Also I saw lines like
> >>   >  Skipping wellknown rid=149 (for username=vm-02$)
> >>   >  ...
> >>   >  Skipping wellknown rid=150 (for username=test_member$)
> >> for my machine accounts. How can I check if everything was migrated?
> >
> > You have allocated SIDs with RID values from the 'well known' range (<
> > 1000).  This is broken, and must be corrected before importing into
> > Samba4, as these RIDs belong to special objects in Active Directory.
> I just did a short search through my production server. I have 132 entries
> in my LDAP, where the last part of the SID < 1000. It looks like just machine
> accounts are affected.
> smbldap-tools create the machine-accounts when joining. The UID is always high
> like 2136, but the sambaSID that was chosen was
> S-1-5-21-1362721961-1801182073-732966438-40
> For users it's calculated correctly (UID * 2 + 1000)

This would appear to be a very serious issue with smbldap-tools then.
If you are using ldapsam:trusted, perhaps consider ldapsam:editposix?
Anyway, it doesn't matter much if you are moving to samba4 anyway.

> > As long as your machines do not own files, changing the SID should be
> > mostly harmless.
> Don't I have to rejoin the machine to the domain if I change the SID? Can I 
> just rename it in LDAP?

Fixing it in LDAP should work, but test.  If it fails, then rejoin.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
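
An added example, not part of the original message or of Samba or smbldap-tools: one way to list the entries discussed above from an LDIF export before migrating. The sample LDIF, account names and DNs are constructed; the `algorithmic_rid` column applies the UID * 2 + 1000 rule quoted in the thread for comparison only, and whether that value suits machine accounts is an assumption.

```python
import re

WELL_KNOWN_RID_LIMIT = 1000  # RIDs below this are in the 'well known' range

# Constructed sample export (accounts and DNs are made up; the domain SID
# is the one quoted in the thread). The last sambaSID is line-folded, which
# LDIF marks with a single leading space on the continuation line.
SAMPLE_LDIF = """\
dn: uid=pc-01$,ou=Computers,dc=example,dc=com
uid: pc-01$
uidNumber: 2136
sambaSID: S-1-5-21-1362721961-1801182073-732966438-40

dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
uidNumber: 2001
sambaSID: S-1-5-21-1362721961-1801182073-732966438-5002

dn: uid=pc-02$,ou=Computers,dc=example,dc=com
uid: pc-02$
uidNumber: 2140
sambaSID: S-1-5-21-1362721961-1801182073-
 732966438-150
"""

def find_reserved_rids(ldif_text, limit=WELL_KNOWN_RID_LIMIT):
    """Return (dn, rid, algorithmic_rid) for entries whose sambaSID RID < limit."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)          # undo LDIF line folding
    hits = []
    for entry in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(key.strip().lower(), value.strip())
        # Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
        m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", attrs.get("sambasid", ""))
        if not m or int(m.group(1)) >= limit:
            continue
        uid = attrs.get("uidnumber", "")
        algorithmic = int(uid) * 2 + 1000 if uid.isdigit() else None
        hits.append((attrs.get("dn", "?"), int(m.group(1)), algorithmic))
    return hits

if __name__ == "__main__":
    for dn, rid, algo in find_reserved_rids(SAMPLE_LDIF):
        print(f"{dn}: rid={rid} is below {WELL_KNOWN_RID_LIMIT}; UID*2+1000 gives {algo}")
```
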
