[Samba] workgroup to domain migration question

[Edmundo Valle Neto]

De Leeuw Guy escreveu:
> Hi all
>   

Hi

> I try to transform our old workgroup to a domain.
> I read a lot of doc about that and smb-ldap tools.
> I cannot use smb-ldap tools because I have a running ldap database with
> our unix accounts.
>   

Well, I think that you can continue to have it the way it is and use 
smbldap-tools with higher ids.

> I build my own script to update our database.
>
> Questions :
> - For the admin account I modify the uid=admin, uidNumber=1033 and
> gid=512 to secure the server root account. (no homeDirectory and
> loginShell).
> It is correct ?
>   

I don't understood very well what you have done, but yes, a user without 
a valid loginShell cannot log in the system.

> - For the accounts : Administrators, Account Operators, Print
> Operators, Backup Operators et Replicators which are the correct SID ?
> S-1-5-32-544 or a form like S-1-5-21-374813769-5580279-1681509432-544 ?
>   

smbldap-tools creates them in the S-1-5-32-XXX form. But really only a 
few accounts are expected to be seen by domain clients in a samba domain 
with the right RID making any difference.

See:
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#WKURIDS

> - For the sambaSID users I use the localSID + uidNumber it is ok ?
> - For the sambaSid groups unix (each user have this own group)
> I use localsid + uidNumber + 1000 The primaryGroupSID are needed ? if
> yes which ?
>
> - For hosts I use localsid + uidNumber + 2000 ok ?
>
> Could you help me to clarify that ?
>   

Smbldap-tools used to create RIDs in a odd/even algorithmic fashion, 
never clashing. Posix accounts have separate allocation spaces but in 
Windows accounts share the same RID space and users/groups cannot clash.
Your accounts will probably start to clash after 1000 created user 
accounts (as uids/gids are not reused).
primaryGroupSID is normally "Domain Users".

> Thanks in advance
> Guy
>   

Regards.

Edmundo Valle Neto