[Samba] workgroup to domain migration question

Edmundo Valle Neto edmundo.valle at terra.com.br
Wed Jul 4 02:00:58 GMT 2007

De Leeuw Guy wrote:
> Hi all
>
> I am trying to transform our old workgroup into a domain.
> I read a lot of doc about that and smb-ldap tools.
> I cannot use smb-ldap tools because I have a running ldap database with
> our unix accounts.

Well, I think that you can continue to have it the way it is and use 
smbldap-tools with higher ids.

> I build my own script to update our database.
> Questions :
> - For the admin account I modify the uid=admin, uidNumber=1033 and
> gid=512 to secure the server root account. (no homeDirectory and
> loginShell).
> Is it correct?

I don't understand very well what you have done, but yes, a user without 
a valid loginShell cannot log in to the system.

> - For the accounts : Administrators, Account Operators, Print
> Operators, Backup Operators and Replicators, which is the correct SID?
> S-1-5-32-544 or a form like S-1-5-21-374813769-5580279-1681509432-544 ?

smbldap-tools creates them in the S-1-5-32-XXX form. But really only a 
few accounts are expected to be seen by domain clients in a samba domain 
with the right RID making any difference.


> - For the sambaSID of users I use the localSID + uidNumber, is it OK?
> - For the sambaSID of unix groups (each user has their own group)
> I use localsid + uidNumber + 1000. Is the primaryGroupSID needed? If
> yes, which?
> - For hosts I use localsid + uidNumber + 2000 ok ?
> Could you help me to clarify that ?

Smbldap-tools used to create RIDs in an odd/even algorithmic fashion, 
never clashing. Posix accounts have separate allocation spaces, but in 
Windows, accounts share the same RID space and users/groups cannot clash.
Your accounts will probably start to clash after 1000 created user 
accounts (as uids/gids are not reused).
primaryGroupSID is normally "Domain Users".

> Thanks in advance
> Guy


Edmundo Valle Neto
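
The RID clash described in the reply above, as an added example that is not part of the original message or of smbldap-tools. It compares the offset scheme from the question with an odd/even mapping; the formula (user RID = 2*uid + 1000, group RID = 2*gid + 1001) and the account ranges are assumptions, and the sample accounts are constructed.

```python
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-374813769-5580279-1681509432"  # example SID quoted in the thread
RID_BASE = 1000  # assumed base for the odd/even (algorithmic) mapping


def offset_rid(kind, unix_id):
    """Scheme from the question: users +0, per-user groups +1000, hosts +2000."""
    return unix_id + {"user": 0, "group": 1000, "host": 2000}[kind]


def algorithmic_rid(kind, unix_id):
    """Even RIDs for users and hosts (both are uids), odd RIDs for groups."""
    return 2 * unix_id + RID_BASE + (1 if kind == "group" else 0)


def find_clashes(accounts, rid_func):
    """Return {rid: [accounts]} for every RID handed to more than one account."""
    by_rid = defaultdict(list)
    for kind, unix_id in accounts:
        by_rid[rid_func(kind, unix_id)].append((kind, unix_id))
    return {rid: owners for rid, owners in by_rid.items() if len(owners) > 1}


def sid(rid):
    """Full SID: domain SID plus the RID as the last sub-authority."""
    return f"{DOMAIN_SID}-{rid}"


def sample_accounts(first_uid=1000, n_users=1101, hosts=(5000, 5001, 5002)):
    """Constructed data: n_users users, each with a private group (gid == uid)."""
    accounts = []
    for uid in range(first_uid, first_uid + n_users):
        accounts += [("user", uid), ("group", uid)]
    accounts += [("host", uid) for uid in hosts]
    return accounts


if __name__ == "__main__":
    accounts = sample_accounts()
    clashes = find_clashes(accounts, offset_rid)
    print(f"offset scheme: {len(clashes)} clashing RIDs")
    for rid in sorted(clashes)[:3]:
        print(" ", sid(rid), clashes[rid])
    algo = find_clashes(accounts, algorithmic_rid)
    print(f"odd/even scheme: {len(algo)} clashing RIDs")
```

With 1000 users the offset scheme is still clean; the 1001st user is the first to receive a RID already held by another user's private group.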
