[Samba] workgroup to domain migration question
Edmundo Valle Neto
edmundo.valle at terra.com.br
Wed Jul 4 02:00:58 GMT 2007
De Leeuw Guy wrote:
> Hi all
> I try to transform our old workgroup to a domain.
> I read a lot of doc about that and smb-ldap tools.
> I cannot use smb-ldap tools because I have a running ldap database with
> our unix accounts.
Well, I think that you can continue to have it the way it is and use
smbldap-tools with higher ids.
> I build my own script to update our database.
> Questions :
> - For the admin account I modify the uid=admin, uidNumber=1033 and
> gid=512 to secure the server root account. (no homeDirectory and
> Is it correct?
I didn't understand very well what you have done, but yes, a user without
a valid loginShell cannot log in to the system.
> - For the accounts: Administrators, Account Operators, Print
> Operators, Backup Operators and Replicators, which is the correct SID?
> S-1-5-32-544 or a form like S-1-5-21-374813769-5580279-1681509432-544 ?
smbldap-tools creates them in the S-1-5-32-XXX form. But really only a
few accounts are expected to be seen by domain clients in a samba domain
with the right RID making any difference.
> - For the sambaSID of users I use the localSID + uidNumber, is it ok?
> - For the sambaSID of unix groups (each user has their own group)
> I use localsid + uidNumber + 1000. Is the primaryGroupSID needed? If
> yes, which?
> - For hosts I use localsid + uidNumber + 2000, ok?
> Could you help me to clarify that?
Smbldap-tools used to create RIDs in an odd/even algorithmic fashion,
never clashing. Posix accounts have separate allocation spaces, but in
Windows, accounts share the same RID space and users/groups cannot clash.
Your accounts will probably start to clash after 1000 created user
accounts (as uids/gids are not reused).
primaryGroupSID is normally "Domain Users".
> Thanks in advance
Edmundo Valle Neto
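
Added example, not part of the original message and not smbldap-tools code: a short Python check that builds SIDs under the offset plan from the question (users +0, groups +1000, hosts +2000) and under an odd/even mapping, then reports any SID assigned to more than one account. The constants 2*id+1000 and 2*id+1001 are an assumption (Samba's algorithmic mapping with the default RID base of 1000), the account list is constructed sample data, and the domain SID is the one quoted in the question.

```python
from collections import defaultdict

# Domain SID as quoted in the question above.
DOMAIN_SID = "S-1-5-21-374813769-5580279-1681509432"

# Constructed sample accounts: (kind, name, POSIX uidNumber/gidNumber).
# Each user has a private group with the same number, as in the question.
ACCOUNTS = [
    ("user", "alice", 1033),
    ("group", "alice", 1033),
    ("host", "ws01$", 1040),
    ("user", "bob", 2033),
    ("group", "bob", 2033),
    ("user", "carol", 3040),
]

def offset_rid(kind, posix_id):
    """Plan from the question: users +0, groups +1000, hosts +2000."""
    return posix_id + {"user": 0, "group": 1000, "host": 2000}[kind]

def algorithmic_rid(kind, posix_id):
    """Odd/even mapping (assumed base 1000): groups odd, users and hosts even.
    Hosts are POSIX user accounts, so they share the uidNumber space with users."""
    return 2 * posix_id + (1001 if kind == "group" else 1000)

def find_clashes(accounts, rid_func):
    """Return {sid: [(kind, name), ...]} for every SID held by 2+ accounts."""
    by_sid = defaultdict(list)
    for kind, name, posix_id in accounts:
        sid = f"{DOMAIN_SID}-{rid_func(kind, posix_id)}"
        by_sid[sid].append((kind, name))
    return {sid: owners for sid, owners in by_sid.items() if len(owners) > 1}

if __name__ == "__main__":
    for label, func in (("offset", offset_rid), ("odd/even", algorithmic_rid)):
        clashes = find_clashes(ACCOUNTS, func)
        print(f"{label}: {len(clashes)} duplicate SID(s)")
        for sid, owners in sorted(clashes.items()):
            print(f"  {sid} -> {owners}")
```

Running the same check over a real LDAP export before assigning sambaSID values shows whether any user, group or host would end up sharing a SID, and with it the permissions granted to that SID.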