[Samba] SAMBA4: pdbedit not changing SID

Andrew Bartlett abartlet at samba.org
Mon Apr 1 16:14:23 MDT 2013

On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
> 2013-04-01 02:36 keltezéssel, simon+samba at matthews.eu írta:
> > Since I don't seem to be having any luck with the classicupgrade, I 
> > decided to try starting from scratch and then adding users.
> >
> > I ran the command:
> > /usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \ 
> > --domain=<mydomain> --adminpass 'mypass' --server-role=dc  \
> > --dns-backend=BIND9_DLZ
> >
> > Then I tried both adding and changing users. In neither case can I 
> > change the SID with pdbedit. It seems to be added with a 
> > system-defined SID, irrespective of what I specify. pdbedit -v is able 
> > to list the user's parameters, including the SID.
> >
> > Any suggestions? I am pretty much stuck here trying to figure out how 
> > to migrate from an existing SAMBA3 domain to SAMBA4.
> >
> >
> Hi,
> Trying to add users one by one (preserving SID) is IMHO a lot harder 
> (you would probably need to ldbmodify the user record of each one) to 
> do, than fixing your samba3 install to have it classicupgraded.

Indeed.  The only way to safely import a list of users who already have
SIDs is to migrate them to Samba 4.0's AD DC using one of the supported
migration tools.

These are 'samba-tool domain join dc' and 'samba-tool domain

The reason is that we have to ensure that we never re-allocate the same
SID to a new user later.  For that reason, we have protection in the
domain controller code to prevent the administrator specifying the SID.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list