[Samba] SAMBA4: pdbedit not changing SID
Andrew Bartlett
abartlet at samba.org
Mon Apr 1 16:14:23 MDT 2013
On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
> 2013-04-01 02:36 keltezéssel, simon+samba at matthews.eu írta:
> > Since I don't seem to be having any luck with the classicupgrade, I
> > decided to try starting from scratch and then adding users.
> >
> > I ran the command:
> > /usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \
> > --domain=<mydomain> --adminpass 'mypass' --server-role=dc \
> > --dns-backend=BIND9_DLZ
> >
> > Then I tried both adding and changing users. In neither case can I
> > change the SID with pdbedit. It seems to be added with a
> > system-defined SID, irrespective of what I specify. pdbedit -v is able
> > to list the user's parameters, including the SID.
> >
> > Any suggestions? I am pretty much stuck here trying to figure out how
> > to migrate from an existing SAMBA3 domain to SAMBA4.
> >
> >
> Hi,
>
> Trying to add users one by one (preserving SID) is IMHO a lot harder
> (you would probably need to ldbmodify the user record of each one) to
> do, than fixing your samba3 install to have it classicupgraded.
Indeed. The only way to safely import a list of users who already have
SIDs is to migrate them to Samba 4.0's AD DC using one of the supported
migration tools.
These are 'samba-tool domain join dc' and 'samba-tool domain
classicupgrade'.
The reason is that we have to ensure that we never re-allocate the same
SID to a new user later. For that reason, we have protection in the
domain controller code to prevent the administrator specifying the SID.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba
mailing list