[Samba] SAMBA4: pdbedit not changing SID

simon+samba at matthews.eu simon+samba at matthews.eu
Mon Apr 1 21:35:11 MDT 2013

On Mon, 1 Apr 2013, simon+samba at matthews.eu wrote:

> On Tue, 2 Apr 2013, Andrew Bartlett wrote:
>>   On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
>> >   2013-04-01 02:36 keltezéssel, simon+samba at matthews.eu írta:
>> > >   Since I don't seem to be having any luck with the classicupgrade, I 
>> > >   decided to try starting from scratch and then adding users.
>> > > 
>> > >   I ran the command:
>> > >   /usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \ 
>> > >   --domain=<mydomain> --adminpass 'mypass' --server-role=dc  \
>> > >   --dns-backend=BIND9_DLZ
>> > > 
>> > >   Then I tried both adding and changing users. In neither case can I 
>> > >   change the SID with pdbedit. It seems to be added with a 
>> > >   system-defined SID, irrespective of what I specify. pdbedit -v is 
>> > >   able to list the user's parameters, including the SID.
>> > > 
>> > >   Any suggestions? I am pretty much stuck here trying to figure out how 
>> > >   to migrate from an existing SAMBA3 domain to SAMBA4.
>> > > 
>> > > 
>> >   Hi,
>> > 
>> >   Trying to add users one by one (preserving SID) is IMHO a lot harder 
>> >   (you would probably need to ldbmodify the user record of each one) to 
>> >   do, than fixing your samba3 install to have it classicupgraded.
>>   Indeed.  The only way to safely import a list of users who already have
>>   SIDs is to migrate them to Samba 4.0's AD DC using one of the supported
>>   migration tools.
>>   These are 'samba-tool domain join dc' and 'samba-tool domain
>>   classicupgrade'.
> Perhaps I need to address why the "classicupgrade" did not work. I see now 
> that I did not pass the --dbdir option when running it before. I'll try 
> again.

I went back to trying to get the classicupgrade to work:
/usr/local/samba/bin/samba-tool domain classicupgrade  \
--dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b  \
/etc/samba/smb.conf --use-xattrs=yes

For the realm, I used a subdomain of one of the two existing dns domains 
in the LAN. It appears to be processing the information from the old 
domain tdb files, although I see some errors:
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Importing groups
Could not add group name=Remote Desktop Users ((68, "samldb: Account name 
(sAMAccountName) 'Remote Desktop Users' already in use!"))
Could not modify AD idmap entry for 
sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, 
type=ID_TYPE_GID ((32, "Base-DN 
'<SID=S-1-5-21-4254857281-3346836279-4152649156-555>' not found"))
Could not add posix attrs for AD entry for 
sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, "Base-DN 
'<SID=S-1-5-21-4254857281-3346836279-4152649156-555>' not found"))
Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, 
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

However, after this, all I get from pdbedit -L is:
# pdbedit -L
[root at samba ~]# pdbedit -L
krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b

Any ideas? What information might help debug this?
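As an added example (not code from the thread or from the Samba project), the following script triages the classicupgrade messages quoted above from the defender's side: it re-joins the wrapped log records, pulls out every SID, splits each into the domain SID and its RID, and flags RIDs that are Microsoft well-known ones. The sample log is constructed from the output pasted in this mail; the RID tables are the standard well-known BUILTIN and domain RIDs (for instance, RID 555 is BUILTIN\Remote Desktop Users, S-1-5-32-555, in Active Directory, which is why a Samba3 domain group carrying that name collides on sAMAccountName once the AD DC has been provisioned).

```python
import re

# Constructed sample: the classicupgrade messages quoted in the mail above,
# re-joined here as one string so the function runs offline.
SAMPLE_LOG = """\
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Importing groups
Could not add group name=Remote Desktop Users ((68, "samldb: Account name
(sAMAccountName) 'Remote Desktop Users' already in use!"))
Could not modify AD idmap entry for
sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077,
type=ID_TYPE_GID ((32, "Base-DN
'<SID=S-1-5-21-4254857281-3346836279-4152649156-555>' not found"))
Could not add posix attrs for AD entry for
sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, "Base-DN
'<SID=S-1-5-21-4254857281-3346836279-4152649156-555>' not found"))
Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
"""

# Microsoft well-known RIDs. BUILTIN ones live under S-1-5-32-<rid> in AD,
# so a Samba3 *domain* group reusing such a RID/name is a likely collision.
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests",
                548: "Account Operators", 549: "Server Operators",
                550: "Print Operators", 551: "Backup Operators",
                555: "Remote Desktop Users"}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
               512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
               515: "Domain Computers", 516: "Domain Controllers",
               518: "Schema Admins", 519: "Enterprise Admins",
               520: "Group Policy Creator Owners"}

# A new record starts with one of these prefixes; continuation lines are
# wrapped text belonging to the previous record.
RECORD_START = re.compile(r"\n(?=(?:Could not |Group already exists|Cannot open|Importing ))")
SID_RE = re.compile(r"sid=(S-1-5-21(?:-\d+){3}-\d+)")
NAME_RE = re.compile(r"\(sAMAccountName\) '([^']+)' already in use")


def split_sid(sid):
    """Split a domain SID into (domain SID, RID); reject anything else."""
    m = re.fullmatch(r"(S-1-5-21(?:-\d+){3})-(\d+)", sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def triage(log_text):
    """Summarise a classicupgrade log: which domain SIDs appear, which RIDs
    failed with 'not found', which already existed, which names collided,
    and which of the affected RIDs are well-known."""
    report = {"domain_sids": set(), "not_found_rids": set(),
              "already_exists_rids": set(), "name_collisions": [],
              "well_known": {}}
    for record in RECORD_START.split(log_text.strip()):
        flat = " ".join(record.split())          # undo the line wrapping
        report["name_collisions"].extend(NAME_RE.findall(flat))
        m = SID_RE.search(flat)
        if m is None:
            continue
        domain_sid, rid = split_sid(m.group(1))
        report["domain_sids"].add(domain_sid)
        if "not found" in flat:
            report["not_found_rids"].add(rid)
        elif "already exists" in flat:
            report["already_exists_rids"].add(rid)
        if rid in BUILTIN_RIDS:
            report["well_known"][rid] = "BUILTIN\\" + BUILTIN_RIDS[rid]
        elif rid in DOMAIN_RIDS:
            report["well_known"][rid] = DOMAIN_RIDS[rid]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real output, the report tells you whether the old domain's SID (the `S-1-5-21-...` prefix) actually made it into the new AD, which is the property the thread is trying to preserve, and separates the harmless "already exists, Ignoring" records (Domain Admins, RID 512) from the ones where an object was not created at all.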