[Samba] Help with fixing users and groups with the same SID in LDAP
jonathan at buzzard.me.uk
Mon Dec 2 13:39:34 MST 2013
On 02/12/13 19:45, Tim wrote:
> Hi -
> I am working through the migration from samba3+ldap to samba4 ads and
> discovered some inconsistencies in our data in the process. We have several
> user/group pairs that have the same SID because somehow uidNumber and
> gidNumber were set to the same number.
There is absolutely nothing wrong with a uidNumber and gidNumber being
the same numerical value as they are two entirely different sets of
numbers. What is not possible in the Windows world is to have a username
and a group with the same text name. What looks to be at issue is that
you have been generating SID's based on the uidNumber or gidNumber which
has never been a sensible idea.
> Obviously this must be corrected for us to use the migration tool - I am just
> a little unsure of how best to fix this. My first thought is to change the
> gidNumbers to something unique and update the SID appropriately (by fixing the
> last part of the SID using gidNumber * 2 + 1000).
There should be no reason to change the gidNumber, just change the SID.
I would have the directory servers offline to the users while the
changes where made and restart any domain joined machines after
restarting the samba3+ldap combination.
However problems could occur if the SID for that group is stored
anywhere on a Windows machine, as any security based on the SID will be
a bust, though of course it is a bust at the moment...
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
More information about the samba