[Samba] Help with fixing users and groups with the same SID in LDAP

Jonathan Buzzard jonathan at buzzard.me.uk
Mon Dec 2 13:39:34 MST 2013


On 02/12/13 19:45, Tim wrote:
>
> Hi -
>
> I am working through the migration from samba3+ldap to samba4 ads and
> discovered some inconsistencies in our data in the process. We have several
> user/group pairs that have the same SID because somehow uidNumber and
> gidNumber were set to the same number.

There is absolutely nothing wrong with a uidNumber and gidNumber being 
the same numerical value as they are two entirely different sets of 
numbers. What is not possible in the Windows world is to have a username 
and a group with the same text name. What looks to be at issue is that 
you have been generating SIDs based on the uidNumber or gidNumber which 
has never been a sensible idea.

>
> Obviously this must be corrected for us to use the migration tool - I am just
> a little unsure of how best to fix this. My first thought is to change the
> gidNumbers to something unique and update the SID appropriately (by fixing the
> last part of the SID using gidNumber * 2 + 1000).

There should be no reason to change the gidNumber, just change the SID. 
I would have the directory servers offline to the users while the 
changes were made and restart any domain joined machines after 
restarting the samba3+ldap combination.

However problems could occur if the SID for that group is stored 
anywhere on a Windows machine, as any security based on the SID will be 
a bust, though of course it is a bust at the moment...


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
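As an added illustration, not part of this thread or of Samba itself: a script that applies the reply's advice of re-deriving only the group's SID. It reads an LDIF export, finds any sambaSID shared by a sambaSamAccount and a sambaGroupMapping entry, and emits LDIF modify records for the groups. It assumes Samba 3's default algorithmic RID mapping (RID = 2*uid + 1000 for users, 2*gid + 1001 for groups) with the default rid base of 1000; the domain SID and the sample entries are constructed.

```python
import re
from collections import defaultdict
DOMAIN_SID = "S-1-5-21-111-222-333"  # constructed placeholder domain SID
RID_BASE = 1000                      # Samba's default "algorithmic rid base"
# Constructed sample entries: user alice and group staff share one sambaSID
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uidNumber: 1001
sambaSID: S-1-5-21-111-222-333-3002

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-111-222-333-3002
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key].append(value)
        entries.append(dict(entry))
    return entries

def algorithmic_sid(number, is_group):
    """Samba 3 default mapping: RID = 2*id + base, plus 1 for groups (odd RIDs)."""
    return f"{DOMAIN_SID}-{number * 2 + RID_BASE + (1 if is_group else 0)}"

def find_sid_collisions(entries):
    """Map each SID shared by a user and a group to [(group dn, corrected SID)]."""
    by_sid = defaultdict(list)
    for e in entries:
        for sid in e.get("sambaSID", []):
            by_sid[sid].append(e)
    fixes = {}
    for sid, shared in by_sid.items():
        users = [e for e in shared if "sambaSamAccount" in e["objectClass"]]
        groups = [e for e in shared if "sambaGroupMapping" in e["objectClass"]]
        if users and groups:  # keep the user's SID, re-derive the group's
            fixes[sid] = [(g["dn"][0], algorithmic_sid(int(g["gidNumber"][0]), True)) for g in groups]
    return fixes

def fix_ldif(fixes):
    """LDIF 'changetype: modify' records replacing each colliding group SID."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nreplace: sambaSID\nsambaSID: {sid}\n-\n"
                     for groups in fixes.values() for dn, sid in groups)
```

Feed the output to ldapmodify only after taking the servers offline as the reply suggests, since any ACLs on Windows hosts that already reference the old group SID will stop matching.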

