[Samba] How to change objectSid?

Diego Woitasen diego at woitasen.com.ar
Wed Feb 5 05:18:33 MST 2014

I'm migrating from Samba3 o Samba4 in en environment where I have a
central location and branches. Every branch with its own Samba3, using
OpenLDAP. I can't migrate all the locations at the same time. I'm
going to migrate the central site and then I'm one site per week
(around 10 locations).

In the meantime, users and groups will be created in Samba3, so I was
thinking about injecting the new users and groups in the Samba4 until
we eliminate Samba3 definitely.

I've already done it with users, with a modified version of
classicupgrade but I can't do the same for groups. So groups are
created, the SID is assiged by Samba4, but I want to keep it in sync
with the SIDs in Samba3.


On Tue, Feb 4, 2014 at 10:06 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2014-02-04 at 20:50 -0300, Diego Woitasen wrote:
>> Hi,
>>  I'm trying to modify the objectSid of a group using python-ldap. I've
>> found that I need a server control to do it but doesn't work. The code
>> that I'm using:
>>         modlist = [ (ldap.MOD_REPLACE, 'objectSid', s3sid_packed) ]
>>         LDB_CONTROL_RELAX_OID = ""
>>         controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID, criticality=0),
>>                 LDAPControl(LDB_CONTROL_RELAX_OID, criticality=0) ]
>>         s4ldap.modify_ext_s(s4dn, modlist, serverctrls=controls,
>>             clientctrls=controls)
>> I'm using the domain administrator to bind to the server.
>> The error that I get:
>> ldap.UNWILLING_TO_PERFORM: {'info': '00002035: samldb: objectSid must
>> not be specified!', 'desc': 'Server is unwilling to perform'}
>> Is there a way to do it? I know that it is not something to be done
>> usually, but trust me, I need it :)
> You can't do this over LDAP, you would have to use our ldb bindings and
> do it directly on the sam.ldb.  We don't allow these controls over the
> LDAP connection, because of the dangerous things they can do.
> You must also ensure you have adjusted your RID allocation pools to
> ensure this RID is never allocated by Samba.
> Finally, if you could detail a little more than 'trust me', I might be
> able to help you find a different way to solve the problem, or at least
> understand how we could help our users better deal with these kinds of
> difficult situations.
> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Diego Woitasen
Linux and Open Source solutions architect at www.vhgroup.net

More information about the samba mailing list