[Samba] How to change objectSid?

Diego Woitasen diego at woitasen.com.ar
Wed Feb 5 12:46:28 MST 2014

On Wed, Feb 5, 2014 at 3:43 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2014-02-05 at 09:18 -0300, Diego Woitasen wrote:
>> I'm migrating from Samba3 to Samba4 in an environment where I have a
>> central location and branches. Every branch with its own Samba3, using
>> OpenLDAP.
> In each of these locations, did Samba have its own domain, or was this
> one big domain?

One big domain.

>> I can't migrate all the locations at the same time. I'm
>> going to migrate the central site and then I'm one site per week
>> (around 10 locations).
> OK.
>> In the meantime, users and groups will be created in Samba3, so I was
>> thinking about injecting the new users and groups in the Samba4 until
>> we eliminate Samba3 definitely.
> Could you create them into Samba4, and instead back-populate them into
> Samba3?

Yes, I like that solution. I'm going to do it in that way.

The only remaining issue is the new workstations. I'll need to copy
the new machines from S3 to S4. If we don't do it, it's not a serious
issue, but it would be great. I think our client is not going to buy a
lot of machines in the middle of the migration :)

My modified classicupgrade works to copy wks, but I'd prefer
something more simple. I'll open another thread about a script that
I've tried to do without success.

>> I've already done it with users, with a modified version of
>> classicupgrade but I can't do the same for groups.
> Can you explain a bit more about what worked and what didn't?  I don't
> see why groups would be much different to users in this regard.

I don't have the information now. :(

>> So groups are
>> created, the SID is assigned by Samba4, but I want to keep it in sync
>> with the SIDs in Samba3.
> If you do it this way, have you modified the classicupgrade to pass in a
> higher next_rid parameter (like --next-rid would for a normal
> provision), so you have room for the groups?

I prefer the s4->s3 solution.

> I'm certain we can help you handle this, one way or another,
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Diego Woitasen
Linux and Open Source solutions architect at www.vhgroup.net
