[Samba] How to change objectSid?

Diego Woitasen diego at woitasen.com.ar
Wed Feb 5 18:12:38 MST 2014

On Wed, Feb 5, 2014 at 6:17 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2014-02-05 at 16:46 -0300, Diego Woitasen wrote:
>> On Wed, Feb 5, 2014 at 3:43 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> > On Wed, 2014-02-05 at 09:18 -0300, Diego Woitasen wrote:
>> >> I'm migrating from Samba3 to Samba4 in an environment where I have a
>> >> central location and branches. Every branch with its own Samba3, using
>> >> OpenLDAP.
>> >
>> > In each of these locations, did Samba have its own domain, or was this
>> > one big domain?
>> One big domain.
>> >
>> >> I can't migrate all the locations at the same time. I'm
>> >> going to migrate the central site and then I'm going to do one site per week
>> >> (around 10 locations).
>> >
>> > OK.
>> >
>> >> In the meantime, users and groups will be created in Samba3, so I was
>> >> thinking about injecting the new users and groups in the Samba4 until
>> >> we eliminate Samba3 definitely.
>> >
>> > Could you create them into Samba4, and instead back-populate them into
>> > Samba3?
>> Yes, I like that solution. I'm going to do it in that way.
>> The only remaining issue is the new workstations. I'll need to copy
>> the new machines from S3 to S4. If we don't do it, it's not a serious
>> issue, but it would be great. I think our client is not going to buy a
>> lot of machines in the middle of the migration :)
> It should be pretty easy to rejoin those machines, if that helps avoid
> another special case to handle.

By rejoin, you mean that I can rejoin the machines without going one
by one typing user and password? Could you explain this better?

>> My modified classicupgrade works to copy wks, but I'd prefer
>> something more simple. I'll open another thread about a script that
>> I've tried to do without success.
> OK.  I would like to understand how to make this tool and Samba in
> general more helpful for those doing complex migrations, particularly
> those for whom a once-over cut just isn't practical.

Something like this?

from samba.samba3 import passdb
from samba.dcerpc import samr

s3_passdb = get_s3_db()   # placeholder: open the Samba3 passdb, as classicupgrade does
s4_passdb = get_s4_db()   # placeholder: open the Samba4 passdb ('samba4' backend)

wkslist = s3_passdb.search_users(0)
for entry in wkslist:
    machine_name = entry['account_name']
    if machine_name[-1] != '$':
        continue  # not a machine account
    machine = s3_passdb.getsampwnam(machine_name)
    if not (machine.acct_ctrl & samr.ACB_WSTRUST):
        continue  # only workstation trust accounts
    try:
        s4_passdb.getsampwnam(machine_name)  # already in S4: nothing to do
    except passdb.error:
        s4_passdb.add_sam_account(machine)   # new workstation: inject it into S4

For some reason I can't connect to s3 and s4 like classicupgrade does;
I'll post about this tomorrow. Anyway, we need something simple like
that to inject workstations created in the middle of the migration.

Users and passwords from S4 to S3 using LDAP/LDB, like we discussed, and I
think that's all.

If this works, I'll document the success story :)

> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Diego Woitasen
Linux and Open Source solutions architect at www.vhgroup.net
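The other half of the plan above, back-populating users created in Samba4 into the Samba3 OpenLDAP backend, is not shown in the thread. The following is an added example (not code from the thread, from Samba or from classicupgrade) of the conversion step in pure Python: it takes one user record in the LDIF form that ldbsearch prints and produces the sambaSamAccount/posixAccount entry Samba3 expects, carrying the objectSid over unchanged as sambaSID and the NT hash (unicodePwd) over as sambaNTPassword. Assumptions: the input was read locally from sam.ldb as root (unicodePwd is only readable that way, never over LDAP), the caller supplies the POSIX uidNumber/gidNumber and base DN, the users live under an assumed ou=Users container, and the sample record and its hash are constructed, not real data.

```python
import base64

# Constructed sample record in the shape ldbsearch prints when run locally
# against sam.ldb; the SID and the unicodePwd value are made up, not a real hash.
SAMPLE_S4_LDIF = """\
dn: CN=Jane Doe,CN=Users,DC=example,DC=com
sAMAccountName: jdoe
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
userAccountControl: 512
unicodePwd:: AAECAwQFBgcICQoLDA0ODw==
displayName: Jane Doe
"""

ACCOUNTDISABLE = 0x0002   # AD userAccountControl bit


def parse_ldif_entry(text):
    """Parse one LDIF record into {attr: value}; 'attr::' values are base64-decoded to bytes."""
    folded = text.replace('\n ', '')          # join LDIF continuation lines
    entry = {}
    for line in folded.splitlines():
        if not line or line.startswith('#'):
            continue
        if ':: ' in line:                      # base64-encoded attribute (e.g. unicodePwd)
            attr, val = line.split(':: ', 1)
            entry[attr] = base64.b64decode(val)
        else:
            attr, val = line.split(': ', 1)
            entry[attr] = val
    return entry


def s4_to_s3_user(entry, base_dn, uid_number, gid_number):
    """Build the Samba3 (OpenLDAP) attributes for a Samba4 user entry.

    The SID is kept as-is so the account has the same identity on both sides;
    the 16-byte NT hash becomes sambaNTPassword as upper-case hex. The hash is
    password-equivalent, so the resulting LDIF must be handled as a secret.
    """
    name = entry['sAMAccountName']
    uac = int(entry.get('userAccountControl', '512'))
    flags = 'U' + ('D' if uac & ACCOUNTDISABLE else '')
    return {
        'dn': 'uid=%s,ou=Users,%s' % (name, base_dn),   # assumed container
        'objectClass': ['top', 'posixAccount', 'sambaSamAccount'],
        'uid': name,
        'cn': entry.get('displayName', name),
        'uidNumber': str(uid_number),
        'gidNumber': str(gid_number),
        'homeDirectory': '/home/%s' % name,            # assumed layout
        'sambaSID': entry['objectSid'],
        'sambaNTPassword': entry['unicodePwd'].hex().upper(),
        'sambaAcctFlags': '[%-11s]' % flags,           # e.g. "[U          ]"
    }


def to_ldif(attrs):
    """Render the attribute dict as an LDIF record suitable for ldapadd."""
    lines = ['dn: ' + attrs['dn']]
    for attr, val in attrs.items():
        if attr == 'dn':
            continue
        for v in (val if isinstance(val, list) else [val]):
            lines.append('%s: %s' % (attr, v))
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    s4 = parse_ldif_entry(SAMPLE_S4_LDIF)
    print(to_ldif(s4_to_s3_user(s4, 'dc=example,dc=com', 10001, 513)))
```

Only the attributes Samba3 needs for logon are emitted; sambaPrimaryGroupSID, sambaPwdLastSet and the LM hash are left out on purpose (Samba3 accepts the entry without them, and LM hashes should not be reintroduced). Run the script with the output piped into ldapadd against the OpenLDAP server, over a protected channel, since the file carries NT hashes.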
