[Samba] How to change objectSid?

Andrew Bartlett abartlet at samba.org
Wed Feb 5 22:13:00 MST 2014

On Wed, 2014-02-05 at 22:14 -0300, Diego Woitasen wrote:
> On Wed, Feb 5, 2014 at 6:43 PM, Michael Brown <michael at netdirect.ca> wrote:
> > On 14-02-05 04:17 PM, Andrew Bartlett wrote:
> >> Yes, I like that solution. I'm going to do it in that way.
> >>
> >> The only remaining issue are the new workstations. I'll need to copy
> >> the new machines from S3 to S4. If we don't do it, it's not a serious
> >> issue, but it would be great. I think our client is not going to buy a
> >> lot of machine in the middle of the migration :)
> >> It should be pretty easy to rejoin those machines, if that helps avoid
> >> another special case to handle.
> > Speaking as someone who had to delete a bunch of computer accounts prior
> > to his 3→4 migration and rejoin them to the realm afterwards (yeah… a
> > lot of them had duplicate SIDs or a blank last part of the SID
> > (interpreted as -0)), rejoining them is pretty easy and works just fine.
> >
> > You could even precreate the accounts or delegate that right.
> >
> > As long as the domain SID isn't changing you should be fine.
> >
> Could you clarify this? Andrew mentioned the same. How does the rejoin
> work? Or the "precreate" process that you mention.
> I have 500> in some sites, if rejoin means to go one by one, I don't
> like that solution :)

Rejoin was referring to rejoining only the machines added to the network
during the time between now and the end of the migration.  Surely that's
less machines than is worth scripting a solution for?

If it is still too much work, then ensure the next_rid is set high
enough to allow additional machines to be joined before the first Samba4
allocated RID.  (A patch to allow --next-rid to be specified to
classicupgrade would be very useful). 

Finally, it seems what you and a number of other folks want is a
'samba-tool domain classicupgrade --update', that instead of wiping the
AD domain, simply imports new accounts (where there is RID space) and
syncs passwords based on the last change time.  It really shouldn't be
too hard to write, but someone would need to add the code for it. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list