[Samba] duplicate sids against classicupgrade

Marc Muehlfeld mmuehlfeld at samba.org
Fri May 23 02:29:54 MDT 2014


Hello Tamas,

Am 22.05.2014 15:29, schrieb Pisch Tamás:
> I have a working Samba3 domain with 3.6 servers. Samba runs on Debian
> Wheezy and has openldap backend. I'm going to upgrade to Sernet Samba 4.1.
> I copied the pdc to a virtual machine to test the upgrade process.
> According to the wiki I cannot have duplicate SIDs, but I have about
> forty. It seems they are the same ones that the net groupmap list command gives.
> Some smb.conf parameters:
> ldap idmap suffix = ou=idmap
> idmap config * : default = yes
> idmap config * : range = 10000-20000
> idmap config * : backend = ldap
> idmap config * : ldap_base_dn = ou=Idmap,dc=my,dc=site
> 
> net groupmap list
> ...
> Domain Users (S-1-....-513) -> Domain Users
> ...
> How can I eliminate the duplicate entries?


You can change a duplicate SID directly in LDAP. Simply use an LDAP
browser of your choice (like http://jxplorer.org/).



BUT: Windows uses only SIDs to identify users/groups/machines!

This means if you change the SID of a machine account, this machine
won't be able to log in any more (you have to re-join)!

If you change the SID of a user or group that is nowhere linked (like
in other domain groups, local groups/policies, etc.), then it should be
safe to simply change the SID. But e.g. if your domain user account is
a member of the local administrators group and you change the SID, then
you will see an unresolvable SID entry in the local administrators group
and the account doesn't have these privileges any more, because the old
SID that was linked does not exist any more.

That's why I would e.g. never change the SID of "Domain Users". This
one is surely linked somewhere in your network.

So be careful what you change, and test it!



Regards,
Marc
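As an added illustration (not part of the thread above and not Samba's own tooling), the following Python script does the audit Marc's advice calls for before anyone touches a SID in LDAP: it parses an LDIF export of the directory, lists every sambaSID value that appears on more than one entry, and flags the cases the reply warns about, namely well-known RIDs such as 513 (Domain Users) and machine accounts whose SID change would force a re-join. The LDIF below is constructed sample data with a placeholder domain SID; the DN layout (ou=Groups, ou=Users, ou=Computers and the ou=Idmap subtree from the quoted smb.conf) and the well-known RID table are assumptions, and a real run would feed it the output of `ldapsearch -LLL -b dc=my,dc=site sambaSID`.

```python
import base64
from collections import defaultdict

# Constructed LDIF sample (not from the thread): two SIDs are duplicated,
# one on a well-known group and its idmap entry, one on a user and a machine.
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,dc=my,dc=site
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 10513
sambaSID: S-1-5-21-1111-2222-3333-513

dn: sambaSID=S-1-5-21-1111-2222-3333-513,ou=Idmap,dc=my,dc=site
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-513
gidNumber: 10513

dn: uid=alice,ou=Users,dc=my,dc=site
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-1105
sambaAcctFlags: [U          ]

dn: uid=pc01$,ou=Computers,dc=my,dc=site
objectClass: sambaSamAccount
uid: pc01$
sambaSID: S-1-5-21-1111-2222-3333-1105
sambaAcctFlags: [W          ]

dn: uid=bob,ou=Users,dc=my,dc=site
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1111-2222-3333-1106
"""

# RIDs that Windows and Samba reserve; these SIDs are referenced all over a
# domain (local groups, ACLs, policies), so renumbering them breaks things.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each a dict of lowercase attr -> [values]."""
    entries, current = [], None
    for line in _unfold(text):
        if not line.strip():              # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def is_machine_account(entry):
    """Machine accounts carry a trailing '$' in uid and/or the 'W' account flag."""
    uid = entry.get("uid", [""])[0]
    flags = "".join(entry.get("sambaacctflags", []))
    return uid.endswith("$") or "W" in flags


def find_duplicate_sids(entries):
    """Map each sambaSID that occurs on more than one entry to those entries."""
    by_sid = defaultdict(list)
    for entry in entries:
        for sid in entry.get("sambasid", []):
            by_sid[sid].append(entry)
    return {sid: es for sid, es in by_sid.items() if len(es) > 1}


def assess(duplicates):
    """For every duplicated SID, list the DNs involved and why changing it is risky."""
    report = {}
    for sid, entries in sorted(duplicates.items()):
        rid = int(sid.rsplit("-", 1)[1])
        risks = []
        if rid in WELL_KNOWN_RIDS:
            risks.append(f"well-known RID {rid} ({WELL_KNOWN_RIDS[rid]}): "
                         "referenced throughout the domain, do not renumber")
        if any(is_machine_account(e) for e in entries):
            risks.append("machine account involved: a new SID forces a re-join")
        report[sid] = {"rid": rid, "dns": [e["dn"][0] for e in entries], "risks": risks}
    return report


if __name__ == "__main__":
    for sid, info in assess(find_duplicate_sids(parse_ldif(SAMPLE_LDIF))).items():
        print(sid)
        for dn in info["dns"]:
            print("   ", dn)
        for risk in info["risks"] or ["no special risk detected; still verify references"]:
            print("  !", risk)
```

The report only tells you which duplicates are safe candidates for a manual fix in the LDAP browser and which ones (well-known groups, machine accounts) need the re-join or reference check Marc describes; it deliberately changes nothing in the directory.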

