[Samba] duplicate sids against classicupgrade
Pisch Tamás
pischta at gmail.com
Fri May 23 05:51:17 MDT 2014
Thanks for your answer.
I understand more or less why ID mappings are needed, and what SID means. I'm
aware of the dangers of changing SIDs.
In the database I see that there are entries in the Groups ou and the
Idmap ou with the same SID.
>
> You can change a duplicate SID directly in LDAP. Simply use an LDAP
> browser of your choice (like http://jxplorer.org/).
>
>
>
> BUT: Windows uses only SIDs to identify users/groups/machines!
>
> This means if you change the SID of a machine account, this machine
> won't be able to log in any more (you have to re-join)!
>
> If you change the SID of a user or group that is nowhere linked (like
> in other domain groups, local groups/policies, etc.), then it should be
> safe to simply change the SID. But e. g. if your domain user account is
> member of the local administrators group and you change the SID, then
> you will see an unresolvable SID entry in the local administrators group
> and the account doesn't have these privileges any more, because the old
> SID that was linked does not exist any more.
>
> That's why I would e. g. never change the SID of "Domain users". This
> one is surely somewhere linked in your network.
>
> So be careful what you change and test it!
>
>
>
> Regards,
> Marc
>
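
As an added example (not part of the messages above and not Samba's own tooling): a read-only check that lists every SID carried by more than one entry in an LDIF export of the old LDAP directory, so the colliding DNs can be reviewed before anything is changed. The sample LDIF, its DNs and the function names are constructed for illustration; `sambaSID` is the attribute name from the Samba LDAP schema.

```python
import base64
from collections import defaultdict

# Constructed sample export (not data from the thread): a group and an idmap
# entry carry the same SID; the third entry has a base64-encoded value.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
B64_SID = base64.b64encode(f"{DOMAIN}-1001".encode()).decode()
SAMPLE_LDIF = f"""\
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
sambaSID: {DOMAIN}-3001

dn: sambaSID={DOMAIN}-3001,ou=Idmap,dc=exa
 mple,dc=com
objectClass: sambaIdmapEntry
sambaSID: {DOMAIN}-3001

dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
sambaSID:: {B64_SID}
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased names to value lists."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())

def find_duplicate_sids(text):
    """Return {sid: [dn, ...]} for each SID that appears on more than one entry."""
    owners = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        for sid in set(attrs.get("sambasid", [])):
            owners[sid.upper()].append(dn)
    return {sid: dns for sid, dns in owners.items() if len(dns) > 1}
```

Calling `find_duplicate_sids()` on the text of an export returns a dictionary mapping each shared SID to the DNs that hold it; for the constructed sample that is the one group/idmap pair.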