[Samba] classicupgrade - resolving group conflicts

Robert Moulton rmoulton at uw.edu
Thu Nov 6 13:20:31 MST 2014


Greetings -

In an offline-test environment, I just took a first crack at a classic
upgrade of our Samba 3.6.9 (389-DS LDAP backend) environment to Samba
4.1.13 AD. Among other issues, I see that we have some group/SID issues
to address. From the upgrade output:

Could not add group name=guests ((68, "samldb: Account name
(sAMAccountName) 'guests' already in use!"))
Could not add group name=Domain Admins ((68, "samldb: Account name
(sAMAccountName) 'Domain Admins' already in use!"))
Could not add group name=Domain Users ((68, "samldb: Account name
(sAMAccountName) 'Domain Users' already in use!"))
Could not add group name=Domain Guests ((68, "samldb: Account name
(sAMAccountName) 'Domain Guests' already in use!"))
Could not add group name=Domain Computers ((68, "samldb: Account name
(sAMAccountName) 'Domain Computers' already in use!"))

The relevant groups and their current SIDs in our current Samba 3
environment:

[root@sack ~]# net groupmap list
[...]
guests (S-1-5-21-XXXdomainXXX-1040) -> guests
[...]
Domain Admins (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins
Domain Users (S-1-5-21-XXXdomainXXX-2513) -> Domain Users
Domain Guests (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests
Domain Computers (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers
[...]

And the appropriate SIDs, according to Microsoft:

http://support.microsoft.com/kb/243330

SID: S-1-5-32-546
Name: Guests

SID: S-1-5-21domain-512
Name: Domain Admins

SID: S-1-5-21domain-513
Name: Domain Users

SID: S-1-5-21domain-514
Name: Domain Guests

SID: S-1-5-21domain-515
Name: Domain Computers

I assume that our SIDs can be changed to match the Microsoft-specified
SIDs relatively easily. Am I right about that? If so, could someone
describe how to do so, or direct me to appropriate documentation?

The "guests" group conflict poses an additional problem for us, because
we happen to use it as one of our "primary" groups -- along with such
groups as "staff", "faculty", "students", etc ... How would you suggest
that I address the Guests conflict? Would it be a simple matter of
renaming the group or ... ?

thanks,
-r
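
An added example, not part of the original post: a small Python check that reads `net groupmap list` output and reports every group whose name matches one of the well-known names quoted above but whose SID differs from the Microsoft-listed one. The sample input, the "staff" RID and the function names are constructed for illustration, and the case-insensitive name match is an assumption based on the 'guests' conflict in the upgrade output.

```python
import re

# Names and SIDs exactly as listed in the post (Microsoft KB 243330).
# An int is a domain-relative RID; a str is a complete builtin SID.
WELL_KNOWN = {
    "guests": "S-1-5-32-546",
    "domain admins": 512,
    "domain users": 513,
    "domain guests": 514,
    "domain computers": 515,
}

# One mapping line of `net groupmap list`: NTname (SID) -> unixgroup
LINE_RE = re.compile(r"^(.+?) \((S-1-[0-9A-Za-z-]+)\) -> (.+)$")

def parse_groupmap(text):
    """Yield (nt_name, sid, unix_group); lines such as "[...]" are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()

def find_conflicts(text):
    """Return (name, current_sid, well_known_sid) for every mismatch."""
    conflicts = []
    for name, sid, _unix in parse_groupmap(text):
        # Assumption: names collide case-insensitively, as 'guests' did in the post.
        expected = WELL_KNOWN.get(name.lower())
        if expected is None:
            continue
        if isinstance(expected, int):
            # Keep the domain part of the current SID, swap in the well-known RID.
            expected = f"{sid.rpartition('-')[0]}-{expected}"
        if sid != expected:
            conflicts.append((name, sid, expected))
    return conflicts

# Constructed sample modelled on the post's output; the domain part is a placeholder.
SAMPLE = """\
[...]
guests (S-1-5-21-XXXdomainXXX-1040) -> guests
staff (S-1-5-21-XXXdomainXXX-1041) -> staff
Domain Admins (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins
Domain Users (S-1-5-21-XXXdomainXXX-513) -> Domain Users
"""

if __name__ == "__main__":
    for name, sid, want in find_conflicts(SAMPLE):
        print(f"{name}: mapped to {sid}, well-known SID is {want}")
```

Running it against the real `net groupmap list` output before the upgrade gives the list of mappings to review; it only reports mismatches and changes nothing.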