[Samba] classicupgrade - resolving group conflicts

John Yocum jtyocum at uw.edu
Thu Nov 6 13:32:27 MST 2014


On 11/06/2014 12:20 PM, Robert Moulton wrote:
> Greetings -
> 
> In an offline-test environment, I just took a first crack at a classic
> upgrade of our Samba 3.6.9 (389-DS LDAP backend) environment to Samba
> 4.1.13 AD. Among other issues, I see that we have some group/SID issues
> to address. From the upgrade output:
> 
> Could not add group name=guests ((68, "samldb: Account name
> (sAMAccountName) 'guests' already in use!"))
> Could not add group name=Domain Admins ((68, "samldb: Account name
> (sAMAccountName) 'Domain Admins' already in use!"))
> Could not add group name=Domain Users ((68, "samldb: Account name
> (sAMAccountName) 'Domain Users' already in use!"))
> Could not add group name=Domain Guests ((68, "samldb: Account name
> (sAMAccountName) 'Domain Guests' already in use!"))
> Could not add group name=Domain Computers ((68, "samldb: Account name
> (sAMAccountName) 'Domain Computers' already in use!"))
> 
> The relevant groups and their current SIDs in our current Samba 3
> environment:
> 
> [root at sack ~]# net groupmap list
> [...]
> guests (S-1-5-21-XXXdomainXXX-1040) -> guests
> [...]
> Domain Admins (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins
> Domain Users (S-1-5-21-XXXdomainXXX-2513) -> Domain Users
> Domain Guests (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests
> Domain Computers (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers
> [...]
> 
> And the appropriate SIDs, according to Microsoft:
> 
> http://support.microsoft.com/kb/243330
> 
> SID: S-1-5-32-546
> Name: Guests
> 
> SID: S-1-5-21domain-512
> Name: Domain Admins
> 
> SID: S-1-5-21domain-513
> Name: Domain Users
> 
> SID: S-1-5-21domain-514
> Name: Domain Guests
> 
> SID: S-1-5-21domain-515
> Name: Domain Computers
> 
> I assume that our SIDs can be changed to match the Microsoft-specified
> SIDs relatively easily. Am I right about that? If so, could someone
> describe how to do so, or direct me to appropriate documentation?
> 
> The "guests" group conflict poses an additional problem for us, because
> we happen to use it as one of our "primary" groups -- along with such
> groups as "staff", "faculty", "students", etc ... How would you suggest
> that I address the Guests conflict? Would it be a simple matter of
> renaming the group or ... ?
> 
> thanks,
> -r
> 

Robert,

Ah, someone else at UW making the switch from Samba3 to Samba4.

As for the guests group, we face the same issue. Our solution is to
rename the group before upgrading. In my testing, renaming it via an
LDIF works fine so long as Samba is stopped at the time the change is made.

-- 
John Yocum, Systems Administrator, DEOHS
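
An added example (not part of either message above, and not Samba project code): a pre-upgrade check that reads `net groupmap list` output and reports mapped groups whose names match the well-known groups quoted in the thread but whose SIDs differ from the well-known form. The sample input and its domain SID are constructed, and case-insensitive name matching is an assumption based on 'guests' colliding in the upgrade output.

```python
import re

# Well-known names and SID suffixes as quoted in the thread (Microsoft KB 243330).
# "domain" = RID appended to the domain SID; "builtin" = under S-1-5-32.
WELL_KNOWN = {
    "guests": ("builtin", 546),
    "domain admins": ("domain", 512),
    "domain users": ("domain", 513),
    "domain guests": ("domain", 514),
    "domain computers": ("domain", 515),
}

# Line shape shown in the thread: NT name (SID) -> unix group
LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[^)]+)\) -> (?P<unix>.+)$")

def find_conflicts(groupmap_text):
    """Return (nt_name, current_sid, expected) for each mapped group whose name
    matches a well-known group but whose SID does not have the well-known form."""
    conflicts = []
    for raw in groupmap_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips "[...]" and blank lines
        key = m["nt"].lower()  # assumption: names compare case-insensitively
        if key not in WELL_KNOWN:
            continue
        scope, rid = WELL_KNOWN[key]
        sid = m["sid"]
        if scope == "builtin":
            expected = f"S-1-5-32-{rid}"
            ok = sid == expected
        else:
            expected = f"S-1-5-21-<domain>-{rid}"
            ok = sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == str(rid)
        if not ok:
            conflicts.append((m["nt"], sid, expected))
    return conflicts

# Constructed sample: same shape as the thread's output, with a made-up domain SID
SAMPLE = """\
guests (S-1-5-21-1111111111-2222222222-3333333333-1040) -> guests
staff (S-1-5-21-1111111111-2222222222-3333333333-1041) -> staff
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-2512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users
"""

if __name__ == "__main__":
    for name, sid, expected in find_conflicts(SAMPLE):
        print(f"{name}: mapped to {sid}, well-known SID is {expected}")
```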

