[Samba] classicupgrade - resolving group conflicts

Stefan Kania stefan at kania-online.de
Fri Nov 7 03:02:54 MST 2014

Hash: SHA1

Hi Robert,

you don't have to worry about the groups "domain admins" RID=512
"domain users" RID=513, "Domain guests" RID 514 and "Domain Computers"
RID 515. These are default groups und will be rebuild during the
provisioning with clasicupgrade. You can't migrate these groups.


Am 06.11.2014 um 21:20 schrieb Robert Moulton:
> Greetings -
> In an offline-test environment, I just took a first crack at a
> classic upgrade of our Samba 3.6.9 (389-DS LDAP backend)
> environment to Samba 4.1.13 AD. Among other issues, I see that we
> have some group/SID issues to address. From the upgrade output:
> Could not add group name=guests ((68, "samldb: Account name 
> (sAMAccountName) 'guests' already in use!")) Could not add group
> name=Domain Admins ((68, "samldb: Account name (sAMAccountName)
> 'Domain Admins' already in use!")) Could not add group name=Domain
> Users ((68, "samldb: Account name (sAMAccountName) 'Domain Users'
> already in use!")) Could not add group name=Domain Guests ((68,
> "samldb: Account name (sAMAccountName) 'Domain Guests' already in
> use!")) Could not add group name=Domain Computers ((68, "samldb:
> Account name (sAMAccountName) 'Domain Computers' already in
> use!"))
> The relevant groups and their current SIDs in our current Samba 3 
> environment:
> [root at sack ~]# net groupmap list [...] guests
> (S-1-5-21-XXXdomainXXX-1040) -> guests [...] Domain Admins
> (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins Domain Users
> (S-1-5-21-XXXdomainXXX-2513) -> Domain Users Domain Guests
> (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests Domain Computers
> (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers [...]
> And the appropriate SIDs, according to Microsoft:
> http://support.microsoft.com/kb/243330
> SID: S-1-5-32-546 Name: Guests
> SID: S-1-5-21domain-512 Name: Domain Admins
> SID: S-1-5-21domain-513 Name: Domain Users
> SID: S-1-5-21domain-514 Name: Domain Guests
> SID: S-1-5-21domain-515 Name: Domain Computers
> I assume that our SIDs can be changed to match the
> Microsoft-specified SIDs relatively easily. Am I right about that?
> If so, could someone describe how to do so, or direct me to
> appropriate documentation?
> The "guests" group conflict poses an additional problem for us,
> because we happen to use it as one of our "primary" groups -- along
> with such groups as "staff", "faculty", "students", etc ... How
> would you suggest that I address the Guests conflict? Would it be a
> simple matter of renaming the group or ... ?
> thanks, -r

Version: GnuPG v1


More information about the samba mailing list