[Samba] classicupgrade - resolving group conflicts

Robert Moulton rmoulton at uw.edu
Fri Nov 7 10:23:38 MST 2014 

John Yocum wrote, on 11/6/14, 12:32 PM:
> On 11/06/2014 12:20 PM, Robert Moulton wrote:
>> Greetings -
>>
>> In an offline-test environment, I just took a first crack at a classic
>> upgrade of our Samba 3.6.9 (389-DS LDAP backend) environment to Samba
>> 4.1.13 AD. Among other issues, I see that we have some group/SID issues
>> to address. From the upgrade output:
>>
>> Could not add group name=guests ((68, "samldb: Account name
>> (sAMAccountName) 'guests' already in use!"))
>> Could not add group name=Domain Admins ((68, "samldb: Account name
>> (sAMAccountName) 'Domain Admins' already in use!"))
>> Could not add group name=Domain Users ((68, "samldb: Account name
>> (sAMAccountName) 'Domain Users' already in use!"))
>> Could not add group name=Domain Guests ((68, "samldb: Account name
>> (sAMAccountName) 'Domain Guests' already in use!"))
>> Could not add group name=Domain Computers ((68, "samldb: Account name
>> (sAMAccountName) 'Domain Computers' already in use!"))
>>
>> The relevant groups and their current SIDs in our current Samba 3
>> environment:
>>
>> [root at sack ~]# net groupmap list
>> [...]
>> guests (S-1-5-21-XXXdomainXXX-1040) -> guests
>> [...]
>> Domain Admins (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins
>> Domain Users (S-1-5-21-XXXdomainXXX-2513) -> Domain Users
>> Domain Guests (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests
>> Domain Computers (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers
>> [...]
>>
>> And the appropriate SIDs, according to Microsoft:
>>
>> http://support.microsoft.com/kb/243330
>>
>> SID: S-1-5-32-546
>> Name: Guests
>>
>> SID: S-1-5-21domain-512
>> Name: Domain Admins
>>
>> SID: S-1-5-21domain-513
>> Name: Domain Users
>>
>> SID: S-1-5-21domain-514
>> Name: Domain Guests
>>
>> SID: S-1-5-21domain-515
>> Name: Domain Computers
>>
>> I assume that our SIDs can be changed to match the Microsoft-specified
>> SIDs relatively easily. Am I right about that? If so, could someone
>> describe how to do so, or direct me to appropriate documentation?
>>
>> The "guests" group conflict poses an additional problem for us, because
>> we happen to use it as one of our "primary" groups -- along with such
>> groups as "staff", "faculty", "students", etc ... How would you suggest
>> that I address the Guests conflict? Would it be a simple matter of
>> renaming the group or ... ?
>>
>> thanks,
>> -r
>>
> 
> Robert,
> 
> Ah, someone else at UW making the switch from Samba3 to Samba4.
> 
> As for the guests group, we face the same issue. Our solution is to
> rename the group before upgrading. In my testing, renaming it via an
> LDIF works fine so long as Samba is stopped at the time the change is made.
> 

thanks John. Applying an LDIF adjustment (comprised of appropriate
commands to modify 'displayName' and set a corresponding 'newrdn') to
change the name of the "guests" group worked nicely.

More information about the samba mailing list