[Samba] classicupgrade - resolving group conflicts
rmoulton at uw.edu
Fri Nov 7 10:24:25 MST 2014
thanks! I sort of suspected that I could ignore the warnings about those
four groups, since they're unused in our current S3 world.
Stefan Kania wrote, on 11/7/14, 2:02 AM:
> Hi Robert,
> you don't have to worry about the groups "domain admins" RID=512
> "domain users" RID=513, "Domain guests" RID 514 and "Domain Computers"
> RID 515. These are default groups und will be rebuild during the
> provisioning with clasicupgrade. You can't migrate these groups.
> Am 06.11.2014 um 21:20 schrieb Robert Moulton:
>> Greetings -
>> In an offline-test environment, I just took a first crack at a
>> classic upgrade of our Samba 3.6.9 (389-DS LDAP backend)
>> environment to Samba 4.1.13 AD. Among other issues, I see that we
>> have some group/SID issues to address. From the upgrade output:
>> Could not add group name=guests ((68, "samldb: Account name
>> (sAMAccountName) 'guests' already in use!")) Could not add group
>> name=Domain Admins ((68, "samldb: Account name (sAMAccountName)
>> 'Domain Admins' already in use!")) Could not add group name=Domain
>> Users ((68, "samldb: Account name (sAMAccountName) 'Domain Users'
>> already in use!")) Could not add group name=Domain Guests ((68,
>> "samldb: Account name (sAMAccountName) 'Domain Guests' already in
>> use!")) Could not add group name=Domain Computers ((68, "samldb:
>> Account name (sAMAccountName) 'Domain Computers' already in
>> The relevant groups and their current SIDs in our current Samba 3
>> [root at sack ~]# net groupmap list [...] guests
>> (S-1-5-21-XXXdomainXXX-1040) -> guests [...] Domain Admins
>> (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins Domain Users
>> (S-1-5-21-XXXdomainXXX-2513) -> Domain Users Domain Guests
>> (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests Domain Computers
>> (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers [...]
>> And the appropriate SIDs, according to Microsoft:
>> SID: S-1-5-32-546 Name: Guests
>> SID: S-1-5-21domain-512 Name: Domain Admins
>> SID: S-1-5-21domain-513 Name: Domain Users
>> SID: S-1-5-21domain-514 Name: Domain Guests
>> SID: S-1-5-21domain-515 Name: Domain Computers
>> I assume that our SIDs can be changed to match the
>> Microsoft-specified SIDs relatively easily. Am I right about that?
>> If so, could someone describe how to do so, or direct me to
>> appropriate documentation?
>> The "guests" group conflict poses an additional problem for us,
>> because we happen to use it as one of our "primary" groups -- along
>> with such groups as "staff", "faculty", "students", etc ... How
>> would you suggest that I address the Guests conflict? Would it be a
>> simple matter of renaming the group or ... ?
>> thanks, -r
More information about the samba