[Samba] classicupgrade - resolving group conflicts

Robert Moulton rmoulton at uw.edu
Fri Nov 7 10:24:25 MST 2014 

thanks! I sort of suspected that I could ignore the warnings about those
four groups, since they're unused in our current S3 world.

Stefan Kania wrote, on 11/7/14, 2:02 AM:
> Hi Robert,
> 
> you don't have to worry about the groups "domain admins" RID=512
> "domain users" RID=513, "Domain guests" RID 514 and "Domain Computers"
> RID 515. These are default groups und will be rebuild during the
> provisioning with clasicupgrade. You can't migrate these groups.
> 
> Stefan
> 
> Am 06.11.2014 um 21:20 schrieb Robert Moulton:
>> Greetings -
> 
>> In an offline-test environment, I just took a first crack at a
>> classic upgrade of our Samba 3.6.9 (389-DS LDAP backend)
>> environment to Samba 4.1.13 AD. Among other issues, I see that we
>> have some group/SID issues to address. From the upgrade output:
> 
>> Could not add group name=guests ((68, "samldb: Account name 
>> (sAMAccountName) 'guests' already in use!")) Could not add group
>> name=Domain Admins ((68, "samldb: Account name (sAMAccountName)
>> 'Domain Admins' already in use!")) Could not add group name=Domain
>> Users ((68, "samldb: Account name (sAMAccountName) 'Domain Users'
>> already in use!")) Could not add group name=Domain Guests ((68,
>> "samldb: Account name (sAMAccountName) 'Domain Guests' already in
>> use!")) Could not add group name=Domain Computers ((68, "samldb:
>> Account name (sAMAccountName) 'Domain Computers' already in
>> use!"))
> 
>> The relevant groups and their current SIDs in our current Samba 3 
>> environment:
> 
>> [root at sack ~]# net groupmap list [...] guests
>> (S-1-5-21-XXXdomainXXX-1040) -> guests [...] Domain Admins
>> (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins Domain Users
>> (S-1-5-21-XXXdomainXXX-2513) -> Domain Users Domain Guests
>> (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests Domain Computers
>> (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers [...]
> 
>> And the appropriate SIDs, according to Microsoft:
> 
>> http://support.microsoft.com/kb/243330
> 
>> SID: S-1-5-32-546 Name: Guests
> 
>> SID: S-1-5-21domain-512 Name: Domain Admins
> 
>> SID: S-1-5-21domain-513 Name: Domain Users
> 
>> SID: S-1-5-21domain-514 Name: Domain Guests
> 
>> SID: S-1-5-21domain-515 Name: Domain Computers
> 
>> I assume that our SIDs can be changed to match the
>> Microsoft-specified SIDs relatively easily. Am I right about that?
>> If so, could someone describe how to do so, or direct me to
>> appropriate documentation?
> 
>> The "guests" group conflict poses an additional problem for us,
>> because we happen to use it as one of our "primary" groups -- along
>> with such groups as "staff", "faculty", "students", etc ... How
>> would you suggest that I address the Guests conflict? Would it be a
>> simple matter of renaming the group or ... ?
> 
>> thanks, -r
> 
> 
>

More information about the samba mailing list