[Samba] change local & domain sids and implications

Rowland penny rpenny at samba.org
Thu Mar 24 11:14:21 UTC 2016

On 24/03/16 09:36, lejeczek wrote:
> On 23/03/16 19:40, Marc Muehlfeld wrote:
>> Hello,
>> Am 21.03.2016 um 17:45 schrieb lejeczek:
>>> I'm thinking I'll grab whole lot of my ldap backend and change SID -
>>> what will this cause to workstation/machine members?
>>> I'm guessing user accounts should be fine and people would be able to
>>> log in, but machines would probably have to rejoin (if I can call it
>>> that, because the domain name is different).
>> If you change the domain SID, everything is affected, because you're
>> having a new domain. This means all workstations need to be rejoined.
>> Also if your domain users are linked e.g. on Windows ACLs or are
>> members of local groups, etc. this won't be resolved any more and needs
>> to be fixed.
>> What is the reason for this?
> I have to change both samba workgroup name & DN under which all samba 
> resides in ldap, and I hope I can preserve as much as possible.
> Is there a best practice for this?
> many thanks.
> L.
>> Regards,
>> Marc

After some thought, I do not think this is as easy as you think it will
be. Yes, you could dump your ldap content into an ldif and then alter
this with a new SID, RootDSE etc. and use this to propagate your new
Samba domain in ldap. This alone will take some work, removing the lines
you don't need, changing all instances of the SID etc.

If you do get the ldap setup correctly, you will then have to alter your 
smb.conf with a new workgroup name etc.

So you have the new Samba server running; you will then have to turn to
the Windows workstations. All of these will have to leave the old domain
and then join the new domain, and this will involve rebooting each of them.

So your Windows workstations are now members of your new domain, what
about the users?
They exist in the new domain and this is where you will hit your next
problem: 'OLDDOMAIN\userA' != 'NEWDOMAIN\UserA', i.e. when UserA logs
into the new domain, they will get a new profile and *will not* be able
to access their old profile.

It will probably be easier to start again from scratch and this time set 
up an AD domain.

