[Samba] change local & domain sids and implications
rpenny at samba.org
Thu Mar 24 11:14:21 UTC 2016
On 24/03/16 09:36, lejeczek wrote:
> On 23/03/16 19:40, Marc Muehlfeld wrote:
>> On 21.03.2016 at 17:45, lejeczek wrote:
>>> I'm thinking I'll grab the whole lot of my ldap backend and change the SID -
>>> what will this cause to workstation/machine members?
>>> I'm guessing user accounts should be fine and people would be able to
>>> log in but machines would probably have to rejoin (if I can call it that,
>>> because the domain name is different).
>> If you change the domain SID, everything is affected, because you're
>> having a new domain. This means all workstations need to be rejoined.
>> Also if your domain users are linked e.g. on Windows ACLs or are
>> members of local groups, etc. this won't be resolved any more and needs
>> to be fixed.
>> What is the reason for this?
> I have to change both samba workgroup name & DN under which all samba
> resides in ldap, and I hope I can preserve as much as possible.
> Is there a best practice for this?
> Many thanks.
After some thought, I do not think this is as easy as you think it will
be. Yes, you could dump your ldap content into an ldif and then alter
this with a new SID, RootDSE etc. and use this to propagate your new
Samba domain in ldap. This alone will take some work, removing the lines
you don't need, changing all instances of the SID etc.
If you do get the ldap set up correctly, you will then have to alter your
smb.conf with a new workgroup name etc.
So you have the new Samba server running; you will then have to turn to
the windows workstations, all of these will have to leave the old domain
and then join the new domain, this will involve rebooting each of them.
So your windows workstations are now members of your new domain, what
about the users?
They exist in the new domain and this is where you will hit your next
problem: 'OLDDOMAIN\userA' != 'NEWDOMAIN\UserA', i.e. when UserA logs in
to the new domain, they will get a new profile and *will not* be able
to access their old profile.
It will probably be easier to start again from scratch and this time set
up an AD domain.
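As an added illustration of the ldif rewrite Rowland describes above (example code, not from the thread or the Samba project), the script below rewrites every sambaSID / sambaPrimaryGroupSID under the old domain SID to the new one while keeping each RID, leaves BUILTIN SIDs (S-1-5-32-*) alone, and renames the sambaDomainName entry and base DN. The sample ldif, SIDs and DNs are constructed placeholders.

```python
import re

# Constructed sample ldif fragment (placeholder SIDs and DNs, not real data).
SAMPLE_LDIF = """\
dn: sambaDomainName=OLDDOMAIN,dc=old,dc=example
objectClass: sambaDomain
sambaDomainName: OLDDOMAIN
sambaSID: S-1-5-21-111-222-333

dn: uid=usera,ou=People,dc=old,dc=example
objectClass: sambaSamAccount
sambaSID: S-1-5-21-111-222-333-1000
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513

dn: cn=guests,ou=Groups,dc=old,dc=example
sambaSID: S-1-5-32-546
"""

SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")


def rewrite_sids(ldif_text, old_domain_sid, new_domain_sid):
    """Return (new_ldif, stats). Only SIDs that start with old_domain_sid
    are rewritten; the RID suffix (e.g. -1000, -513) is preserved.
    Any other SID-valued attribute (BUILTIN etc.) is counted as skipped."""
    pat = re.compile(r"^(" + "|".join(SID_ATTRS) + r"): "
                     + re.escape(old_domain_sid) + r"(-\d+)?$")
    out, changed, skipped = [], 0, 0
    for line in ldif_text.splitlines():
        m = pat.match(line)
        if m:
            out.append(f"{m.group(1)}: {new_domain_sid}{m.group(2) or ''}")
            changed += 1
        else:
            if line.split(":", 1)[0] in SID_ATTRS:
                skipped += 1  # SID outside the old domain, left untouched
            out.append(line)
    return "\n".join(out) + "\n", {"changed": changed, "skipped": skipped}


def rename_domain(ldif_text, old_name, new_name, old_base, new_base):
    """Rewrite the sambaDomainName entry (RDN and attribute) and the base DN."""
    text = ldif_text.replace(f"sambaDomainName={old_name}", f"sambaDomainName={new_name}")
    text = text.replace(f"sambaDomainName: {old_name}", f"sambaDomainName: {new_name}")
    return text.replace(old_base, new_base)


def convert(ldif_text):
    """Apply both rewrites with the constructed placeholder values."""
    sids_done, stats = rewrite_sids(ldif_text, "S-1-5-21-111-222-333", "S-1-5-21-444-555-666")
    return rename_domain(sids_done, "OLDDOMAIN", "NEWDOMAIN", "dc=old,dc=example", "dc=new,dc=example"), stats
```

Even with every SID rewritten consistently, this does nothing for the workstations' machine trust or the profiles keyed on the old SIDs that the reply describes, so the rejoin and profile loss still apply.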