[Samba] Samba on Debian 8; NT4 domain, win10

Stefan G. Weichinger lists at xunil.at
Mon Nov 28 14:20:46 UTC 2016


On 2016-11-28 at 15:03, Rowland Penny via samba wrote:
> On Mon, 28 Nov 2016 14:22:00 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
>>
>> NT4-PDC:
>>
>> # net groupmap list
>> Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
>> Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
>> Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
>>
>> User pl13 is member of group "Domain Users":
>>
>> # pdbedit -Lv pl13
>> Unix username:        pl13
>> NT username:
>> Account Flags:        [U          ]
>> User SID:             S-1-5-21-2940660672-4062535256-4144655499-2026
>> Primary Group SID:    S-1-5-21-2940660672-4062535256-4144655499-513
>>
>> This group seems not to be converted, see server after classic
>> upgrade:
>>
>> # net groupmap list
>> #
>>
>> -> no groups
>>
>> This puts all these users into some new group:
> 
> Yes, and the group is called 'Domain Users' ;-)
> 
> In AD, ALL users are members of 'Domain Users' but are not
> explicitly added to the 'Domain Users' object
>  
>>
>> # pdbedit -L | grep pl
>>
>> pl01:4294967295:
>> pl02:4294967295:
>> pl03:4294967295:
>> pl04:4294967295:
>> pl05:4294967295:
>>
>> while on the old server this was:
>>
>> # pdbedit -L | grep pl | sort
>>
>> pl01:501:
>> pl02:502:
>> pl03:503:
>> pl04:504:
>> pl05:505:
>>
>> Am I on the right track here?
>>
> 
> Yes, you have found the reason why most of your users are being
> ignored ;-)
> 
> In the upgrade Python code, there is this:
> 
>         if entry['rid'] < 1000:
>             logger.info("  Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
>             continue
> 
> Which basically means, if the 'RID' is less than '1000', ignore and move
> to next user. What I don't fully understand is why the users are
> getting the '4294967295' number.
> 
> The cure, change all users' RIDs to be more than '1000' before the
> upgrade.

I see.

To fully understand: do I *need* to do that or is it *optional*, if I am
OK with the fact that they get into "Domain Users" anyway?

(In this case it's enough for me to have them all in one group after the
upgrade. I would just assign them into 2 groups afterwards.)

Thanks!
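
A pre-upgrade check for the two symptoms discussed in this thread, as an added example that is not part of the original messages or of Samba's own code: it reads saved `pdbedit -Lv` and `pdbedit -L` output and lists accounts that the quoted `< 1000` test would skip and accounts showing uid 4294967295. The sample data, the account `demo07` and all function names are constructed for illustration.

```python
import re

RID_CUTOFF = 1000        # threshold in the upgrade code quoted above
UNSET_UID = 4294967295   # 0xFFFFFFFF, the uid value shown in the post

# Constructed sample data in the output layouts shown in the post;
# "demo07" and its SID are made up for illustration.
SAMPLE_LV = """\
Unix username:        pl13
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2940660672-4062535256-4144655499-2026
Primary Group SID:    S-1-5-21-2940660672-4062535256-4144655499-513
Unix username:        demo07
User SID:             S-1-5-21-2940660672-4062535256-4144655499-507
Primary Group SID:    S-1-5-21-2940660672-4062535256-4144655499-513
"""
SAMPLE_L = "pl01:4294967295:\npl13:513:\nbroken line\n"

FIELD = re.compile(r"^(Unix username|User SID|Primary Group SID):\s*(\S+)\s*$")

def parse_lv(text):
    """Turn `pdbedit -Lv` text into [{'user', 'rid', 'group_rid'}, ...]."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Unix username":
            records.append({"user": value, "rid": None, "group_rid": None})
        elif records and value.startswith("S-1-"):
            # The RID is the last sub-authority of the SID.
            field = "rid" if key == "User SID" else "group_rid"
            records[-1][field] = int(value.rsplit("-", 1)[1])
    return records

def would_be_skipped(records):
    """Users the quoted `entry['rid'] < 1000` test would skip."""
    return [r["user"] for r in records if r["rid"] is not None and r["rid"] < RID_CUTOFF]

def unset_uids(text):
    """Users in `pdbedit -L` output (user:uid:fullname) with uid 4294967295."""
    rows = (line.split(":") for line in text.splitlines())
    return [p[0] for p in rows if len(p) >= 2 and p[1] == str(UNSET_UID)]

if __name__ == "__main__":
    print("RID below cutoff:", would_be_skipped(parse_lv(SAMPLE_LV)))
    print("uid 4294967295:", unset_uids(SAMPLE_L))
```

To use it on real data, replace the two sample strings with the saved output of the same commands from the NT4 PDC and from the upgraded server.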



