[Samba] Samba on Debian 8; NT4 domain, win10
Stefan G. Weichinger
lists at xunil.at
Mon Nov 28 14:20:46 UTC 2016
On 2016-11-28 at 15:03, Rowland Penny via samba wrote:
> On Mon, 28 Nov 2016 14:22:00 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>>
>> NT4-PDC:
>>
>> # net groupmap list
>> Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
>> Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
>> Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
>>
>> User pl13 is member of group "Domain Users":
>>
>> # pdbedit -Lv pl13
>> Unix username: pl13
>> NT username:
>> Account Flags: [U ]
>> User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
>> Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
>>
>> This group seems not to be converted, see server after classic
>> upgrade:
>>
>> # net groupmap list
>> #
>>
>> -> no groups
>>
>> This puts all these users into some new group:
>
> Yes, and the group is called 'Domain Users' ;-)
>
> In AD, ALL users are members of 'Domain Users' but are not
> explicitly added to the 'Domain Users' object
>
>>
>> # pdbedit -L | grep pl
>>
>> pl01:4294967295:
>> pl02:4294967295:
>> pl03:4294967295:
>> pl04:4294967295:
>> pl05:4294967295:
>>
>> while on the old server this was:
>>
>> # pdbedit -L | grep pl | sort
>>
>> pl01:501:
>> pl02:502:
>> pl03:503:
>> pl04:504:
>> pl05:505:
>>
>> Am I on the right track here?
>>
>
> Yes, you have found the reason why most of your users are being
> ignored ;-)
>
> In the upgrade Python code, there is this:
>
> if entry['rid'] < 1000:
>     logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
>     continue
>
> Which basically means, if the 'RID' is less than '1000', ignore and move
> to next user. What I don't fully understand is why the users are
> getting the '4294967295' number.
>
> The cure: change all users' RIDs to be more than '1000' before the
> upgrade.

I see.

To fully understand: do I *need* to do that or is it *optional*, if I am
OK with the fact that they get into "Domain Users" anyway?

(In this case it's enough for me to have them all in one group after the
upgrade. I would just assign them into 2 groups afterwards.)

Thanks!
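
A pre-upgrade check for the situation discussed in this thread, added here as an example (it is not part of the original post and not Samba's own code): it reads `pdbedit -Lv` output, takes each account's RID from the last component of its User SID, and applies the `rid < 1000` test quoted above; it also flags `pdbedit -L` lines whose numeric field is 4294967295. The function names and the sample input, including the account `example1`, are constructed for illustration.

```python
import re

RID_THRESHOLD = 1000    # from the quoted upgrade check: entry['rid'] < 1000
UNSET_ID = 0xFFFFFFFF   # 4294967295, i.e. -1 as an unsigned 32-bit value

# Constructed sample input in the output formats shown in the thread.
SAMPLE_LV = """\
Unix username: pl13
User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
---------------
Unix username: example1
User SID: S-1-5-21-2940660672-4062535256-4144655499-501
Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
"""
SAMPLE_L = "pl01:4294967295:\npl02:502:\n"

def parse_pdbedit_lv(text):
    """Return {username: rid} parsed from `pdbedit -Lv` style output."""
    rids, user = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Unix username":
            user = value
        elif key == "User SID" and user:
            # The RID is the final sub-authority of the SID.
            m = re.fullmatch(r"S-1-(?:\d+-)+(\d+)", value)
            if m:
                rids[user] = int(m.group(1))
    return rids

def would_be_skipped(rids):
    """Usernames for which the quoted `rid < 1000` test is true."""
    return sorted(u for u, rid in rids.items() if rid < RID_THRESHOLD)

def unset_ids(text):
    """Usernames in `pdbedit -L` output whose numeric field is 4294967295."""
    hits = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[1].isdigit() and int(parts[1]) == UNSET_ID:
            hits.append(parts[0])
    return hits

if __name__ == "__main__":
    print("below RID threshold:", would_be_skipped(parse_pdbedit_lv(SAMPLE_LV)))
    print("unset numeric id:", unset_ids(SAMPLE_L))
```

Run against the old server's `pdbedit -Lv` output before the upgrade, this lists exactly the accounts the quoted test would skip, judged by the RID in the SID rather than by the number `pdbedit -L` prints.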