[Samba] Samba on Debian 8; NT4 domain, win10

Rowland Penny rpenny at samba.org
Mon Nov 28 14:38:40 UTC 2016 

On Mon, 28 Nov 2016 15:20:46 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 2016-11-28 um 15:03 schrieb Rowland Penny via samba:
> > On Mon, 28 Nov 2016 14:22:00 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> > 
> >>
> >> NT4-PDC:
> >>
> >> # net groupmap list
> >> Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) ->
> >> users Domain-Admins
> >> (S-1-5-21-2940660672-4062535256-4144655499-512) -> root Klienten
> >> (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
> >>
> >> User pl13 is member of group "Domain Users":
> >>
> >> # pdbedit -Lv pl13
> >> Unix username:        pl13
> >> NT username:
> >> Account Flags:        [U          ]
> >> User SID:
> >> S-1-5-21-2940660672-4062535256-4144655499-2026 Primary Group
> >> SID:    S-1-5-21-2940660672-4062535256-4144655499-513
> >>
> >> This group seems not to be converted, see server after classic
> >> upgrade:
> >>
> >> # net groupmap list
> >> #
> >>
> >> -> no groups
> >>
> >> This puts all these users into some new group:
> > 
> > Yes, and the group is called 'Domain Users' ;-)
> > 
> > In AD, ALL users are members of 'Domain Users' but are not
> > explicitly added to the 'Domain Users' object
> >  
> >>
> >> # pdbedit -L | grep pl
> >>
> >> pl01:4294967295:
> >> pl02:4294967295:
> >> pl03:4294967295:
> >> pl04:4294967295:
> >> pl05:4294967295:
> >>
> >> while on the old server this was:
> >>
> >> # pdbedit -L | grep pl | sort
> >>
> >> pl01:501:
> >> pl02:502:
> >> pl03:503:
> >> pl04:504:
> >> pl05:505:
> >>
> >> Am I on the right track here?
> >>
> > 
> > Yes, you have found the reason why most of your users are being
> > ignored ;-)
> > 
> > in the upgrade python code, there is is this:
> > 
> >         if entry['rid'] < 1000:
> >             logger.info("  Skipping wellknown rid=%d (for
> > username=%s)", entry['rid'], username) continue
> > 
> > Which basically means, if the 'RID' is less than '1000', ignore and
> > move to next user. what I don't fully understand is why the users
> > are getting the '4294967295' number.
> > 
> > The cure, change all users RIDs to be more than '1000' before the
> > upgrade.
> 
> I see.
> 
> To fully understand: do I *need* to do that or is it *optional*, if I
> am OK with the fact that they get into "Domain Users" anyway?
> 
> (In this case it's enough for me to have them all in one group after
> the upgrade. I would just assign them into 2 groups after then.)
> 
> Thanks!
> 
> 

Sorry, I should have made that more obvious, even though the users are
in pdbedit, they will not make it to AD!!!

You will have to change any normal users RID if it is less than '1000'

Whatever you do after the upgrade, do not remove users from 'Domain
Users'. If you need two groups after the upgrade, create new ones and
then add your users to these and use ACLs to allow/deny connection.

Rowland

More information about the samba mailing list