[Samba] Samba on Debian 8; NT4 domain, win10
Rowland Penny
rpenny at samba.org
Tue Nov 29 11:10:20 UTC 2016
On Tue, 29 Nov 2016 21:56:21 +1300
Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2016-11-28 at 14:03 +0000, Rowland Penny via samba wrote:
> > On Mon, 28 Nov 2016 14:22:00 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> > >
> > >
> > > NT4-PDC:
> > >
> > > # net groupmap list
> > > Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
> > > Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
> > > Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
> > >
> > > User pl13 is member of group "Domain Users":
> > >
> > > # pdbedit -Lv pl13
> > > Unix username: pl13
> > > NT username:
> > > Account Flags: [U ]
> > > User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
> > > Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
> > >
> > > This group seems not to be converted, see server after classic
> > > upgrade:
> > >
> > > # net groupmap list
> > > #
> > >
> > > -> no groups
> > >
> > > This puts all these users into some new group:
> >
> > Yes, and the group is called 'Domain Users' ;-)
> >
> > In AD, ALL users are members of 'Domain Users' but are not
> > explicitly added to the 'Domain Users' object
> >
> > >
> > >
> > > # pdbedit -L | grep pl
> > >
> > > pl01:4294967295:
> > > pl02:4294967295:
> > > pl03:4294967295:
> > > pl04:4294967295:
> > > pl05:4294967295:
> > >
> > > while on the old server this was:
> > >
> > > # pdbedit -L | grep pl | sort
> > >
> > > pl01:501:
> > > pl02:502:
> > > pl03:503:
> > > pl04:504:
> > > pl05:505:
> > >
> > > Am I on the right track here?
> > >
> >
> > Yes, you have found the reason why most of your users are being
> > ignored ;-)
> >
> > In the upgrade python code, there is this:
> >
> >     if entry['rid'] < 1000:
> >         logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
> >         continue
> >
> > Which basically means, if the 'RID' is less than '1000', ignore and
> > move to next user. What I don't fully understand is why the users are
> > getting the '4294967295' number.
> >
> > The cure, change all users' RIDs to be more than '1000' before the
> > upgrade.
>
> G'Day Rowland,
>
> While your comments on the RID < 1000 issue are correct, your
> interpretation of the pdbedit output is not correct. That value is
> not the RID, but in deference to the smbpasswd file format from long
> before you joined Samba, it is the unix UID value for the username
> specified. That is probably also why the -1 / 4294967295 values show
> up, if the user doesn't exist locally where the tool is being run.
>
> Listing with --verbose will show the full SID, and so the applicable
> RID.
>
> Hopefully these are not below 1000, as changing the SID has annoying
> implications for profiles and other things.
>
> I hope this helps,
>
> Andrew Bartlett
>
OK, thanks for explaining that, but the users are highly likely not to
exist locally; most people do as the wiki recommends and test the
upgrade on a new machine.
Rowland
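
An added example, not part of any post in this thread and not Samba's own code: a pre-upgrade check that takes each account's RID from the last component of `User SID` in `pdbedit -Lv` output and lists the accounts that the `rid < 1000` test quoted above would skip. It also lists `pdbedit -L` entries whose second field is 4294967295, which is -1 stored as an unsigned 32-bit Unix UID. The sample output, the SIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample of `pdbedit -Lv` output; users and SIDs are made up.
SAMPLE_LV = """\
---------------
Unix username:        pl01
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-501
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
---------------
Unix username:        pl13
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-2026
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
"""

# Constructed sample of `pdbedit -L` output (username:unix-uid:full name).
SAMPLE_L = "pl01:4294967295:\npl13:2026:\n"

UID_UNRESOLVED = 0xFFFFFFFF  # -1 stored in an unsigned 32-bit UID field
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")  # domain SID, then the RID

def rids_from_verbose(text):
    """Return {unix username: RID}; the RID is the last part of 'User SID'."""
    rids, user = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Unix username":
            user = value
        elif key == "User SID" and user:
            match = SID_RE.match(value)
            if match:
                rids[user] = int(match.group(1))
    return rids

def skipped_by_upgrade(rids, threshold=1000):
    """Accounts that a 'rid < 1000: continue' test would leave out."""
    return sorted(user for user, rid in rids.items() if rid < threshold)

def unresolved_uids(text):
    """Users whose `pdbedit -L` UID field is 4294967295 (-1 as unsigned 32-bit)."""
    names = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == str(UID_UNRESOLVED):
            names.append(fields[0])
    return names

if __name__ == "__main__":
    print("skipped:", skipped_by_upgrade(rids_from_verbose(SAMPLE_LV)))
    print("no local UID:", unresolved_uids(SAMPLE_L))
```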