[Samba] Samba on Debian 8; NT4 domain, win10

Andrew Bartlett abartlet at samba.org
Tue Nov 29 18:12:45 UTC 2016


On Tue, 2016-11-29 at 10:16 +0100, Stefan G. Weichinger wrote:
> Am 2016-11-29 um 09:56 schrieb Andrew Bartlett:
> 
> > 
> > While your comments on the RID < 1000 issue are correct, your
> > interpretation of the pdbedit output is not correct.  That value is not
> > the RID, but in deference to the smbpasswd file format from long before
> > you joined Samba, it is the unix UID value for the username specified.
> > That is probably also why the -1 / 4294967295 values show up, if the
> > user doesn't exist locally where the tool is being run.
> > 
> > Listing with --verbose will show the full SID, and so the applicable
> > RID. 
> > 
> > Hopefully these are not below 1000, as changing the SID has annoying
> > implications for profiles and other things.
> > 
> > I hope this helps,
> > 
> > Andrew Bartlett
> 
> thanks, Andrew
> 
> as it dawns on me it is the fact that some of the users there are very
> very old. I think we started with samba-2.x there.
> 
> As I understand this you point me at:
> 
> # pdbedit -L --verbose pl04
> Unix username:        pl04
> [..]
> User SID:             S-1-5-21-2940660672-4062535256-4144655499-2008
> 
> ----------------------------------------------------------------^^^^
> ?
> 
> When I run
> 
> # pdbedit -L --verbose | grep "User SID"
> 
> I only get one user with that part <1000, and that is "nobody".

Good.  That user will be replaced by the guest account in AD, so that
should be fine. 

> -
> 
> I think that these "pl??" users there aren't used much anymore, maybe I
> can get rid of most of them or simply recreate them after the conversion
> (just some minor services related, I hope).
> 
> Thanks, Stefan, the "we never had this before" guy ;-)

I'll let you choose the way forward for your site, but if you can just
re-create what fails to convert because it is just a service account,
that seems quite reasonable. 

In the days of passdb on the NT4-like domain controller, there wasn't
and still isn't any kind of fsck for the database.  That means that all
manner of incorrect, odd or unexpected combinations of entries can
persist, without warning or notice.  Duplicate SIDs, which is not an
issue you have faced thankfully, are quite common it seems. 

I suspect Rowland jumped on the rid < 1000 suggestion quite reasonably
because we have seen that too, but usually just because of confusion
around the Administrator account.  (Samba won't normally create such
sids).

When users are transferred to Samba's AD DC, they get put into a quite
strict database.  The reason why we strictly suggest migration on an
isolated test network is that this almost never goes smoothly, and
manual intervention is almost always required. 

I wish you all the best with your migration.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
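The thread boils down to one pre-migration check: list every account with `pdbedit -L --verbose`, read the RID off the end of the "User SID:" line, and make sure nothing but the expected well-known accounts sits below 1000 (and, given the remark that passdb has no fsck and duplicate SIDs are common, that no SID appears twice). The following script is an added example, not code from the thread or from Samba; it parses a constructed sample of pdbedit output (the domain SID is the one shown in the thread, the usernames other than pl04 and nobody and the 15-dash record separator are made up) and reports low RIDs and duplicate SIDs. On a real NT4-style DC you would pipe the live `pdbedit -L --verbose` output into `audit_sids` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): audit pdbedit --verbose
# output for RIDs below 1000 and for duplicate user SIDs before running
# "samba-tool domain classicupgrade".

# Constructed sample of "pdbedit -L --verbose" output.  Only the
# "Unix username:" and "User SID:" lines are parsed; the separator and
# the svc_* accounts are made up for the demonstration.
SAMPLE_PDBEDIT='Unix username:        pl04
User SID:             S-1-5-21-2940660672-4062535256-4144655499-2008
Primary Group SID:    S-1-5-21-2940660672-4062535256-4144655499-513
---------------
Unix username:        nobody
User SID:             S-1-5-21-2940660672-4062535256-4144655499-501
---------------
Unix username:        svc_backup
User SID:             S-1-5-21-2940660672-4062535256-4144655499-3010
---------------
Unix username:        svc_old
User SID:             S-1-5-21-2940660672-4062535256-4144655499-3010'

# rid_of_sid SID -> prints the RID, i.e. the last dash-separated component.
rid_of_sid() {
    printf '%s\n' "$1" | awk -F- '{ print $NF }'
}

# audit_sids reads pdbedit --verbose output on stdin and prints one line
# per finding:
#   LOWRID <user> <rid>              RID below 1000
#   DUPSID <sid> <first> <second>    same SID on two accounts
# Exit status is 1 when there is at least one finding, 0 when clean.
audit_sids() {
    awk '
    /^Unix username:/ { user = $3 }
    /^User SID:/ {
        sid = $3
        n = split(sid, parts, "-")
        rid = parts[n]
        if (rid + 0 < 1000) { print "LOWRID", user, rid; findings++ }
        if (sid in seen)    { print "DUPSID", sid, seen[sid], user; findings++ }
        else                { seen[sid] = user }
    }
    END { exit (findings > 0) }
    '
}

# Demo over the constructed sample; real use: pdbedit -L --verbose | audit_sids
printf '%s\n' "$SAMPLE_PDBEDIT" | audit_sids \
    || echo "review the findings above before classicupgrade"
```

In the sample the only low RID is nobody's 501, which matches what the thread expects (that account becomes the AD guest), while the two svc_* accounts sharing one SID are exactly the kind of passdb inconsistency that the NT4-style backend never warns about and that the AD import will reject; resolving those on an isolated test copy first is what makes the migration go smoothly.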
