[Samba] samba 4 migration (doamin admins & domain users renamed)
Marc Muehlfeld
mmuehlfeld at samba.org
Tue Oct 11 08:45:32 UTC 2016
Hi,
Am 11.10.2016 um 09:58 schrieb Trenta sis via samba:
> I'm trying to migrate a samba 3 domain, and I have detected that our domain
> users and doamin admins are migrated/renamed during migration, we have this
> grousp in other language than english and ater migration are migrated to
> domain admin and domain users.
> Members of this groups are migrated correctly, only question is this change
> in name could genereate a problem and if this is an issue or I can ignore?
if your well-known groups use the official security identifiers [1] in
your NT4 domain, they will be identical in AD, because the groups are
recreated and populated by samba-tool.
However, I saw installations where the Admin created the two groups with
{Domain-SID}-{Random-RID} instead of:
Domain Admins:
S-1-5-21-{Domain-SID}-512
Domain Users:
S-1-5-21-{Domain-SID}-513
In this case, the objectSID is different and thus it's a different
group. To fix:
- Create the groups with the correct objectSIDs (don't rename the
attribute. Otherwise it's a different group for your clients).
- Switch the groups to the new ones wherever you used it.
- Remove the groups with the wrong objectSID.
- Start the migration.
I will add this to the Wiki page later this week. I have this one anyway
on my list for a major update.
Regards,
Marc
[1] https://support.microsoft.com/en-us/kb/243330
More information about the samba
mailing list