[Samba] samba 4 migration (doamin admins & domain users renamed)

Trenta sis trenta.sis at gmail.com
Mon Oct 17 12:34:32 UTC 2016


I have checked sambaSID (from samba-ldap 3) and compared with ObjectSID in
samba 4 (after migration) and this value is the same, without any
For me it is not a problem, but if in the futur I'will keep old name, I can
rename this group after the migration is make...?


2016-10-11 10:45 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:

> Hi,
> Am 11.10.2016 um 09:58 schrieb Trenta sis via samba:
> > I'm trying to migrate a samba 3 domain, and I have detected that our
> domain
> > users and doamin admins are migrated/renamed during migration, we have
> this
> > grousp in other language than english and ater migration are migrated to
> > domain admin and domain users.
> > Members of this groups are migrated correctly, only question is this
> change
> > in name could genereate a problem and if this is an issue or I can
> ignore?
> if your well-known groups use the official security identifiers [1] in
> your NT4 domain, they will be identical in AD, because the groups are
> recreated and populated by samba-tool.
> However, I saw installations where the Admin created the two groups with
> {Domain-SID}-{Random-RID} instead of:
> Domain Admins:
> S-1-5-21-{Domain-SID}-512
> Domain Users:
> S-1-5-21-{Domain-SID}-513
> In this case, the objectSID is different and thus it's a different
> group. To fix:
> - Create the groups with the correct objectSIDs (don't rename the
> attribute. Otherwise it's a different group for your clients).
> - Switch the groups to the new ones wherever you used it.
> - Remove the groups with the wrong objectSID.
> - Start the migration.
> I will add this to the Wiki page later this week. I have this one anyway
> on my list for a major update.
> Regards,
> Marc
> [1] https://support.microsoft.com/en-us/kb/243330

More information about the samba mailing list