[Samba] Provision new domain keeping users and passwords

Rowland Penny rpenny at samba.org
Wed Mar 29 14:06:32 UTC 2017


On Wed, 29 Mar 2017 17:30:28 +0400
Mike Lykov via samba <samba at lists.samba.org> wrote:

> 29.03.2017 16:52, Santiago Londoño Mejía via samba wrote:
> > Hello,
> > Is this procedure for samba as DC?
> 
> I'm in doubt about it, it looks like it is for an old-style NT Domain...
> Maybe more skilled people can comment on it.
> 

I don't think creating a new domain and using the users and passwords
is going to work.

There are several problems:

Windows identifies the users etc by the RID, but this is to be found at
the end of the domain SID, so if user 'fred' has the RID 1107 and you
create a new Samba AD domain and create the user 'fred' with the same
RID, this would be a different user 'fred', because the SID would be
different.

The user's password is stored in a hidden attribute which is supposed
to be unreadable, but you can read it on a Samba DC, but it is heavily
encoded. You may be able to obtain some of the users' passwords with
pdbedit, but can you get them all?

If you create a new domain, it will be just that, a new domain and you
will need to join all your machines to it.

Bearing all this in mind, it will probably be easier to obtain a list
of your users and groups, also get a list of which user
is a member of which group.
Create the new domain, add the users, give them a temporary password
and set the user to change their password at first logon. Add the
groups and reset the group membership.
Email the new password to the users and then one weekend, change over
to the new DC.

Rowland
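
Added example, not part of the original message and not Samba code: a small Python sketch of the SID/RID point above. It encodes and decodes the binary objectSid layout and shows that 'fred' with RID 1107 in two domains is two different principals, so an ACL entry granted in the old domain does not match in the new one. Both domain SIDs and the ACL are constructed sample values.

```python
import struct

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...-RID' into the binary objectSid layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority count or value out of range")
    # 1 byte revision, 1 byte count, 6 byte big-endian authority,
    # then each sub-authority as a 4 byte little-endian integer.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def bytes_to_sid(raw):
    """Decode a binary objectSid back to its string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def split_sid(sid):
    """Return (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def acl_allows(acl, sid):
    """Access checks compare whole SIDs, never the RID or the name alone."""
    return sid_to_bytes(sid) in {sid_to_bytes(entry) for entry in acl}

# Constructed sample values: old and new domain SIDs, same RID for 'fred'.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-1000000001-2000000002-3000000003"
OLD_FRED = OLD_DOMAIN + "-1107"
NEW_FRED = NEW_DOMAIN + "-1107"
SHARE_ACL = [OLD_FRED]  # permission granted while in the old domain

if __name__ == "__main__":
    for name, sid in (("old fred", OLD_FRED), ("new fred", NEW_FRED)):
        domain, rid = split_sid(bytes_to_sid(sid_to_bytes(sid)))
        print(name, "domain:", domain, "RID:", rid,
              "allowed by old ACL:", acl_allows(SHARE_ACL, sid))
```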


