[Samba] Provision new domain keeping users and passwords
abartlet at samba.org
Thu Mar 30 06:09:59 UTC 2017
On Thu, 2017-03-30 at 08:10 +0400, Mike Lykov via samba wrote:
> 29.03.2017 21:31, Jeanderson Soares via samba wrote:
> > I created a user 'fred' in the old DC Domain and exported/imported
> > to the new Domain (using pdbedit) and I was able to log in on a
> > Windows machine (member of the new domain) normally (except that
> > the user account has expired).
> > (old dc domain)# pdbedit -v fred
> > User SID: S-1-5-21-*3914450021-4001743833-916707020*-45772
> > (new dc domain)# pdbedit -v fred
> > User SID: S-1-5-21-*1365935180-2367880061-2796624718*-45772
> > The SID really changed. Maybe I can get troubles in the future.
Yes, it will cause you trouble. You can set the domain SID during the
provision, but this illustrates why I don't recommend this approach.
> > > If you create a new domain, it will be just that, a new domain
> > > and you
> > > will need to join all your machines to it.
> If you can transfer user with password to the new domain as
> above, is this method applicable to machine's accounts?
> What can I do (if I want) export/import machine accounts to the new
> For example, I have a machine joined to live domain DOM1, and with
> server DOM1.dc.com
> I change dns to DOM2.dc.com, then import/export machine account to
> (reboot the machine if needed). Is this machine was "joined" to the
> domain already?
No, a machine is only joined to the same domain name and SID as it
started with. Machines should be re-joined (perhaps using remote
> By the way, if I accidentally delete the machine account from domain,
> I restore it (in samba 4.5), or only rejoin it?
No, you must re-join it.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
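
Added example, not part of the original message or of Samba's own tooling: a check that compares the "User SID" values in `pdbedit -v` dumps taken on the old and the new DC and reports, per account, whether the domain part of the SID, the RID, or both changed. The function names and the sample dumps are assumptions made for the example; only fred's two SIDs come from the thread (emphasis asterisks removed).

```python
import re

# Domain-relative SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_pdbedit(text):
    """Map username -> (domain SID, RID) from `pdbedit -v` style text."""
    accounts, user = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Unix username":
            user = value
        elif key == "User SID" and user is not None:
            m = SID_RE.match(value)
            if m is None:
                raise ValueError(f"not a domain SID for {user}: {value!r}")
            accounts[user] = (m.group(1), int(m.group(2)))
    return accounts

def compare(old, new):
    """Classify every account of the old dump against the new one."""
    report = {}
    for user, (old_dom, old_rid) in old.items():
        if user not in new:
            report[user] = "missing"
            continue
        new_dom, new_rid = new[user]
        checks = (("domain-sid", new_dom != old_dom), ("rid", new_rid != old_rid))
        changed = [name for name, differs in checks if differs]
        report[user] = "+".join(changed) + "-changed" if changed else "same"
    return report

# Constructed dumps: fred's SIDs are from the thread, alice and bob are made up.
OLD = """\
Unix username:        fred
User SID:             S-1-5-21-3914450021-4001743833-916707020-45772
Unix username:        alice
User SID:             S-1-5-21-3914450021-4001743833-916707020-1105
Unix username:        bob
User SID:             S-1-5-21-3914450021-4001743833-916707020-1106
"""
NEW = """\
Unix username:        fred
User SID:             S-1-5-21-1365935180-2367880061-2796624718-45772
Unix username:        alice
User SID:             S-1-5-21-1365935180-2367880061-2796624718-1200
"""

if __name__ == "__main__":
    print(compare(parse_pdbedit(OLD), parse_pdbedit(NEW)))
```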