[Samba] Classic Upgrade changes domain SID

Andrew Bartlett abartlet at samba.org
Sun Aug 27 20:53:28 UTC 2023

On Sun, 2023-08-27 at 22:37 +0200, Peter Koch via samba wrote:
> Hi Roland,
> I did some investigations about why the classic upgrade
> script creates an AD-DC with a domain SID different from
> my old NT4-DC.
> .../samba/lib64/python3.9/site-packages/samba/upgrade.py
> reads variable domainsid in line 494 via:
> domainsid = passdb.get_global_sam_sid()
> I inserted line 495 into upgrade.py, namely:
> raise Exception(domainsid);
> Now classic upgrade script fails with:
>  >ERROR(exception): uncaught exception - 
> S-1-5-352321536-3589954388-2200284306-183212708
> My NT4 domains SID is:
>  ># net getdomainsid
>  >SID for local machine SERV00 is: S-1-5-21-1415314133-2460755331-
> 2761616138
>  >SID for domain NAV is: S-1-5-21-1415314133-2460755331-2761616138
> So why in the world does passdb.get_global_sam_sid()
> reads a different domain SID from passwd.tlb?

Thanks so much for doing this deep debugging Peter.  

I can't explain it, but I agree this is the nub of the problem.  I
wonder if they are reading different databases?

Some work with strace might help confirm which files are being
opened.  Both of these calls are very thin wrappers around the C
get_global_sam_sid() function. 

So I suspect the issue with paths, reading a different private dir.

Are you upgrading from LDAP?   The pdb_ldap code reads the SID from
LDAP.  Does the SID in LDAP match either of these values?

I'm sorry, I've not read the entire thread closely, but which of these
is the correct one?

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

More information about the samba mailing list