[Samba] Evaluation of the Samba-tools rename functionality

itdept_head itdept_head at grown-up.com
Wed Feb 15 05:10:23 UTC 2023



Hi,

Just an update on this samba-tool (v4.17.4) rename functionality, against a 2008 SP2 level AD.

(Also in case anyone else is mad enough to want to attempt this.)

The rename tool seems to do a fairly good job; however, there are a couple of other fields that could do with being flushed/fixed during the rename.





This one breaks MS tools (with continuous looping & modal dialog box), because it has the old domain hard-coded into a string block; updating them fixes the MS maintenance tools:

objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC={host name}

gPLink:

and there is one delimited string in each "OU" that has any GPO set:

gPLink: [LDAP://cn={59A490CC-59A6-4920-96A2-94A51F8EA1C3},cn=policies,cn=system,DC={old domain ref};0]

Either flushing the string to null or in-situ replacement is a fix.

Null just means you have to add them to the container again, but the MS tools are functional.

String replacement means all the GPOs are correctly in the right object on rebuild.







Then this one specifically is a pain:

mS-DS-CreatorSID:

This data field is added to a machine record joined to an AD in certain situations.

MS issued a client-side patch in the name of "security" that checks for this data:

"KB5020276"

The machine re-join goes pear-shaped if it is found and if you have NOT applied an unapproved local machine registry mod…

Which then means you have to delete the old record out of the LDAP OR change the name of the machine for the re-join, which is a real pain…

If there was an option in "samba-tool rename" that prevented copying this field over into the new migration data & printed any workstations it was applied to, it would go a long way to allowing machines to just be automatically re-joined to the old domain & keep all the preconfigured data.

It seems all the domain-specific data related to the domain name gets "flushed"/updated to the new domain details on re-join.

But important items like "primaryGroupID", "whenCreated", "objectSid", etc., that you might have GPO policy attached to or NAS access rights, remain, which is a good enough reason to not rename machines.

Other than that and a very simple script to do string substitution in the LDAP, it seems the tool is perfectly functional.
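As an added example (not the poster's script and not part of Samba), the string substitution described above, run over a constructed LDIF export: it rewrites the stale domain DN inside gPLink and objectCategory into an LDIF modify file and lists the computer objects that still carry mS-DS-CreatorSID so they can be reviewed before a re-join. The domain names, GUIDs and SID are placeholders.

```python
import re

# Constructed sample export (placeholder domain/GUIDs): entries already sit under the
# new domain DN, but gPLink and objectCategory still point at the old one.
OLD_DN = "DC=oldcorp,DC=local"
NEW_DN = "DC=newcorp,DC=local"
SAMPLE_LDIF = """\
dn: OU=Workstations,DC=newcorp,DC=local
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=oldcorp,DC=local
gPLink: [LDAP://cn={59A490CC-59A6-4920-96A2-94A51F8EA1C3},cn=policies,cn=system,DC=oldcorp,DC=local;0][LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=oldcorp,DC=local;2]

dn: CN=WS01,OU=Workstations,DC=newcorp,DC=local
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=oldcorp,DC=local
mS-DS-CreatorSID: S-1-5-21-1111111111-2222222222-3333333333-1105
"""
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]")  # one [LDAP://<gpo dn>;<flags>] element

def parse_ldif(text):
    # Minimal LDIF reader: entries separated by a blank line, one 'attr: value' per line
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for name, _, value in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(name, []).append(value)
        entries.append(attrs)
    return entries

def replace_dn_suffix(value, old_dn, new_dn):
    # Swap the trailing domain DN; DNs compare case-insensitively, so match that way
    if value.lower().endswith(old_dn.lower()):
        return value[: -len(old_dn)] + new_dn
    return value

def rewrite_gplink(value, old_dn, new_dn):
    # Rewrite every linked GPO DN, preserving link order and the per-link flags
    parts = GPLINK_RE.findall(value)
    if not parts:  # empty or unparseable value: leave it alone rather than blank it
        return value
    return "".join(f"[LDAP://{replace_dn_suffix(dn, old_dn, new_dn)};{flags}]" for dn, flags in parts)

def plan_fixups(entries, old_dn, new_dn):
    # Returns (LDIF modify text for stale attributes, DNs still carrying mS-DS-CreatorSID)
    ldif, creator_sid_dns = [], []
    for e in entries:
        dn = e["dn"][0]
        if "mS-DS-CreatorSID" in e:
            creator_sid_dns.append(dn)
        mods = [f"replace: {a}\n{a}: {fn(v, old_dn, new_dn)}\n-"
                for a, fn in (("gPLink", rewrite_gplink), ("objectCategory", replace_dn_suffix))
                for v in e.get(a, []) if fn(v, old_dn, new_dn) != v]
        if mods:
            ldif.append(f"dn: {dn}\nchangetype: modify\n" + "\n".join(mods) + "\n")
    return "\n".join(ldif), creator_sid_dns
```

The returned LDIF is in the shape ldbmodify accepts, so it can be tried against a copy of sam.ldb first; the reported DNs are the machine records the post describes.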

