[Samba] Evaluation of the Samba-tools rename functionality
itdept_head
itdept_head at grown-up.com
Wed Feb 15 05:10:23 UTC 2023
Hi,
Just an update on this samba-tool (V4.17.4) rename functionality, against a 2008SP2 level AD.
(also in case anyone else is mad enough to want to attempt this.)
The rename tool seems to do a fairly good job.
However, there are a couple of other fields that could do with being flushed/fixed during the rename.
This one which breaks MS tools (with continuous looping & modal dialog box):
(because it has the old domain hard coded into a string block, updating them fixes the MS maintenance tools.)
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC={host name}
gPLink:
and there is one delimited string in each "OU" that has any GPO set.
gPLink: [LDAP://cn={59A490CC-59A6-4920-96A2-94A51F8EA1C3},cn=policies,cn=system,DC{old domain ref};0]
Either flushing the string to null or in situ replacement is a fix;
null just means you have to add them to the container again, but the MS tools are functional.
String replacement means all the GPOs are correctly in the right object on rebuild.
Then this one specifically is a pain:
mS-DS-CreatorSID:
this data field is added to a machine record joined to an AD in certain situations.
MS issued a client side patch in the name of “security” that checks for this data:
"KB5020276"
The machine re-join goes pear shaped if it is found and if you have NOT applied an unapproved local machine registry mod…
Which then means you have to delete the old record out of the LDAP or change the name of the machine for the re-join, which is a real pain…
If there was an option in the “samba-tool rename” that prevented copy over of this field into the new migration data & printed any workstations it was applied to,
it would go a long way to allowing machines to just be automatically re-joined to the old domain & keep all the preconfigured data.
It seems all the domain specific data related to the domain name gets “flushed”/updated to the new domain details on re-join.
But important items like the “primaryGroupID”, “whenCreated”, “objectSid”, etc. that you might have GPO policy attached to or NAS access rights remain, which is a good enough reason to not rename machines.
Other than that, and a very simple script to do string substitution in the LDAP, it seems the tool is perfectly functional.
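The "very simple script to do string substitution in the LDAP" mentioned above, as an added example that is not part of the original post and not Samba's own code. It works on an in-memory list of entries constructed here to mimic what a directory export would contain: the old and new domain DN suffixes (DC=olddom,DC=local / DC=newdom,DC=local), the OU and computer DNs, and the mS-DS-CreatorSID value are all assumptions for illustration; the first GPO GUID is the one quoted in the post, the second is the well-known Default Domain Policy GUID. The script rewrites the old domain suffix inside objectCategory and gPLink, keeps each gPLink entry's link options intact, emits LDIF modify records that could be fed to ldbmodify or ldapmodify, and separately reports which computer objects still carry mS-DS-CreatorSID so those hosts can be reviewed before a re-join.

```python
import re

# Assumed old and new domain DN suffixes for the rename (not from the post).
OLD_DN_SUFFIX = "DC=olddom,DC=local"
NEW_DN_SUFFIX = "DC=newdom,DC=local"

# Constructed sample entries, shaped like an LDIF export after a domain rename:
# the entry DNs already carry the new domain, but objectCategory and gPLink
# still reference the old one. Not real directory data.
SAMPLE_ENTRIES = [
    {
        "dn": "OU=Workstations,DC=newdom,DC=local",
        "objectCategory": "CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=olddom,DC=local",
        # Two linked GPOs: the GUID from the post, then the well-known Default Domain Policy.
        "gPLink": (
            "[LDAP://cn={59A490CC-59A6-4920-96A2-94A51F8EA1C3},cn=policies,cn=system,DC=olddom,DC=local;0]"
            "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=olddom,DC=local;2]"
        ),
    },
    {
        "dn": "CN=WS01,OU=Workstations,DC=newdom,DC=local",
        "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=olddom,DC=local",
        # Constructed SID value; presence of the attribute is what matters.
        "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    },
    {
        "dn": "CN=WS02,OU=Workstations,DC=newdom,DC=local",
        "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=newdom,DC=local",
    },
]

# Attributes the post identifies as still carrying the old domain DN.
ATTRS_TO_FIX = ("objectCategory", "gPLink")

GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]")


def rewrite_dn_suffix(value, old_suffix, new_suffix):
    """Replace every occurrence of the old DN suffix (DNs are case-insensitive)."""
    return re.sub(re.escape(old_suffix), new_suffix, value, flags=re.IGNORECASE)


def parse_gplink(value):
    """Split a gPLink string into (policy DN, link options) pairs."""
    return [(m.group(1), int(m.group(2))) for m in GPLINK_RE.finditer(value)]


def plan_fixes(entries, old_suffix, new_suffix):
    """Return (changes, creator_sid_hosts).

    changes: list of (dn, attribute, old_value, new_value) for values still
             referencing the old domain suffix.
    creator_sid_hosts: DNs of objects that still carry mS-DS-CreatorSID.
    """
    changes = []
    creator_sid_hosts = []
    old_re = re.compile(re.escape(old_suffix), re.IGNORECASE)
    for entry in entries:
        for attr in ATTRS_TO_FIX:
            value = entry.get(attr)
            if value and old_re.search(value):
                changes.append((entry["dn"], attr, value,
                                rewrite_dn_suffix(value, old_suffix, new_suffix)))
        if "mS-DS-CreatorSID" in entry:
            creator_sid_hosts.append(entry["dn"])
    return changes, creator_sid_hosts


def to_ldif_modify(changes):
    """Render the planned changes as LDIF 'replace' records."""
    records = []
    for dn, attr, _old, new in changes:
        records.append(f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {new}\n-\n")
    return "\n".join(records)


if __name__ == "__main__":
    changes, hosts = plan_fixes(SAMPLE_ENTRIES, OLD_DN_SUFFIX, NEW_DN_SUFFIX)
    print(to_ldif_modify(changes))
    for host in hosts:
        print(f"# mS-DS-CreatorSID present on: {host}")
```

Review the printed LDIF against a backup of the directory before applying it; the report of hosts carrying mS-DS-CreatorSID is informational only, so the decision of whether to remove the attribute or re-join those machines stays with the administrator.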