Tim
2013-Dec-02 19:45 UTC
[Samba] Help with fixing users and groups with the same SID in LDAP
Hi -

I am working through the migration from samba3+ldap to samba4 ads and discovered some inconsistencies in our data in the process. We have several user/group pairs that have the same SID because somehow uidNumber and gidNumber were set to the same number.

Obviously this must be corrected for us to use the migration tool - I am just a little unsure of how best to fix this. My first thought is to change the gidNumbers to something unique and update the SID appropriately (by fixing the last part of the SID using gidNumber * 2 + 1000). If that is the proper approach are there any other concerns should I be aware of? Is this safe to update on the production server while users may be accessing it?

I also have a samba3 file server that authenticates against the same ldap directory... should samba and/or winbindd be restarted on that machine after the updates are complete?

Thanks for any help!

Cheers,
Tim
Jonathan Buzzard
2013-Dec-02 20:39 UTC
[Samba] Help with fixing users and groups with the same SID in LDAP
On 02/12/13 19:45, Tim wrote:

> Hi -
>
> I am working through the migration from samba3+ldap to samba4 ads and
> discovered some inconsistencies in our data in the process. We have several
> user/group pairs that have the same SID because somehow uidNumber and
> gidNumber were set to the same number.

There is absolutely nothing wrong with a uidNumber and gidNumber being the same numerical value as they are two entirely different sets of numbers. What is not possible in the Windows world is to have a username and a group with the same text name. What looks to be at issue is that you have been generating SIDs based on the uidNumber or gidNumber which has never been a sensible idea.

> Obviously this must be corrected for us to use the migration tool - I am just
> a little unsure of how best to fix this. My first thought is to change the
> gidNumbers to something unique and update the SID appropriately (by fixing the
> last part of the SID using gidNumber * 2 + 1000).

There should be no reason to change the gidNumber, just change the SID. I would have the directory servers offline to the users while the changes were made and restart any domain joined machines after restarting the samba3+ldap combination. However problems could occur if the SID for that group is stored anywhere on a Windows machine, as any security based on the SID will be a bust, though of course it is a bust at the moment...

JAB.

--
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
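Added example, not code from the thread or from Samba: it takes Samba 3 style LDAP entries like the ones Tim describes, finds user/group pairs that share a sambaSID, and shows the RID each entry would carry under Samba 3's default algorithmic mapping (user RID = uidNumber*2 + 1000, group RID = gidNumber*2 + 1001), which is where a uidNumber and gidNumber of the same value legitimately yield different SIDs, in line with Jonathan's point that only the SID needs changing. The domain SID, DNs and entries are constructed sample data; the script only reports and emits LDIF for review, it does not write to the directory.

```python
from collections import defaultdict

# Constructed placeholder domain SID (a real one comes from "net getlocalsid");
# 1000 is Samba 3's default "algorithmic rid base".
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RID_BASE = 1000

# Constructed sample entries standing in for an LDAP search result: alice and
# staff share number 1005 and the same SID; bob and devs share 1006 but are fine.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "objectClass": ["posixAccount", "sambaSamAccount"],
     "uidNumber": 1005, "sambaSID": DOMAIN_SID + "-3010"},
    {"dn": "cn=staff,ou=Groups,dc=example,dc=com", "objectClass": ["posixGroup", "sambaGroupMapping"],
     "gidNumber": 1005, "sambaSID": DOMAIN_SID + "-3010"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "objectClass": ["posixAccount", "sambaSamAccount"],
     "uidNumber": 1006, "sambaSID": DOMAIN_SID + "-3012"},
    {"dn": "cn=devs,ou=Groups,dc=example,dc=com", "objectClass": ["posixGroup", "sambaGroupMapping"],
     "gidNumber": 1006, "sambaSID": DOMAIN_SID + "-3013"},
]

def expected_sid(entry):
    """SID the entry would have under Samba 3's algorithmic uid/gid -> RID mapping."""
    if "posixAccount" in entry["objectClass"]:
        rid = entry["uidNumber"] * 2 + RID_BASE        # users get even RIDs
    else:
        rid = entry["gidNumber"] * 2 + RID_BASE + 1    # groups get odd RIDs
    return f"{DOMAIN_SID}-{rid}"

def find_sid_collisions(entries):
    """Map each sambaSID that appears on more than one entry to those entries."""
    by_sid = defaultdict(list)
    for e in entries:
        if "sambaSID" in e:
            by_sid[e["sambaSID"]].append(e)
    return {sid: es for sid, es in by_sid.items() if len(es) > 1}

def proposed_fixes(entries):
    """(dn, current SID, algorithmic SID) for every colliding entry whose SID is off."""
    fixes = []
    for sid, es in find_sid_collisions(entries).items():
        for e in es:
            want = expected_sid(e)
            if want != sid:
                fixes.append((e["dn"], sid, want))
    return fixes

def to_ldif(fixes):
    """LDIF modify records to review before applying with the directory offline to users."""
    return "\n\n".join(f"dn: {dn}\nchangetype: modify\nreplace: sambaSID\nsambaSID: {want}\n-"
                       for dn, _old, want in fixes)
```

To use it on a real directory, replace SAMPLE_ENTRIES with the parsed result of an ldapsearch over the sambaSamAccount and sambaGroupMapping entries and review the LDIF before applying it.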