Greetings - In an offline-test environment, I just took a first crack at a classic upgrade of our Samba 3.6.9 (389-DS LDAP backend) environment to Samba 4.1.13 AD. Among other issues, I see that we have some group/SID issues to address. From the upgrade output: Could not add group name=guests ((68, "samldb: Account name (sAMAccountName) 'guests' already in use!")) Could not add group name=Domain Admins ((68, "samldb: Account name (sAMAccountName) 'Domain Admins' already in use!")) Could not add group name=Domain Users ((68, "samldb: Account name (sAMAccountName) 'Domain Users' already in use!")) Could not add group name=Domain Guests ((68, "samldb: Account name (sAMAccountName) 'Domain Guests' already in use!")) Could not add group name=Domain Computers ((68, "samldb: Account name (sAMAccountName) 'Domain Computers' already in use!")) The relevant groups and their current SIDs in our current Samba 3 environment: [root at sack ~]# net groupmap list [...] guests (S-1-5-21-XXXdomainXXX-1040) -> guests [...] Domain Admins (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins Domain Users (S-1-5-21-XXXdomainXXX-2513) -> Domain Users Domain Guests (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests Domain Computers (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers [...] And the appropriate SIDs, according to Microsoft: http://support.microsoft.com/kb/243330 SID: S-1-5-32-546 Name: Guests SID: S-1-5-21domain-512 Name: Domain Admins SID: S-1-5-21domain-513 Name: Domain Users SID: S-1-5-21domain-514 Name: Domain Guests SID: S-1-5-21domain-515 Name: Domain Computers I assume that our SIDs can be changed to match the Microsoft-specified SIDs relatively easily. Am I right about that? If so, could someone describe how to do so, or direct me to appropriate documentation? The "guests" group conflict poses an additional problem for us, because we happen to use it as one of our "primary" groups -- along with such groups as "staff", "faculty", "students", etc ... How would you suggest that I address the Guests conflict? Would it be a simple matter of renaming the group or ... ? thanks, -r
On 11/06/2014 12:20 PM, Robert Moulton wrote:> Greetings - > > In an offline-test environment, I just took a first crack at a classic > upgrade of our Samba 3.6.9 (389-DS LDAP backend) environment to Samba > 4.1.13 AD. Among other issues, I see that we have some group/SID issues > to address. From the upgrade output: > > Could not add group name=guests ((68, "samldb: Account name > (sAMAccountName) 'guests' already in use!")) > Could not add group name=Domain Admins ((68, "samldb: Account name > (sAMAccountName) 'Domain Admins' already in use!")) > Could not add group name=Domain Users ((68, "samldb: Account name > (sAMAccountName) 'Domain Users' already in use!")) > Could not add group name=Domain Guests ((68, "samldb: Account name > (sAMAccountName) 'Domain Guests' already in use!")) > Could not add group name=Domain Computers ((68, "samldb: Account name > (sAMAccountName) 'Domain Computers' already in use!")) > > The relevant groups and their current SIDs in our current Samba 3 > environment: > > [root at sack ~]# net groupmap list > [...] > guests (S-1-5-21-XXXdomainXXX-1040) -> guests > [...] > Domain Admins (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins > Domain Users (S-1-5-21-XXXdomainXXX-2513) -> Domain Users > Domain Guests (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests > Domain Computers (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers > [...] > > And the appropriate SIDs, according to Microsoft: > > http://support.microsoft.com/kb/243330 > > SID: S-1-5-32-546 > Name: Guests > > SID: S-1-5-21domain-512 > Name: Domain Admins > > SID: S-1-5-21domain-513 > Name: Domain Users > > SID: S-1-5-21domain-514 > Name: Domain Guests > > SID: S-1-5-21domain-515 > Name: Domain Computers > > I assume that our SIDs can be changed to match the Microsoft-specified > SIDs relatively easily. Am I right about that? If so, could someone > describe how to do so, or direct me to appropriate documentation? > > The "guests" group conflict poses an additional problem for us, because > we happen to use it as one of our "primary" groups -- along with such > groups as "staff", "faculty", "students", etc ... How would you suggest > that I address the Guests conflict? Would it be a simple matter of > renaming the group or ... ? > > thanks, > -r >Robert, Ah, someone else at UW making the switch from Samba3 to Samba4. As for the guests group, we face the same issue. Our solution is to rename the group before upgrading. In my testing, renaming it via an LDIF works fine so long as Samba is stopped at the time the change is made. -- John Yocum, Systems Administrator, DEOHS
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Robert, you don't have to worry about the groups "domain admins" RID=512 "domain users" RID=513, "Domain guests" RID 514 and "Domain Computers" RID 515. These are default groups und will be rebuild during the provisioning with clasicupgrade. You can't migrate these groups. Stefan Am 06.11.2014 um 21:20 schrieb Robert Moulton:> Greetings - > > In an offline-test environment, I just took a first crack at a > classic upgrade of our Samba 3.6.9 (389-DS LDAP backend) > environment to Samba 4.1.13 AD. Among other issues, I see that we > have some group/SID issues to address. From the upgrade output: > > Could not add group name=guests ((68, "samldb: Account name > (sAMAccountName) 'guests' already in use!")) Could not add group > name=Domain Admins ((68, "samldb: Account name (sAMAccountName) > 'Domain Admins' already in use!")) Could not add group name=Domain > Users ((68, "samldb: Account name (sAMAccountName) 'Domain Users' > already in use!")) Could not add group name=Domain Guests ((68, > "samldb: Account name (sAMAccountName) 'Domain Guests' already in > use!")) Could not add group name=Domain Computers ((68, "samldb: > Account name (sAMAccountName) 'Domain Computers' already in > use!")) > > The relevant groups and their current SIDs in our current Samba 3 > environment: > > [root at sack ~]# net groupmap list [...] guests > (S-1-5-21-XXXdomainXXX-1040) -> guests [...] Domain Admins > (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins Domain Users > (S-1-5-21-XXXdomainXXX-2513) -> Domain Users Domain Guests > (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests Domain Computers > (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers [...] > > And the appropriate SIDs, according to Microsoft: > > http://support.microsoft.com/kb/243330 > > SID: S-1-5-32-546 Name: Guests > > SID: S-1-5-21domain-512 Name: Domain Admins > > SID: S-1-5-21domain-513 Name: Domain Users > > SID: S-1-5-21domain-514 Name: Domain Guests > > SID: S-1-5-21domain-515 Name: Domain Computers > > I assume that our SIDs can be changed to match the > Microsoft-specified SIDs relatively easily. Am I right about that? > If so, could someone describe how to do so, or direct me to > appropriate documentation? > > The "guests" group conflict poses an additional problem for us, > because we happen to use it as one of our "primary" groups -- along > with such groups as "staff", "faculty", "students", etc ... How > would you suggest that I address the Guests conflict? Would it be a > simple matter of renaming the group or ... ? > > thanks, -r >-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRcmMYACgkQ2JOGcNAHDTYf7wCfYDWayzBSgY7TjIkiGtrv4le0 dpMAoON5IYBMbzn/ql8a3vTa0/CX28nP =5cXQ -----END PGP SIGNATURE-----
Possibly Parallel Threads
- Samba on Debian 8; NT4 domain, win10
- Samba on Debian 8; NT4 domain, win10
- userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"
- Samba4.6 - Groups creation/import fails
- samba-tool classicupgrade throws uncaught exception