samba - Nov 2014 - classicupgrade - resolving group conflicts

Greetings -

In an offline-test environment, I just took a first crack at a classic
upgrade of our Samba 3.6.9 (389-DS LDAP backend) environment to Samba
4.1.13 AD. Among other issues, I see that we have some group/SID issues
to address. From the upgrade output:

Could not add group name=guests ((68, "samldb: Account name
(sAMAccountName) 'guests' already in use!"))
Could not add group name=Domain Admins ((68, "samldb: Account name
(sAMAccountName) 'Domain Admins' already in use!"))
Could not add group name=Domain Users ((68, "samldb: Account name
(sAMAccountName) 'Domain Users' already in use!"))
Could not add group name=Domain Guests ((68, "samldb: Account name
(sAMAccountName) 'Domain Guests' already in use!"))
Could not add group name=Domain Computers ((68, "samldb: Account name
(sAMAccountName) 'Domain Computers' already in use!"))

The relevant groups and their current SIDs in our current Samba 3
environment:

[root at sack ~]# net groupmap list
[...]
guests (S-1-5-21-XXXdomainXXX-1040) -> guests
[...]
Domain Admins (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins
Domain Users (S-1-5-21-XXXdomainXXX-2513) -> Domain Users
Domain Guests (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests
Domain Computers (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers
[...]

And the appropriate SIDs, according to Microsoft:

http://support.microsoft.com/kb/243330

SID: S-1-5-32-546
Name: Guests

SID: S-1-5-21domain-512
Name: Domain Admins

SID: S-1-5-21domain-513
Name: Domain Users

SID: S-1-5-21domain-514
Name: Domain Guests

SID: S-1-5-21domain-515
Name: Domain Computers

I assume that our SIDs can be changed to match the Microsoft-specified
SIDs relatively easily. Am I right about that? If so, could someone
describe how to do so, or direct me to appropriate documentation?

The "guests" group conflict poses an additional problem for us,
because
we happen to use it as one of our "primary" groups -- along with such
groups as "staff", "faculty", "students", etc ...
How would you suggest
that I address the Guests conflict? Would it be a simple matter of
renaming the group or ... ?

thanks,
-r

On 11/06/2014 12:20 PM, Robert Moulton wrote:
> Greetings -
> 
> In an offline-test environment, I just took a first crack at a classic
> upgrade of our Samba 3.6.9 (389-DS LDAP backend) environment to Samba
> 4.1.13 AD. Among other issues, I see that we have some group/SID issues
> to address. From the upgrade output:
> 
> Could not add group name=guests ((68, "samldb: Account name
> (sAMAccountName) 'guests' already in use!"))
> Could not add group name=Domain Admins ((68, "samldb: Account name
> (sAMAccountName) 'Domain Admins' already in use!"))
> Could not add group name=Domain Users ((68, "samldb: Account name
> (sAMAccountName) 'Domain Users' already in use!"))
> Could not add group name=Domain Guests ((68, "samldb: Account name
> (sAMAccountName) 'Domain Guests' already in use!"))
> Could not add group name=Domain Computers ((68, "samldb: Account name
> (sAMAccountName) 'Domain Computers' already in use!"))
> 
> The relevant groups and their current SIDs in our current Samba 3
> environment:
> 
> [root at sack ~]# net groupmap list
> [...]
> guests (S-1-5-21-XXXdomainXXX-1040) -> guests
> [...]
> Domain Admins (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins
> Domain Users (S-1-5-21-XXXdomainXXX-2513) -> Domain Users
> Domain Guests (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests
> Domain Computers (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers
> [...]
> 
> And the appropriate SIDs, according to Microsoft:
> 
> http://support.microsoft.com/kb/243330
> 
> SID: S-1-5-32-546
> Name: Guests
> 
> SID: S-1-5-21domain-512
> Name: Domain Admins
> 
> SID: S-1-5-21domain-513
> Name: Domain Users
> 
> SID: S-1-5-21domain-514
> Name: Domain Guests
> 
> SID: S-1-5-21domain-515
> Name: Domain Computers
> 
> I assume that our SIDs can be changed to match the Microsoft-specified
> SIDs relatively easily. Am I right about that? If so, could someone
> describe how to do so, or direct me to appropriate documentation?
> 
> The "guests" group conflict poses an additional problem for us,
because
> we happen to use it as one of our "primary" groups -- along with
such
> groups as "staff", "faculty", "students", etc
... How would you suggest
> that I address the Guests conflict? Would it be a simple matter of
> renaming the group or ... ?
> 
> thanks,
> -r
> 
Robert,

Ah, someone else at UW making the switch from Samba3 to Samba4.

As for the guests group, we face the same issue. Our solution is to
rename the group before upgrading. In my testing, renaming it via an
LDIF works fine so long as Samba is stopped at the time the change is made.

-- 
John Yocum, Systems Administrator, DEOHS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Robert,

you don't have to worry about the groups "domain admins" RID=512
"domain users" RID=513, "Domain guests" RID 514 and
"Domain Computers"
RID 515. These are default groups und will be rebuild during the
provisioning with clasicupgrade. You can't migrate these groups.

Stefan

Am 06.11.2014 um 21:20 schrieb Robert Moulton:
> Greetings -
> 
> In an offline-test environment, I just took a first crack at a
> classic upgrade of our Samba 3.6.9 (389-DS LDAP backend)
> environment to Samba 4.1.13 AD. Among other issues, I see that we
> have some group/SID issues to address. From the upgrade output:
> 
> Could not add group name=guests ((68, "samldb: Account name 
> (sAMAccountName) 'guests' already in use!")) Could not add
group
> name=Domain Admins ((68, "samldb: Account name (sAMAccountName)
> 'Domain Admins' already in use!")) Could not add group
name=Domain
> Users ((68, "samldb: Account name (sAMAccountName) 'Domain
Users'
> already in use!")) Could not add group name=Domain Guests ((68,
> "samldb: Account name (sAMAccountName) 'Domain Guests' already
in
> use!")) Could not add group name=Domain Computers ((68, "samldb:
> Account name (sAMAccountName) 'Domain Computers' already in
> use!"))
> 
> The relevant groups and their current SIDs in our current Samba 3 
> environment:
> 
> [root at sack ~]# net groupmap list [...] guests
> (S-1-5-21-XXXdomainXXX-1040) -> guests [...] Domain Admins
> (S-1-5-21-XXXdomainXXX-2512) -> Domain Admins Domain Users
> (S-1-5-21-XXXdomainXXX-2513) -> Domain Users Domain Guests
> (S-1-5-21-XXXdomainXXX-2514) -> Domain Guests Domain Computers
> (S-1-5-21-XXXdomainXXX-2515) -> Domain Computers [...]
> 
> And the appropriate SIDs, according to Microsoft:
> 
> http://support.microsoft.com/kb/243330
> 
> SID: S-1-5-32-546 Name: Guests
> 
> SID: S-1-5-21domain-512 Name: Domain Admins
> 
> SID: S-1-5-21domain-513 Name: Domain Users
> 
> SID: S-1-5-21domain-514 Name: Domain Guests
> 
> SID: S-1-5-21domain-515 Name: Domain Computers
> 
> I assume that our SIDs can be changed to match the
> Microsoft-specified SIDs relatively easily. Am I right about that?
> If so, could someone describe how to do so, or direct me to
> appropriate documentation?
> 
> The "guests" group conflict poses an additional problem for us,
> because we happen to use it as one of our "primary" groups --
along
> with such groups as "staff", "faculty",
"students", etc ... How
> would you suggest that I address the Guests conflict? Would it be a
> simple matter of renaming the group or ... ?
> 
> thanks, -r
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRcmMYACgkQ2JOGcNAHDTYf7wCfYDWayzBSgY7TjIkiGtrv4le0
dpMAoON5IYBMbzn/ql8a3vTa0/CX28nP
=5cXQ
-----END PGP SIGNATURE-----