samba - Apr 2015 - Change user SID on Samba 4.1

I had troubles with classicupgrade and linux machines, and i'm creating a
new AD (for now works perfect). I want to keep the same SID of the old AD
to avoid to move all users profiles.

Greetings!!
El 28/4/2015 1:07 p. m., "Andrew Bartlett" <abartlet at
samba.org> escribi?:
> On Tue, 2015-04-28 at 11:27 +0200, Daniel Carrasco Mar?n wrote:
> > Hi, Is there any way to change the SID of an user on Samba 4.1?.
I've
> tried:
> >
> > pdbedit -U newSID -u user
> > pdbedit -u user -U newSID
> > pdbedit --'user SID'=newSID -u user
> >
> > but it shows the user infor without change anything.
>
> Changing a user's sid is a really bad idea, so in the AD DC (at least)
> is is made quite difficult.
>
> In particular, it is critical that it remain unique, and be removed from
> the RID pool.  When we do a classicupgrade, we take care to ensure all
> RID pools start above the users we import.  That is really the only time
> it is safe to force a RID.
>
> Why do you need to change it?
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>

On 28/04/15 12:39, Daniel Carrasco Mar?n wrote:
> I had troubles with classicupgrade and linux machines, and i'm creating
a
> new AD (for now works perfect). I want to keep the same SID of the old AD
> to avoid to move all users profiles.
>
> Greetings!!
> El 28/4/2015 1:07 p. m., "Andrew Bartlett" <abartlet at
samba.org> escribi?:
>
>> On Tue, 2015-04-28 at 11:27 +0200, Daniel Carrasco Mar?n wrote:
>>> Hi, Is there any way to change the SID of an user on Samba 4.1?.
I've
>> tried:
>>> pdbedit -U newSID -u user
>>> pdbedit -u user -U newSID
>>> pdbedit --'user SID'=newSID -u user
>>>
>>> but it shows the user infor without change anything.
>> Changing a user's sid is a really bad idea, so in the AD DC (at
least)
>> is is made quite difficult.
>>
>> In particular, it is critical that it remain unique, and be removed
from
>> the RID pool.  When we do a classicupgrade, we take care to ensure all
>> RID pools start above the users we import.  That is really the only
time
>> it is safe to force a RID.
>>
>> Why do you need to change it?
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
>>
>>
>>
Never used it myself, but there is the provision option 
'--domain-sid=SID' . I assume that you can use this to set the domain 
SID when you provision a new domain.

Rowland

Thanks!!, but I don't know how that can help me, because i'm planning to
change the domain, then the Domain SID must be different. Anyway is not
hard, i only have to move the user profile on domain change, but of course
is faster if i don't need to do it.

Greetings!!

2015-04-28 13:58 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 28/04/15 12:39, Daniel Carrasco Mar?n wrote:
>
>> I had troubles with classicupgrade and linux machines, and i'm
creating a
>> new AD (for now works perfect). I want to keep the same SID of the old
AD
>> to avoid to move all users profiles.
>>
>> Greetings!!
>> El 28/4/2015 1:07 p. m., "Andrew Bartlett" <abartlet at
samba.org> escribi?:
>>
>>  On Tue, 2015-04-28 at 11:27 +0200, Daniel Carrasco Mar?n wrote:
>>>
>>>> Hi, Is there any way to change the SID of an user on Samba
4.1?. I've
>>>>
>>> tried:
>>>
>>>> pdbedit -U newSID -u user
>>>> pdbedit -u user -U newSID
>>>> pdbedit --'user SID'=newSID -u user
>>>>
>>>> but it shows the user infor without change anything.
>>>>
>>> Changing a user's sid is a really bad idea, so in the AD DC (at
least)
>>> is is made quite difficult.
>>>
>>> In particular, it is critical that it remain unique, and be removed
from
>>> the RID pool.  When we do a classicupgrade, we take care to ensure
all
>>> RID pools start above the users we import.  That is really the only
time
>>> it is safe to force a RID.
>>>
>>> Why do you need to change it?
>>>
>>> --
>>> Andrew Bartlett                       http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team  http://samba.org
>>> Samba Developer, Catalyst IT
>>> http://catalyst.net.nz/services/samba
>>>
>>>
>>>
>>>
> Never used it myself, but there is the provision option
'--domain-sid=SID'
> . I assume that you can use this to set the domain SID when you provision a
> new domain.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Am 28.04.2015 um 13:58 schrieb Rowland Penny:
> Never used it myself, but there is the provision option
> '--domain-sid=SID' . I assume that you can use this to set the
domain
> SID when you provision a new domain.

This won't help, because it just keep the domain SID and users still 
getting new RIDs, what make them different, if they are linked 
somewhere. And keeping the RIDs still require to keep them out of the 
RID pool. See Andrews mail.


Regards,
Marc

Greetings, Daniel Carrasco Mar?n!
>>> Hi, Is there any way to change the SID of an user on Samba 4.1?.
I've
>>> tried:
>>>
>>> pdbedit -U newSID -u user
>>> pdbedit -u user -U newSID
>>> pdbedit --'user SID'=newSID -u user
>>>
>>> but it shows the user infor without change anything.
>>
>> Changing a user's sid is a really bad idea, so in the AD DC (at
least)
>> is is made quite difficult.
> I had troubles with classicupgrade and linux machines, and i'm creating
a
> new AD (for now works perfect). I want to keep the same SID of the old AD
> to avoid to move all users profiles.
If you could instead explain, what kind of troubles you've had with upgrade?
So far, I haven't seen anything that couldn't be solved with a little
thinking
and a good deal of creativity.

P.S.
I would also appreciate, if you don't top-post.
Putting answer above question makes messages unnecessarily hard to read and
understand.


-- 
With best regards,
Andrey Repin
Tuesday, April 28, 2015 22:33:57

Sorry for my terrible english...

2015-04-28 21:36 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
> Greetings, Daniel Carrasco Mar?n!
>
> >>> Hi, Is there any way to change the SID of an user on Samba
4.1?. I've
> >>> tried:
> >>>
> >>> pdbedit -U newSID -u user
> >>> pdbedit -u user -U newSID
> >>> pdbedit --'user SID'=newSID -u user
> >>>
> >>> but it shows the user infor without change anything.
> >>
> >> Changing a user's sid is a really bad idea, so in the AD DC
(at least)
> >> is is made quite difficult.
>
> > I had troubles with classicupgrade and linux machines, and i'm
creating a
> > new AD (for now works perfect). I want to keep the same SID of the old
AD
> > to avoid to move all users profiles.
>
> If you could instead explain, what kind of troubles you've had with
> upgrade?
> So far, I haven't seen anything that couldn't be solved with a
little
> thinking
> and a good deal of creativity.
>
> P.S.
> I would also appreciate, if you don't top-post.
> Putting answer above question makes messages unnecessarily hard to read and
> understand.
>
>
> --
> With best regards,
> Andrey Repin
> Tuesday, April 28, 2015 22:33:57
>
> Sorry for my terrible english...

Sorry, my Gmail is configured to top-post by default.

My problem with upgrades was with member servers. The upgrade process was
fine and I can join the AD with any Windows machine, but when I try to join
that AD with a Linux machine then it fails. I've created a new AD with same
versions and configurations and I can join that AD with same servers that
fails with upgraded AD.

Greetings!!