samba - Oct 2016 - samba 4 migration (doamin admins & domain users renamed)

Hi,


I'm trying to migrate a samba 3 domain, and I have detected that our domain
users and doamin admins are migrated/renamed during migration, we have this
grousp in other language than english and ater migration are migrated to
domain admin and domain users.
Members of this groups are migrated correctly, only question is this change
in name could genereate a problem and if this is an issue or I can ignore?

Thanks

On Tue, 11 Oct 2016 09:58:34 +0200
Trenta sis via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> 
> I'm trying to migrate a samba 3 domain, and I have detected that our
> domain users and doamin admins are migrated/renamed during migration,
> we have this grousp in other language than english and ater migration
> are migrated to domain admin and domain users.
> Members of this groups are migrated correctly, only question is this
> change in name could genereate a problem and if this is an issue or I
> can ignore?
> 
> Thanks
This shouldn't really be a problem, 'Domain Admins' &
'Domain Users'
will have been identified by the SID-RID and as Samba uses English,
they will have been created in English. There is nothing stopping you
renaming them in your language.

Rowland

Hi,

Am 11.10.2016 um 09:58 schrieb Trenta sis via samba:
> I'm trying to migrate a samba 3 domain, and I have detected that our
domain
> users and doamin admins are migrated/renamed during migration, we have this
> grousp in other language than english and ater migration are migrated to
> domain admin and domain users.
> Members of this groups are migrated correctly, only question is this change
> in name could genereate a problem and if this is an issue or I can ignore?

if your well-known groups use the official security identifiers [1] in
your NT4 domain, they will be identical in AD, because the groups are
recreated and populated by samba-tool.

However, I saw installations where the Admin created the two groups with
{Domain-SID}-{Random-RID} instead of:

Domain Admins:
S-1-5-21-{Domain-SID}-512

Domain Users:
S-1-5-21-{Domain-SID}-513

In this case, the objectSID is different and thus it's a different
group. To fix:
- Create the groups with the correct objectSIDs (don't rename the
attribute. Otherwise it's a different group for your clients).
- Switch the groups to the new ones wherever you used it.
- Remove the groups with the wrong objectSID.
- Start the migration.

I will add this to the Wiki page later this week. I have this one anyway
on my list for a major update.


Regards,
Marc

[1] https://support.microsoft.com/en-us/kb/243330

Hi,

I have checked sambaSID (from samba-ldap 3) and compared with ObjectSID in
samba 4 (after migration) and this value is the same, without any
difference.
For me it is not a problem, but if in the futur I'will keep old name, I can
rename this group after the migration is make...?

Thanks

2016-10-11 10:45 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
> Hi,
>
> Am 11.10.2016 um 09:58 schrieb Trenta sis via samba:
> > I'm trying to migrate a samba 3 domain, and I have detected that
our
> domain
> > users and doamin admins are migrated/renamed during migration, we have
> this
> > grousp in other language than english and ater migration are migrated
to
> > domain admin and domain users.
> > Members of this groups are migrated correctly, only question is this
> change
> > in name could genereate a problem and if this is an issue or I can
> ignore?
>
>
> if your well-known groups use the official security identifiers [1] in
> your NT4 domain, they will be identical in AD, because the groups are
> recreated and populated by samba-tool.
>
> However, I saw installations where the Admin created the two groups with
> {Domain-SID}-{Random-RID} instead of:
>
> Domain Admins:
> S-1-5-21-{Domain-SID}-512
>
> Domain Users:
> S-1-5-21-{Domain-SID}-513
>
> In this case, the objectSID is different and thus it's a different
> group. To fix:
> - Create the groups with the correct objectSIDs (don't rename the
> attribute. Otherwise it's a different group for your clients).
> - Switch the groups to the new ones wherever you used it.
> - Remove the groups with the wrong objectSID.
> - Start the migration.
>
> I will add this to the Wiki page later this week. I have this one anyway
> on my list for a major update.
>
>
> Regards,
> Marc
>
> [1] https://support.microsoft.com/en-us/kb/243330
>