samba - Oct 2016 - samba 4 migration (doamin admins & domain users renamed)

Hi,

I have checked sambaSID (from samba-ldap 3) and compared with ObjectSID in
samba 4 (after migration) and this value is the same, without any
difference.
For me it is not a problem, but if in the futur I'will keep old name, I can
rename this group after the migration is make...?

Thanks

2016-10-11 10:45 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
> Hi,
>
> Am 11.10.2016 um 09:58 schrieb Trenta sis via samba:
> > I'm trying to migrate a samba 3 domain, and I have detected that
our
> domain
> > users and doamin admins are migrated/renamed during migration, we have
> this
> > grousp in other language than english and ater migration are migrated
to
> > domain admin and domain users.
> > Members of this groups are migrated correctly, only question is this
> change
> > in name could genereate a problem and if this is an issue or I can
> ignore?
>
>
> if your well-known groups use the official security identifiers [1] in
> your NT4 domain, they will be identical in AD, because the groups are
> recreated and populated by samba-tool.
>
> However, I saw installations where the Admin created the two groups with
> {Domain-SID}-{Random-RID} instead of:
>
> Domain Admins:
> S-1-5-21-{Domain-SID}-512
>
> Domain Users:
> S-1-5-21-{Domain-SID}-513
>
> In this case, the objectSID is different and thus it's a different
> group. To fix:
> - Create the groups with the correct objectSIDs (don't rename the
> attribute. Otherwise it's a different group for your clients).
> - Switch the groups to the new ones wherever you used it.
> - Remove the groups with the wrong objectSID.
> - Start the migration.
>
> I will add this to the Wiki page later this week. I have this one anyway
> on my list for a major update.
>
>
> Regards,
> Marc
>
> [1] https://support.microsoft.com/en-us/kb/243330
>

Am 17.10.2016 um 14:34 schrieb Trenta sis via samba:
> I have checked sambaSID (from samba-ldap 3) and compared with ObjectSID in
> samba 4 (after migration) and this value is the same, without any
> difference.
> For me it is not a problem, but if in the futur I'will keep old name, I
can
> rename this group after the migration is make...?

The classic upgrade creates a new domain administrator and does not
migrate the existing account. That's why it is named
"administrator"
after the migration. However you can rename it again to anything you
like after the migration is finished.


Regards,
MArc

hi,

correct administartor is recreated during migration, but my question is
related with groups domain admins and domain users...
for me no problem sid  is the same


2016-10-17 17:44 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
> Am 17.10.2016 um 14:34 schrieb Trenta sis via samba:
> > I have checked sambaSID (from samba-ldap 3) and compared with
ObjectSID
> in
> > samba 4 (after migration) and this value is the same, without any
> > difference.
> > For me it is not a problem, but if in the futur I'will keep old
name, I
> can
> > rename this group after the migration is make...?
>
>
> The classic upgrade creates a new domain administrator and does not
> migrate the existing account. That's why it is named
"administrator"
> after the migration. However you can rename it again to anything you
> like after the migration is finished.
>
>
> Regards,
> MArc
>
>

On Mon, 2016-10-17 at 14:34 +0200, Trenta sis via samba
wrote:
> Hi,
> 
> I have checked sambaSID (from samba-ldap 3) and compared with
> ObjectSID in
> samba 4 (after migration) and this value is the same, without any
> difference.
> For me it is not a problem, but if in the futur I'will keep old name,
> I can
> rename this group after the migration is make...?
Yes.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba