NT4-PDC:

# net groupmap list
Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten

User pl13 is member of group "Domain Users":

# pdbedit -Lv pl13
Unix username: pl13
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513

This group seems not to be converted, see server after classic
upgrade:

# net groupmap list
#

-> no groups

This puts all these users into some new group:

# pdbedit -L | grep pl

pl01:4294967295:
pl02:4294967295:
pl03:4294967295:
pl04:4294967295:
pl05:4294967295:

while on the old server this was:

# pdbedit -L | grep pl | sort

pl01:501:
pl02:502:
pl03:503:
pl04:504:
pl05:505:

Am I on the right track here?
On Mon, 28 Nov 2016 14:22:00 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

>
> NT4-PDC:
>
> # net groupmap list
> Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
> Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
> Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
>
> User pl13 is member of group "Domain Users":
>
> # pdbedit -Lv pl13
> Unix username: pl13
> NT username:
> Account Flags: [U ]
> User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
> Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
>
> This group seems not to be converted, see server after classic
> upgrade:
>
> # net groupmap list
> #
>
> -> no groups
>
> This puts all these users into some new group:

Yes, and the group is called 'Domain Users' ;-)

In AD, ALL users are members of 'Domain Users' but are not
explicitly added to the 'Domain Users' object

>
> # pdbedit -L | grep pl
>
> pl01:4294967295:
> pl02:4294967295:
> pl03:4294967295:
> pl04:4294967295:
> pl05:4294967295:
>
> while on the old server this was:
>
> # pdbedit -L | grep pl | sort
>
> pl01:501:
> pl02:502:
> pl03:503:
> pl04:504:
> pl05:505:
>
> Am I on the right track here?
>

Yes, you have found the reason why most of your users are being
ignored ;-)

In the upgrade python code, there is this:

    if entry['rid'] < 1000:
        logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
        continue

Which basically means, if the 'RID' is less than '1000', ignore and move
to next user. What I don't fully understand is why the users are
getting the '4294967295' number.

The cure, change all users RIDs to be more than '1000' before the
upgrade.

Rowland
On 2016-11-28 at 15:03, Rowland Penny via samba wrote:

> On Mon, 28 Nov 2016 14:22:00 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>>
>> NT4-PDC:
>>
>> # net groupmap list
>> Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
>> Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
>> Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
>>
>> User pl13 is member of group "Domain Users":
>>
>> # pdbedit -Lv pl13
>> Unix username: pl13
>> NT username:
>> Account Flags: [U ]
>> User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
>> Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
>>
>> This group seems not to be converted, see server after classic
>> upgrade:
>>
>> # net groupmap list
>> #
>>
>> -> no groups
>>
>> This puts all these users into some new group:
>
> Yes, and the group is called 'Domain Users' ;-)
>
> In AD, ALL users are members of 'Domain Users' but are not
> explicitly added to the 'Domain Users' object
>
>>
>> # pdbedit -L | grep pl
>>
>> pl01:4294967295:
>> pl02:4294967295:
>> pl03:4294967295:
>> pl04:4294967295:
>> pl05:4294967295:
>>
>> while on the old server this was:
>>
>> # pdbedit -L | grep pl | sort
>>
>> pl01:501:
>> pl02:502:
>> pl03:503:
>> pl04:504:
>> pl05:505:
>>
>> Am I on the right track here?
>>
>
> Yes, you have found the reason why most of your users are being
> ignored ;-)
>
> In the upgrade python code, there is this:
>
>     if entry['rid'] < 1000:
>         logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
>         continue
>
> Which basically means, if the 'RID' is less than '1000', ignore and move
> to next user. What I don't fully understand is why the users are
> getting the '4294967295' number.
>
> The cure, change all users RIDs to be more than '1000' before the
> upgrade.

I see.

To fully understand: do I *need* to do that or is it *optional*, if I am
OK with the fact that they get into "Domain Users" anyway?

(In this case it's enough for me to have them all in one group after the
upgrade. I would just assign them into 2 groups afterwards.)

Thanks!
On Mon, 2016-11-28 at 14:03 +0000, Rowland Penny via samba wrote:

> On Mon, 28 Nov 2016 14:22:00 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
> >
> > NT4-PDC:
> >
> > # net groupmap list
> > Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
> > Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
> > Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
> >
> > User pl13 is member of group "Domain Users":
> >
> > # pdbedit -Lv pl13
> > Unix username: pl13
> > NT username:
> > Account Flags: [U ]
> > User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
> > Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
> >
> > This group seems not to be converted, see server after classic
> > upgrade:
> >
> > # net groupmap list
> > #
> >
> > -> no groups
> >
> > This puts all these users into some new group:
>
> Yes, and the group is called 'Domain Users' ;-)
>
> In AD, ALL users are members of 'Domain Users' but are not
> explicitly added to the 'Domain Users' object
>
> >
> > # pdbedit -L | grep pl
> >
> > pl01:4294967295:
> > pl02:4294967295:
> > pl03:4294967295:
> > pl04:4294967295:
> > pl05:4294967295:
> >
> > while on the old server this was:
> >
> > # pdbedit -L | grep pl | sort
> >
> > pl01:501:
> > pl02:502:
> > pl03:503:
> > pl04:504:
> > pl05:505:
> >
> > Am I on the right track here?
> >
>
> Yes, you have found the reason why most of your users are being
> ignored ;-)
>
> In the upgrade python code, there is this:
>
>     if entry['rid'] < 1000:
>         logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
>         continue
>
> Which basically means, if the 'RID' is less than '1000', ignore and
> move to next user. What I don't fully understand is why the users are
> getting the '4294967295' number.
>
> The cure, change all users RIDs to be more than '1000' before the
> upgrade.

G'Day Rowland,

While your comments on the RID < 1000 issue are correct, your
interpretation of the pdbedit output is not correct. That value is not
the RID, but in deference to the smbpasswd file format from long before
you joined Samba, it is the unix UID value for the username specified.

That is probably also why the -1 / 4294967295 values show up, if the
user doesn't exist locally where the tool is being run.

Listing with --verbose will show the full SID, and so the applicable
RID. Hopefully these are not below 1000, as changing the SID has
annoying implications for profiles and other things.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
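
Added example (not part of any message in this thread, and not Samba's own code): a pre-upgrade check that reads the RID from the "User SID" line of `pdbedit -Lv` output and, separately, flags accounts that `pdbedit -L` lists with UID 4294967295. The sample text is constructed, the user "legacy01" and its RID are made up, and the 1000 threshold is taken from the snippet quoted in the thread.

```python
import re

RID_FLOOR = 1000            # threshold in the upgrade snippet quoted in the thread
UNRESOLVED_UID = 2**32 - 1  # -1 shown as an unsigned 32-bit value: 4294967295
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Constructed sample in the shape of the output shown in the thread;
# "legacy01" and its RID 501 are made up for illustration.
SAMPLE_LV = """\
Unix username: pl13
Account Flags: [U ]
User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
Unix username: legacy01
User SID: S-1-5-21-2940660672-4062535256-4144655499-501
Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
"""
SAMPLE_L = "pl01:4294967295:\npl02:502:\n"

def rid_of(sid):
    """Return the RID (last sub-authority) of a domain SID, or None."""
    m = SID_RE.match(sid.strip())
    return int(m.group(1)) if m else None

def parse_verbose(text):
    """Map username -> {'rid', 'group_rid'} from `pdbedit -Lv` text."""
    users, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "Unix username":
            current = users.setdefault(value, {})
        elif current is not None and key == "User SID":
            current["rid"] = rid_of(value)
        elif current is not None and key == "Primary Group SID":
            current["group_rid"] = rid_of(value)
    return users

def skipped_by_upgrade(users):
    """Usernames whose RID is below the floor checked by the upgrade code."""
    return sorted(u for u, r in users.items()
                  if r.get("rid") is not None and r["rid"] < RID_FLOOR)

def unresolved_uids(short_text):
    """Usernames that `pdbedit -L` lists with UID 4294967295."""
    rows = (l.strip().split(":") for l in short_text.splitlines())
    return [r[0] for r in rows if len(r) > 1 and r[1] == str(UNRESOLVED_UID)]

if __name__ == "__main__":
    users = parse_verbose(SAMPLE_LV)
    print("RID below floor:", skipped_by_upgrade(users))
    print("UID unresolved:", unresolved_uids(SAMPLE_L))
```

The two checks are kept separate because they read different fields: the second column of `pdbedit -L` is the Unix UID, while the RID is only visible in the verbose listing.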