Re: [Samba] Provision new domain keeping users and passwords
- Date: Wed, 29 Mar 2017 14:31:09 -0300
- From: Jeanderson Soares via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Provision new domain keeping users and passwords
2017-03-29 11:06 GMT-03:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:
> On Wed, 29 Mar 2017 17:30:28 +0400
> Mike Lykov via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 29.03.2017 16:52, Santiago Londoño Mejía via samba wrote:
> > > Hello,
> > > Is this procedure for samba as DC?
> > I'm in doubt about it, it looks like it for old-style NT Domain...
> > Maybe more skilled people will comment on it.
> I don't think creating a new domain and using the users and passwords
> is going to work.
> There are several problems:
> Windows identifies the users etc by the RID, but this is to be found at
> the end of the domain SID, so if user 'fred' has the RID 1107 and you
> create a new Samba AD domain and create the user 'fred' with the same
> RID, this would be a different user 'fred', because the SID would be
I created a user 'fred' in the old DC Domain and exported/imported to the
new Domain (using pdbedit) and I was able to login on a windows
machine(member of the new domain) normally (except that the user account
(old dc domain)# pdbedit -v fred
User SID: S-1-5-21-*3914450021-4001743833-916707020*-45772
(new dc domain)# pdbedit -v fred
User SID: S-1-5-21-*1365935180-2367880061-2796624718*-45772
The SID really changed. Maybe I can get into trouble in the future.
> The users password is stored in an hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is heavily
> encoded. You may be able to obtain some of the users password with
> pdbedit, but can you get them all ?
Another way to accomplish this would be by exporting the user NTHASH. And I
can do this for all the users:
(old dc domain)# pdbedit -w fred
(new dc domain)# pdbedit fred --set-nt-hash
But you will need to create the user first.
> If you create a new domain, it will be just that, a new domain and you
> will need to join all your machines to it.
> Bearing all this in mind, it will probably be easier to obtain a list
> of your users and groups, also get a list of which user
> is a member of which group.
> Create the new domain, add the users, give them a temporary password
> and set the user to change their password at first logon. Add the
> groups and reset the group membership.
> Email the new password to the users and then one weekend, change over
> to the new DC.
That sounds the best way. Thanks for the clarifications!
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
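The two technical points in the thread, that the user keeps the same RID but gets a different domain SID on the new DC, and that the NT hash from `pdbedit -w` can be carried over, can be checked mechanically before a cutover. The following is an added example, not code from the thread or from Samba itself. It uses the two SIDs quoted above (with the emphasis asterisks stripped) and two constructed smbpasswd-format lines with placeholder hashes; the function names are my own.

```python
"""Check a user's identity and credential across an old and a new Samba domain.

Added example, not from the original thread.  Assumptions:
- the SIDs are the ones quoted in the thread (asterisks are emphasis, stripped here);
- the smbpasswd lines are constructed, with placeholder 32-hex-char hashes;
- pdbedit -w prints 'user:uid:LMHASH:NTHASH:[flags]:LCT-hex:' (smbpasswd format).
"""
import re

# Domain-user SID: S-1-5-21-<a>-<b>-<c>-<rid>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed input, modelled on the pdbedit output quoted in the thread
OLD_SID = "S-1-5-21-*3914450021-4001743833-916707020*-45772"
NEW_SID = "S-1-5-21-*1365935180-2367880061-2796624718*-45772"
# Constructed smbpasswd-format lines (placeholder hashes, placeholder uid)
OLD_LINE = "fred:10001:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-58DB4E2D:"
NEW_LINE = "fred:10001:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0123456789abcdef0123456789abcdef:[U          ]:LCT-58DBC000:"


def parse_sid(sid):
    """Split a domain-user SID into (domain_sid, rid); tolerate '*' emphasis."""
    m = SID_RE.match(sid.replace("*", ""))
    if not m:
        raise ValueError(f"not a domain user SID: {sid!r}")
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", int(rid)


def same_principal(sid_a, sid_b):
    """Windows compares the whole SID: equal RIDs under different domain SIDs
    are two different accounts, so ACLs naming the old SID will not match."""
    return parse_sid(sid_a) == parse_sid(sid_b)


def parse_smbpasswd_line(line):
    """Parse one 'pdbedit -w' line and return the fields a migration needs."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 6:
        raise ValueError("short smbpasswd line")
    user, uid, lm_hash, nt_hash, flags, lct = fields[:6]
    if not HEX32_RE.fullmatch(nt_hash):
        raise ValueError(f"NT hash field for {user!r} is not 32 hex chars")
    # Normalise case so hashes exported from different hosts compare equal
    return {"user": user, "uid": int(uid), "nt_hash": nt_hash.upper(), "flags": flags}


def migration_report(old_sid, new_sid, old_line, new_line):
    """Summarise what did and did not carry over for one user."""
    old_dom, old_rid = parse_sid(old_sid)
    new_dom, new_rid = parse_sid(new_sid)
    old_rec = parse_smbpasswd_line(old_line)
    new_rec = parse_smbpasswd_line(new_line)
    return {
        "user": old_rec["user"],
        "rid_matches": old_rid == new_rid,
        "domain_sid_matches": old_dom == new_dom,
        "same_principal": same_principal(old_sid, new_sid),
        "nt_hash_carried": old_rec["nt_hash"] == new_rec["nt_hash"],
    }


if __name__ == "__main__":
    report = migration_report(OLD_SID, NEW_SID, OLD_LINE, NEW_LINE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the thread's own numbers the report shows `rid_matches: True`, `domain_sid_matches: False`, `same_principal: False` and `nt_hash_carried: True`: the password survives the `--set-nt-hash` step, but anything keyed on the old SID (file ACLs, group memberships stored by SID, profile paths) has to be re-done on the new domain, which is why the list's advice to rebuild users and groups and re-join the machines stands.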