
Re: [Samba] Provision new domain keeping users and passwords




On Thu, 2017-03-30 at 08:10 +0400, Mike Lykov via samba wrote:
> 29.03.2017 21:31, Jeanderson Soares via samba wrote:
> 
> > I created a user 'fred' in the old DC Domain and exported/imported to
> > the new Domain (using pdbedit) and I was able to login on a windows
> > machine (member of the new domain) normally (except that the user
> > account has expired).
> > 
> > (old dc domain)# pdbedit -v fred
> > User SID:             S-1-5-21-*3914450021-4001743833-916707020*-45772
> > 
> > (new dc domain)# pdbedit -v fred
> > User SID:             S-1-5-21-*1365935180-2367880061-2796624718*-45772
> > 
> > The SID really changed. Maybe I can get troubles in the future.

Yes, it will cause you trouble.  You can set the domain SID during the
provision, but this illustrates why I don't recommend this approach. 

> 
> > > If you create a new domain, it will be just that, a new domain and
> > > you will need to join all your machines to it.
> 
> If you can transfer user with password to the new domain as described
> above, is this method applicable to machine's accounts?
> 
> What can I do (if I want) to export/import machine accounts to the new
> domain?
> 
> For example, I have a machine joined to live domain DOM1, and with dns
> server DOM1.dc.com
> 
> I change dns to DOM2.dc.com, then import/export machine account to
> DOM2, (reboot the machine if needed). Is this machine "joined" to the
> new domain already?

No, a machine is only joined to the same domain name and SID as it
started with.  Machines should be re-joined (perhaps using remote
tools). 

> By the way, if I accidentally delete the machine account from domain,
> can I restore it (in samba 4.5), or only rejoin it?

No, you must re-join it. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
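
Added example, not part of the original message and not Samba code: a check that compares `pdbedit -v` output from the old and new DC and reports, per account, whether the domain part of the SID changed while the RID stayed the same, which is the situation shown in the thread. The sample text is constructed around the two SIDs quoted above (emphasis asterisks removed); the `Unix username:` field and the dashed record separator are assumptions about the surrounding `pdbedit -L -v` output.

```python
import re

# Constructed samples built from the two SIDs quoted in the thread.
OLD_DC = """\
Unix username:        fred
User SID:             S-1-5-21-3914450021-4001743833-916707020-45772
"""
NEW_DC = """\
Unix username:        fred
User SID:             S-1-5-21-1365935180-2367880061-2796624718-45772
"""

USER_RE = re.compile(r"^Unix username:\s+(\S+)\s*$", re.M)
SID_RE = re.compile(r"^User SID:\s+(S-1-5-21-\d+-\d+-\d+-\d+)\s*$", re.M)


def split_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_pdbedit(text):
    """Map username -> (domain SID, RID) from one or more verbose records."""
    accounts = {}
    # Assumption: records in a full listing are separated by a dashed line.
    for record in re.split(r"^-{5,}\s*$", text, flags=re.M):
        user, sid = USER_RE.search(record), SID_RE.search(record)
        if user and sid:
            accounts[user.group(1)] = split_sid(sid.group(1))
    return accounts


def compare(old_text, new_text):
    """Classify every account present on both DCs by what changed in its SID."""
    old, new = parse_pdbedit(old_text), parse_pdbedit(new_text)
    report = {}
    for user in sorted(old.keys() & new.keys()):
        (old_dom, old_rid), (new_dom, new_rid) = old[user], new[user]
        if old_dom != new_dom:
            # ACLs, group memberships and machine joins keyed on the old SID no longer match.
            report[user] = "domain-sid-changed"
        elif old_rid != new_rid:
            report[user] = "rid-changed"
        else:
            report[user] = "identical"
    return report


if __name__ == "__main__":
    for user, status in compare(OLD_DC, NEW_DC).items():
        print(f"{user}: {status}")
```

An "identical" result for every account is what you would expect only if the new domain was provisioned with the old domain SID.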

