Hi Rowland, Denis

Thank you very much for your answers; it really helped a lot.

And sorry for the delay in answering, I was busy with other stuff.

Your advice didn't lead me straight to the solution, but I got improvements thanks to it.

For now, whatever I do to change the workgroup, it changes the domain SID.

Actually it's more subtle:

Before change workgroup:

#net getdomainsid

SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216

SID for domain OLDDOMAIN.LAN is: S-1-5-21-1905493267-1041818301-753029000

After change workgroup:

#net getdomainsid
SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain NEWDOMAIN is: S-1-5-21-673913221-4242741474-1014044216
It sets the domain SID to the same as the local SID (and again it doesn't retrieve domain accounts).

I also tried changing the local SID first (net setlocalsid) to the same as the domain's, then changing the domain SID, but it switches me again to another [new] SID...

And net setdomainsid never worked to reset to the original SID.
I tried manually editing secrets.tdb with tdbtool (to make it reflect the changes) and even erasing it, but without success.

I even tried a kind of general change (new OpenLDAP with a totally modified LDIF with new values, modified secrets.tdb). No success.

Actually I found the workaround of changing all user account SIDs with a pdbedit script (which has the advantage of writing the changes automatically to the LDAP) to make them correspond to the new domain SID.
ex account:

This way, the PDC finds all accounts in the domain again. Then I run the classicupgrade.

For now it seems a kind of mitigation compared to the "hard" solution of starting from scratch and rebuilding the domain.

I will certainly have to rejoin all machines to the domain (haven't had time to test it yet), but if I can at least recover all user profiles, I would be up for this path...

I'll give you more details on Monday after further tests and troubleshooting.

Still open to any advice! (about the NetBIOS domain name, or tips for rejoining machines to the domain)

Thanks again, your help is invaluable.



On 18/10/2017 18:57, Rowland Penny wrote:
On Tue, 17 Oct 2017 14:56:27 +0200
Sami Chibani via samba wrote:

OK, I can confirm that you can change the workgroup name, but you need
to do it before the classicupgrade.

Stop smbd, nmbd and winbind, change the workgroup in smb.conf, restart
smbd, nmbd and winbind.
You should now find that the SIDs haven't changed, but if you search in
ldap for 'sambaDomainName', you will probably find two, one for the old
workgroup and one for the new one. You will also probably find that the
object for the new domain doesn't have a 'sambaNextRid' attribute, so
you will need to add it with the value obtained from the old workgroup
object. Now delete the old workgroup object.
At this point, I stopped smbd, nmbd and winbind, left the ldap server
and copied the required files to what would become the new DC.
After trying to carry out the classicupgrade, I found that if you have
'passdb backend = ldapsam' in the old smb.conf the upgrade uses, you
need to change this to: passdb backend = ldapsam:"ldap://";

Where '' is the ipaddress of the old PDC

After doing all this, running 'samba-tool domain classicupgrade
--realm=test.tld /var/lib/samba/dbdir/smb.PDC.conf'

led to an AD DC, with the REALM 'TEST.TLD' and the workgroup 'EXAMPLE'.
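The workaround described earlier in this message (rewriting every user account's SID so that the RID stays the same but the domain part matches the new domain SID from `net getdomainsid`) can be made safer by generating a reviewable plan first instead of editing accounts in a loop. The script below is an added example written for this thread; it is not code posted by Sami or Rowland and is not part of Samba. It assumes the output formats shown in the message for `net getdomainsid`, that `pdbedit -Lv` prints "Unix username:" and "User SID:" lines, and that `pdbedit -r -u USER -U SID` rewrites a stored user SID (check these against `pdbedit --help` on your version). The sample data is constructed to look like the outputs quoted above.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumptions: `net getdomainsid`
# prints "SID for domain X is: S-...", `pdbedit -Lv` prints "Unix username:"
# and "User SID:" lines, and `pdbedit -r -u USER -U SID` rewrites a user SID.

# Pull the domain SID out of `net getdomainsid` output passed as $1.
domain_sid_from_output() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: *//p' | head -n 1
}

# Replace the domain part of a user SID with $2, keeping the RID (last field).
# Anything that is not a well-formed S-1-5-21-a-b-c-rid SID is rejected.
remap_sid() {
    user_sid=$1
    new_domain=$2
    printf '%s\n' "$user_sid" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' || return 1
    printf '%s\n' "$new_domain" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$' || return 1
    printf '%s-%s\n' "$new_domain" "${user_sid##*-}"
}

# Read `pdbedit -Lv` text on stdin and print one pdbedit command per account
# whose SID is not already under $1. Nothing is executed here: review the
# plan, then pipe it into sh.
plan_remap() {
    new_domain=$1
    user=""
    while IFS= read -r line; do
        case "$line" in
            "Unix username:"*)
                rest=${line#"Unix username:"}
                set -- $rest          # word splitting trims the padding
                user=$1
                ;;
            "User SID:"*)
                rest=${line#"User SID:"}
                set -- $rest
                sid=$1
                case "$sid" in
                    "$new_domain-"*) continue ;;   # already under the new domain
                esac
                if new_sid=$(remap_sid "$sid" "$new_domain"); then
                    printf 'pdbedit -r -u %s -U %s\n' "$user" "$new_sid"
                else
                    printf '# skipped %s: unexpected SID %s\n' "$user" "$sid"
                fi
                ;;
        esac
    done
}

# Constructed sample data shaped like the outputs quoted in the message.
SAMPLE_NET_OUTPUT='SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain NEWDOMAIN is: S-1-5-21-673913221-4242741474-1014044216'

SAMPLE_PDBEDIT='Unix username:        alice
User SID:             S-1-5-21-1905493267-1041818301-753029000-1000
Primary Group SID:    S-1-5-21-1905493267-1041818301-753029000-513
---------------
Unix username:        bob
User SID:             S-1-5-21-673913221-4242741474-1014044216-1001
Primary Group SID:    S-1-5-21-673913221-4242741474-1014044216-513'

# Dry run over the sample: only alice still carries the old domain SID.
demo_plan() {
    new_domain=$(domain_sid_from_output "$SAMPLE_NET_OUTPUT")
    printf '%s\n' "$SAMPLE_PDBEDIT" | plan_remap "$new_domain"
}

# Real use, after backing up the passdb/LDAP:
#   pdbedit -Lv | plan_remap "$(domain_sid_from_output "$(net getdomainsid)")" > plan.sh
demo_plan
```

The plan only touches user SIDs; primary group SIDs and group mappings that still carry the old domain part need the same treatment (pdbedit has a separate `-G`/`--group-SID` option for the primary group), and the plan should be diffed against a passdb backup before it is run, since a half-applied remap leaves the domain with two SID prefixes, which is exactly the "accounts not found" state described above.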


