Re: [Samba] migrating NT-style domain SID-error

On Tue, 15 May 2018 20:37:34 +0200
Stefan Kania via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi Rowland,
> after we solved the puzzle today here is what we found:
> The Samba PDC with tdbsam backend was installed a loooooong time ago.
> Many updates and distributions later, the Samba PDC was still running
> with the same databases and the same smb.conf. The only thing
> that someone sometime changed was the hostname and the NetBIOS-Name in
> smb.conf. BUT in secrets.tdb was still the old name. Then they used
> the iso-8859-15 codepage and there were some "fullname"-entries with
> "ä" "ö" and "ü". Then there were some local users in passwd-file with
> the same ID and name as AD-BUILTIN-Accounts. So with all these funny
> things it was hard to get things running. After we saw the
> error message from "samba-tool dbcheck" I tried to let samba-tool fix
> the problem, but it didn't work. Then I tried to rebuild the
> index-dbs and that was the point where we found the users with "ä"
> "ö" and "ü". Because of the character translation there was a lot of
> garbage inside the AD-database. So we had set up a new samba-PDC with
> the original name, so we got a new clean secrets.tdb. Then we copied
> the backup from all *.tdb-files to the new PDC. So that we had a
> clean running PDC. Then we changed the "fullname"-entries with
> "pdbedit", copied all files to the first AD and did the
> classicupgrade. Then we found out that the sysvol-share had the wrong
> group set. I went to all the Objects and I found out that the group
> "BUILTIN\administrators" had an ObjectClass PosixAccount and a
> GidNumber. With ldbedit I removed the ObjectClass and the GidNumber.
> Did a "net cache flush", reset the permissions and everything was
> fine. Now we had a nice running first ADDC, then we installed and
> joined the second ADDC, and replication is working and we are happy.
> And YES we are using Louis 4.7 packages. HELLLLOOOOOOOO
> LOOOUUUIIISSSS thanks for the work :-)
> Stefan
> On 15.05.2018 at 09:39, Rowland Penny via samba wrote:
> > It looks like it is falling over whilst trying to 'normalise' an
> > entry in AD, could this be a 'locale' problem ??

Glad you got it sorted and you found what I thought was the problem.
Being English, I never have this problem, we don't have these accent
thingies ;-)

You can safely remove any and all posix objectclasses, they are not
required because they are auxiliary objectclasses, you can still use
their attributes without them.
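
The codepage problem described in this thread can be checked for before a classicupgrade. The following is an added example, not part of the original messages: it scans the raw bytes of a `pdbedit -L -v` dump for "Full Name" values that are not valid UTF-8 and shows them decoded as ISO-8859-15. The function names and the sample records are constructed for illustration.

```python
# Added example: flag passdb "Full Name" values that are not valid UTF-8.
# Input is the raw bytes of a `pdbedit -L -v` dump; SAMPLE below is constructed.

def decode_field(raw: bytes, legacy: str = "iso-8859-15"):
    """Return (text, was_legacy). Valid UTF-8 is kept as-is; anything else
    is assumed to be in the legacy codepage mentioned in the thread."""
    try:
        return raw.decode("utf-8"), False
    except UnicodeDecodeError:
        return raw.decode(legacy), True

def find_legacy_fullnames(dump: bytes):
    """Return [(username, fullname)] for records whose Full Name is not UTF-8."""
    hits, user = [], None
    for line in dump.splitlines():
        key, sep, value = line.partition(b":")
        if not sep:
            continue  # record separator lines carry no "key: value" pair
        key, value = key.strip(), value.strip()
        if key == b"Unix username":
            user = decode_field(value)[0]
        elif key == b"Full Name":
            text, was_legacy = decode_field(value)
            if was_legacy:
                hits.append((user, text))
    return hits

# Constructed sample: one ISO-8859-15 name, one UTF-8 name, one ASCII name.
SAMPLE = (
    b"---------------\n"
    b"Unix username:        jmueller\n"
    b"Full Name:            J\xfcrgen M\xfcller\n"
    b"---------------\n"
    b"Unix username:        akoehler\n"
    b"Full Name:            Anja K\xc3\xb6hler\n"
    b"---------------\n"
    b"Unix username:        bsmith\n"
    b"Full Name:            Bob Smith\n"
)

if __name__ == "__main__":
    for user, name in find_legacy_fullnames(SAMPLE):
        print(f"{user}: Full Name is not UTF-8, legacy decoding gives: {name}")
```

Feed it the dump as bytes (for example, read from a file opened in binary mode) so that the terminal locale does not re-encode the names before the check runs.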


