Web lists-archives.com

Re: [Samba] migrating NT-style domain SID-error

On Tue, 15 May 2018 20:37:34 +0200
Stefan Kania via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi Rowland,
> after we solved the puzzle today here is what we found:
> The Samba PDC with tdbsam backend was installed a loooooong time ago.
> Many updates and distributions later, the Samba PDC was still running
> with with the same databases and the same smb.conf. The only thing
> that someone sometime changed was the hostname and the NetBIOS-Name in
> smb.conf. BUT in secrets.tdb was still the old name. Then they used
> the iso-8859-15 codepage and  there were som "fullname"-entries wit
> "ä" "ö" and "ü". Then there were some local users in passwd-file with
> the same ID an name as AD-BUILDIN-Accounts. So with all these funny
> things it was hard to get things running. After we saw the
> errormessage from "samba-tool dbcheck" I try to let samba-tool fix
> the problem, but it didn't worked. Then I try to rebuild the
> index-dbs and that was the point where we found the users with "ä"
> "ö" and"ü". Because of the character translation there was a lot of
> garbage inside the AD-database. So we had set up a new samba-PDC with
> the original name, so we got a new clean secrets.tdb. Then we copied
> the backup from all *.tdb-files to the new PDC. So that we had an
> clean running PDC. Then we changed the "fullname"-entries with
> "pdbedit" copied alle files to the first AD and did the
> classicupgrade. The we found out, that the sysvol-share had the wrong
> group set. I went to all the Objects and I found out, that the group
> "BUILDIN\administrators" had a ObjectClass PosixAccount and a
> GidNumber. With ldbedit I removed the ObjectClass and the GidNumber.
> Did a "net chache flush" reseted the permissions and everything was
> fine. Now we had a nice running first ADDC, then we installed and
> joined the second ADDC, and replication is working and we are happy.
> And YES we are using Louis 4.7 packages. HELLLLOOOOOOOO
> LOOOUUUIIISSSS thanks for the work :-)
> Stefan
> Am 15.05.2018 um 09:39 schrieb Rowland Penny via samba:
> > It looks like it is falling over whilst trying to 'normalise' an
> > entry in AD, could this be a 'locale' problem ??

Glad you got it sorted and you found what I thought was the problem.
Being English, I never have this problem, we don't have these accent
thingies ;-)

You can safely remove any and all posix objectclasses, they are not
required because they are auxiliary objectclasses, you can still use
their attributes without them.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba