Q&A: Can I change the sambaDomainSID after installation?

Question:

Can I change the sambaDomainSID after installation?

Answer:

No. After Samba 4 is installed, the NT ACLs (which embed the domain SID) are already written to the filesystem.

Possibilities:

You can try to manipulate the sambaSID and sambaPrimaryGroupSID before you install samba on the server.

First

The sambaSID is present after “normal” installation

udm settings/sambadomain list
DN: sambaDomainName=SUN,cn=samba,dc=sun,dc=shine
  NextGroupRid: 1000
  NextRid: None
  NextUserRid: 1000
  SID: S-1-5-21-3861595148-1119969541-3446865811
  badLockoutAttempts: None
  disconnectTime: None
  domainPasswordComplex: 1
  domainPasswordStoreCleartext: 0
  domainPwdProperties: 1
  lockoutDuration: None
  logonToChangePW: None
  maxPasswordAge: None
  minPasswordAge: None
  name: SUN
  passwordHistory: None
  passwordLength: 8
  refuseMachinePWChange: None
  resetCountMinutes: None

Step 1

You have to modify the entry via ldapmodify:

root@master:~# ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: sambaDomainName=SUN,cn=samba,dc=sun,dc=shine
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-1234567890-1234567890-1234567890
EOR

Step 2

During the normal installation, the sambaSID is already set and sambaSID and sambaPrimaryGroupSID are also already set on some objects and groups, although no samba is installed yet.

You can check the objects with:
univention-ldapsearch -LLL '(|(sambaSID=*)(sambaPrimaryGroupSID=*))' sambaSID sambaPrimaryGroupSID

Stop the LDAP Server

/etc/init.d/slapd stop

save the database

slapcat >ldif
cp ldif ldif.backup
mkdir /var/lib/univention-ldap/ldap.backup
mv /var/lib/univention-ldap/ldap/* /var/lib/univention-ldap/ldap.backup

get a new DB Config

ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG

modify the ldif

e.g. with vim: :%s/S-1-5-21-3861595148-1119969541-3446865811/S-1-5-21-1234567890-1234567890-1234567890/g

add the new ldif

slapadd <ldif

start slapd

/etc/init.d/slapd start

Note: this approach bypasses the replication mechanism!

Using ldapmodify for the changes might be a better way.
Otherwise you have to make sure that the translog database receives the changed information, maybe with univention-replicate-{one,many}.
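As an added example (not part of the original answer and not a Univention tool), the following Python script performs the LDIF edit from step 2 in a more controlled way than a global search-and-replace. It reads the slapcat dump, first unfolds LDIF continuation lines (a wrapped value would be missed by a plain `%s` in vim), rewrites only the `sambaSID` and `sambaPrimaryGroupSID` values whose domain prefix is the old domain SID while keeping the RID suffix, leaves well-known or foreign SIDs untouched, and reports any base64-encoded (`::`) values that a text substitute would silently skip. It can emit either the rewritten dump for `slapadd` or a `changetype: modify` LDIF for `ldapmodify`, which is the variant the note above prefers. The sample LDIF, the attribute list, and the file names are constructed assumptions.

```python
"""Rewrite the domain part of Samba SIDs in a slapcat LDIF dump.

Usage (assumed file names):
    python3 rewrite_sid.py ldif > ldif.new          # full dump for slapadd
    python3 rewrite_sid.py --modify ldif > fix.ldif # changes for ldapmodify
"""
import re
import sys

# Old SID taken from the udm output above, new SID from the ldapmodify step.
OLD_DOMAIN_SID = "S-1-5-21-3861595148-1119969541-3446865811"
NEW_DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"
# Attributes that carry domain-relative SIDs (assumption: these two suffice).
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) (.*)$")


def unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def rewrite_sid(value, old, new):
    """Swap the domain prefix of one SID and keep its RID suffix (e.g. -1000)."""
    if value == old:
        return new
    if value.startswith(old + "-"):
        return new + value[len(old):]
    return value  # well-known SID (S-1-5-32-*) or another domain: untouched


def rewrite_ldif(text, old=OLD_DOMAIN_SID, new=NEW_DOMAIN_SID):
    """Return (rewritten LDIF, number of changed values, base64 lines skipped)."""
    out, changed, skipped = [], 0, []
    for line in unfold(text):
        m = ATTR_RE.match(line)
        if m and m.group(1) in SID_ATTRS:
            attr, sep, value = m.groups()
            if sep == "::":
                skipped.append(line)  # base64 value: must be decoded, not sed'ed
                out.append(line)
                continue
            new_value = rewrite_sid(value, old, new)
            changed += new_value != value
            out.append(f"{attr}: {new_value}")
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed, skipped


def parse_entries(lines):
    """Split unfolded LDIF lines into entries (lists of lines) at blank lines."""
    entries, current = [], []
    for line in lines:
        if line == "":
            if current:
                entries.append(current)
                current = []
        elif not line.startswith("#"):
            current.append(line)
    if current:
        entries.append(current)
    return entries


def modify_ldif(text, old=OLD_DOMAIN_SID, new=NEW_DOMAIN_SID):
    """Build a changetype: modify LDIF touching only entries that need it."""
    chunks = []
    for entry in parse_entries(unfold(text)):
        changes = []
        for line in entry[1:]:
            m = ATTR_RE.match(line)
            if not m or m.group(1) not in SID_ATTRS or m.group(2) == "::":
                continue
            attr, _, value = m.groups()
            new_value = rewrite_sid(value, old, new)
            if new_value != value:
                changes.append(f"replace: {attr}\n{attr}: {new_value}\n-")
        if changes:
            chunks.append("\n".join([entry[0], "changetype: modify"] + changes))
    return "\n\n".join(chunks) + ("\n" if chunks else "")


# Constructed sample dump: one wrapped value, one well-known group SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=SUN,cn=samba,dc=sun,dc=shine
sambaDomainName: SUN
sambaSID: S-1-5-21-3861595148-1119969541-3446865811

dn: uid=alice,cn=users,dc=sun,dc=shine
uid: alice
sambaSID: S-1-5-21-3861595148-1119969541-34468
 65811-1000
sambaPrimaryGroupSID: S-1-5-21-3861595148-1119969541-3446865811-513

dn: cn=Domain Users,cn=groups,dc=sun,dc=shine
sambaSID: S-1-5-21-3861595148-1119969541-3446865811-513

dn: cn=Windows Hosts,cn=groups,dc=sun,dc=shine
sambaSID: S-1-5-32-545
"""

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--modify"]
    src = open(args[0]).read() if args else SAMPLE_LDIF
    if "--modify" in sys.argv:
        sys.stdout.write(modify_ldif(src))
    else:
        text, n, skipped = rewrite_ldif(src)
        sys.stdout.write(text)
        print(f"changed {n} values, {len(skipped)} base64 values skipped", file=sys.stderr)
```

Run it against the `ldif` produced by `slapcat` before the `slapadd`, and check that the skipped count on stderr is zero; a non-zero count means some SID values were base64-encoded and need a separate look. The `--modify` output feeds straight into `ldapmodify` as in step 1, so the change goes through the running slapd and the translog instead of around it.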

Step 3

Installation on the commandline:
univention-install univention-s4-connector

Check Join Status!

root@master:~# univention-check-join-status
Warning: 'univention-samba4-dns' is not configured.
Warning: 'univention-samba4-saml-kerberos' is not configured.
Error: Not all install files configured: 2 missing

and run them again:

univention-run-join-scripts
Running 98univention-samba4-dns.inst                       done
Running 98univention-samba4-saml-kerberos.inst             done