Question:
Can I change the sambaDomainSID after installation?
Answer:
No. Once Samba 4 has been installed, the NT ACLs are already written to the file system.
Possibilities:
You can try to change the sambaSID and sambaPrimaryGroupSID values before you install Samba on the server.
First
The sambaSID is already present after a “normal” installation:
udm settings/sambadomain list
DN: sambaDomainName=SUN,cn=samba,dc=sun,dc=shine
NextGroupRid: 1000
NextRid: None
NextUserRid: 1000
SID: S-1-5-21-3861595148-1119969541-3446865811
badLockoutAttempts: None
disconnectTime: None
domainPasswordComplex: 1
domainPasswordStoreCleartext: 0
domainPwdProperties: 1
lockoutDuration: None
logonToChangePW: None
maxPasswordAge: None
minPasswordAge: None
name: SUN
passwordHistory: None
passwordLength: 8
refuseMachinePWChange: None
resetCountMinutes: None
Step 1
Modify the entry with ldapmodify:
root@master:~# ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: sambaDomainName=SUN,cn=samba,dc=sun,dc=shine
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-1234567890-1234567890-1234567890
EOR
Step 2
During the normal installation the sambaSID is already set, and sambaSID and sambaPrimaryGroupSID are also already set on some objects and groups, although Samba itself is not installed yet.
You can list these objects with:
univention-ldapsearch -LLL '(|(sambaSID=*)(sambaPrimaryGroupSID=*))' sambaSID sambaPrimaryGroupSID
Stop the LDAP server
/etc/init.d/slapd stop
Save the database
slapcat >ldif
cp ldif ldif.backup
mkdir /var/lib/univention-ldap/ldap.backup
mv /var/lib/univention-ldap/ldap/* /var/lib/univention-ldap/ldap.backup
Get a new DB config
ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG
Modify the ldif
e.g. in vim: :%s/S-1-5-21-3861595148-1119969541-3446865811/S-1-5-21-1234567890-1234567890-1234567890/g
Add the new ldif
slapadd <ldif
Start slapd
/etc/init.d/slapd start
Note: this approach bypasses the replication mechanism!
Using ldapmodify for the changes might be the better way.
Otherwise you have to make sure that the translog database receives the changed information, maybe with univention-replicate-{one,many}.
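As an added example (not part of the article), here is a small Python script that performs the SID substitution in the slapcat dump more carefully than a global text replace: it unfolds slapcat's wrapped continuation lines first, touches only sambaSID and sambaPrimaryGroupSID values that belong to the old domain SID (keeping the RID and leaving well-known SIDs such as S-1-5-32-544 alone), and offers a check that no entry still references the old SID before slapadd. The two domain SIDs are the ones from the article; the LDIF excerpt is constructed sample data.

```python
import re

# Domain SIDs taken from the article; the LDIF further down is constructed sample data.
OLD_SID = "S-1-5-21-3861595148-1119969541-3446865811"
NEW_SID = "S-1-5-21-1234567890-1234567890-1234567890"
SID_LINE = re.compile(r"^(sambaSID|sambaPrimaryGroupSID): (S-1-5-21-\d+-\d+-\d+)(-\d+)?$")

def unfold_ldif(text):
    """Join LDIF continuation lines (slapcat wraps long lines; the rest starts with a space)."""
    return text.replace("\n ", "")

def rewrite_domain_sid(ldif_text, old_sid=OLD_SID, new_sid=NEW_SID):
    """Replace the domain part of every sambaSID / sambaPrimaryGroupSID value that belongs to
    old_sid, keeping the RID. Returns (new_ldif, [(dn, attr, old_value, new_value), ...])."""
    changes, out, dn = [], [], None
    for line in unfold_ldif(ldif_text).split("\n"):
        if line.startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        m = SID_LINE.match(line)
        if m and m.group(2) == old_sid:          # other domains / BUILTIN SIDs never match
            attr, rid = m.group(1), m.group(3) or ""
            changes.append((dn, attr, old_sid + rid, new_sid + rid))
            line = f"{attr}: {new_sid}{rid}"
        out.append(line)
    return "\n".join(out), changes

def entries_still_referencing(ldif_text, sid=OLD_SID):
    """DNs that still mention sid in any attribute; expect [] on the rewritten dump before slapadd."""
    dn, hits = None, []
    for line in unfold_ldif(ldif_text).split("\n"):
        if line.startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif sid in line and dn not in hits:
            hits.append(dn)
    return hits

# Constructed slapcat-style excerpt: domain object, a user, a group whose sambaSID line is
# folded the way slapcat wraps long lines, and a BUILTIN group that must not be touched.
SAMPLE_LDIF = f"""dn: sambaDomainName=SUN,cn=samba,dc=sun,dc=shine
sambaSID: {OLD_SID}

dn: uid=alice,cn=users,dc=sun,dc=shine
sambaSID: {OLD_SID}-1000
sambaPrimaryGroupSID: {OLD_SID}-513

dn: cn=Domain Users,cn=groups,dc=sun,dc=shine
sambaSID: {OLD_SID[:20]}
 {OLD_SID[20:]}-513

dn: cn=Administrators,cn=Builtin,dc=sun,dc=shine
sambaSID: S-1-5-32-544
"""
```

Run rewrite_domain_sid on the real slapcat output, review the returned change list, and only slapadd the result once entries_still_referencing comes back empty.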
Step 3
Installation on the command line:
univention-install univention-s4-connector
Check the join status!
root@master:~# univention-check-join-status
Warning: 'univention-samba4-dns' is not configured.
Warning: 'univention-samba4-saml-kerberos' is not configured.
Error: Not all install files configured: 2 missing
and run the missing join scripts again:
univention-run-join-scripts
Running 98univention-samba4-dns.inst done
Running 98univention-samba4-saml-kerberos.inst done