s4-s3upgrade: Assert that administrator has a SID of -500, and only skip root if...

Many upgraded installations have root as -1000, and so that account needs to be kept.

Andrew Bartlett

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index 85c2c8c6faafa19287f9f2de8514e2ca9d38bc5a..09a52c182ced0da3fd4ddc221ec5dd5aee6b07a2 100644 (file)
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -746,8 +746,15 @@ Please fix this account before attempting to upgrade again
     # Export users to samba4 backend
     logger.info("Importing users")
     for username in userdata:
-        if username.lower() == 'administrator' or username.lower() == 'root':
-            continue
+        if username.lower() == 'administrator':
+            if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
+                raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
+        if username.lower() == 'root':
+            if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
+                logger.warn('User root has been replaced by Administrator')
+            else:
+                logger.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
+
         s4_passdb.add_sam_account(userdata[username])
         if username in uids:
             add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)