[Samba] samba problems. accounts expire after a hour, but work after reset

Collen Blijenberg collen at hermanjordan.nl
Wed Mar 7 12:10:22 GMT 2007


Hey, thx Edmundo,

hmm, basically I did a migration. We replaced an old samba server after
4 years, and made a new one.
I exported the samba user accounts with the -i and -e option in pdbedit.
The old exported samba was version 3.0.11.

All I did was transfer the domain SID to the new PDC,
export the users and machine accounts,

import all in the new PDC, add the posix users, map some groups
with net map.
Et voila..

I left all the old .tdb files and all on the old machine, and let the
new PDC handle it.
It looks as if all works fine, but adding users and machines gives me the
headache..

Isn't there any way to influence the SID making process??
Somehow I think that changing the algorithmic rid base option isn't
going to work...

I did some other tests as well today, but it keeps on generating
existing SIDs (tried other machines).
What did I forget to do with the migration??? That makes the SIDs
screw up..?

Cheers, Collen


Edmundo Valle Neto wrote:
> Collen Blijenberg wrote:
>> Thx Felipe, after a week debugging, I found the problem!!
>>
>> There was a mix up with SIDs. I had 5 machines and a username with the 
>> same SID
>> including the PDC.
>
> Would be a nice thing if you discover why that happened. Samba 
> generates the RID part of the SID algorithmically (1000 + (2 x uid) 
> for user accounts, and 1001 + (2 x gid) for groups), if the uid is 
> different in these accounts the RID should be different too.
>
>>
>> But there is something funny where I need some help with,
>>
>> if I make a new user or machine account, samba generates the SID 
>> automatically.
>> I saw that my server doesn't look at existing SIDs.
>
> No it doesn't, that's right. It's not needed, calculating RIDs that 
> way will not make clashes.
>
>>
>> How can I let samba make SIDs after a specified number??
>> My problem at the moment is that if I make a new user, samba 
>> generates an existing SID, and therefore
>> trouble arises!
>>
>
> Well, normally it will not make clashes, unless you already have a 
> base with SIDs calculated, who knows how.
> You can change the "algorithmic rid base" option that defaults to 1000 
> to another value, raising the values that will make RIDs. (If you have 
> unmapped accounts, it will have their SIDs changed too, as the 
> algorithm will be different; if I remember right in samba 3.0.23c 
> there's some changes about that.)
>
> In some distributions, you can raise the uid/gids range. That way 
> would make higher RIDs be generated too. :)
>
>> example: current last SID in user database:  
>> S-1-5-21-1968991162-2130249723-1959552931-5462
>> if i make a new user samba will use: 
>> S-1-5-21-1968991162-2130249723-1959552931-5410    ????????????
>
> Do you use a database server to store your samba users, right? Well, I 
> never used it, I don't know how exactly it stores information. As I 
> don't know how you have created your accounts or how much you have 
> messed with them. Normally uids are not reused in posix accounts and 
> samba user/group accounts pick up even/odd RID numbers, not making 
> that probable future clash as you are seeing. :)
>
>> So basically it's all about the last 4 digits!
>> Can I alter a .tdb file??? (If so, which one??)
>
> I can't say that you can't, there's some tools that 
> dump/change/add/etc contents of .tdb files, you can even dump them and 
> grep to find where's the information that you are looking for, but 
> keep in mind that probably you will mess up any reference to the 
> SID being changed (being it ACLs, profiles, or whatever).
>
> The last time that I blew up my base with repeated SIDs (took me a 
> while to discover why users were getting permissions that they 
> shouldn't, it was the first time I used an LDAP base importing the old 
> base and I changed the code that makes the SIDs in the scripts that 
> create the accounts) I deleted all these accounts, raised the base 
> RID, recreated them and changed permissions with shell scripts.
>
>> All I like is samba to start making SIDs after that -5462 number!!!
>>
>> Cheers, Collen....
>>
>> ...
> [cut]
>
>
> I hope it helps.
>
> Regards.
>
> Edmundo Valle Neto
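The RID formula Edmundo quotes (user RID = base + 2*uid, group RID = base + 1 + 2*gid, base = the "algorithmic rid base" option, default 1000) makes the clash Collen is seeing easy to check for before it causes wrong permissions: if two accounts share a SID, or an imported account's RID no longer matches what its uid would produce, the next auto-generated RID can land on an existing one. The script below is an added example, not code from the thread or from Samba; the domain SID and the -5410/-5462 RIDs are taken from the thread, while the account list, uids and the helper names (`audit_accounts`, `safe_rid_base`) are constructed for illustration.

```python
# Added example (not from the thread or the Samba project): model Samba's
# algorithmic RID mapping and audit an account list for SID clashes and
# for RIDs that no longer match the account's uid.
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-1968991162-2130249723-1959552931"  # domain SID quoted in the thread
DEFAULT_RID_BASE = 1000  # smb.conf "algorithmic rid base" default


def algorithmic_rid(posix_id, is_group=False, rid_base=DEFAULT_RID_BASE):
    """RID Samba derives from a uid (even offset) or gid (odd offset)."""
    rid = rid_base + 2 * posix_id
    return rid + 1 if is_group else rid


def rid_to_posix_id(rid, rid_base=DEFAULT_RID_BASE):
    """Inverse mapping: (posix id, is_group), or None if the RID is below the base
    (i.e. not an algorithmic RID, such as the well-known 500/512/513 RIDs)."""
    if rid < rid_base:
        return None
    offset = rid - rid_base
    return offset // 2, bool(offset % 2)


def rid_of(sid):
    """Last dash-separated component of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def audit_accounts(accounts, rid_base=DEFAULT_RID_BASE):
    """accounts: list of {'name', 'uid', 'sid'} user/machine accounts.
    Returns (duplicates, mismatches):
      duplicates  - {sid: [names]} for every SID used by more than one account
      mismatches  - [(name, actual_rid, expected_rid)] where the stored RID is not
                    what the algorithmic mapping would produce for that uid."""
    by_sid = defaultdict(list)
    for acct in accounts:
        by_sid[acct["sid"]].append(acct["name"])
    duplicates = {sid: names for sid, names in by_sid.items() if len(names) > 1}

    mismatches = []
    for acct in accounts:
        expected = algorithmic_rid(acct["uid"], rid_base=rid_base)
        actual = rid_of(acct["sid"])
        if actual != expected:
            mismatches.append((acct["name"], actual, expected))
    return duplicates, mismatches


def safe_rid_base(max_existing_rid, next_uid, current_base=DEFAULT_RID_BASE):
    """Smallest 'algorithmic rid base' such that the next uid to be allocated
    (and every higher uid) maps to a RID above every RID already in use."""
    return max(current_base, max_existing_rid - 2 * next_uid + 1)


# Constructed sample: two imported accounts reuse SIDs that the algorithm
# would hand to other uids, which is the situation described in the thread.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "uid": 2205, "sid": f"{DOMAIN_SID}-5410"},  # consistent
    {"name": "bob",   "uid": 2231, "sid": f"{DOMAIN_SID}-5462"},  # consistent
    {"name": "pc01$", "uid": 2300, "sid": f"{DOMAIN_SID}-5410"},  # imported, clashes with alice
    {"name": "carol", "uid": 2240, "sid": f"{DOMAIN_SID}-5462"},  # imported, clashes with bob
]

if __name__ == "__main__":
    dups, bad = audit_accounts(SAMPLE_ACCOUNTS)
    for sid, names in dups.items():
        print(f"duplicate SID {sid}: {', '.join(names)}")
    for name, actual, expected in bad:
        print(f"{name}: stored RID {actual}, algorithmic RID for its uid is {expected}")
    highest = max(rid_of(a["sid"]) for a in SAMPLE_ACCOUNTS)
    print("rid base needed so uid 2205 onwards clears RID", highest, "->",
          safe_rid_base(highest, 2205))
```

The audit is the useful part: a mismatch list tells you which imported accounts did not get the RID the new server would compute for them, which is exactly how a fresh account can collide with one migrated from the old PDC. `safe_rid_base` only quantifies Edmundo's suggestion; as he notes, raising the option rewrites the SIDs of every unmapped account, so it is a decision to plan rather than a quick fix.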
