Inge-Haavard Hunstad inge at cc.uit.no
Tue Apr 25 21:45:29 GMT 2000

Paul J Collins wrote:
> >>>>> "Inge-Haavard" == Inge-Haavard Hunstad <inge at cc.uit.no> writes:
>     Inge-Haavard> Hi all, I have some questions regarding the rid. I
>     Inge-Haavard> need to know how important the rid is in a Samba
>     Inge-Haavard> controlled domain. Can I assign a new rid to a user
>     Inge-Haavard> without getting any trouble? As I see it, it is only
>     Inge-Haavard> the profile that contains the rid and will be
>     Inge-Haavard> corrupted if the rid of a user changes. Is this
>     Inge-Haavard> right? If so, will I eliminate this problem if I use
>     Inge-Haavard> mandatory profiles and delete the local copy when
>     Inge-Haavard> the user logs out?  Another problem would be the
>     Inge-Haavard> machine accounts: if I change the rid of a machine
>     Inge-Haavard> account, will I have to rejoin the domain?
> The RID is the part of the SID that identifies the user's entry in the
> domain's SAM.  If you change a user's RID, then the permissions on any
> NTFS volumes that refer to that user will no longer apply; you will
> likely see "Account Unknown" in such permissions lists.  It is called
> a Relative Identifier because it only has meaning when coupled with
> the SID of a domain.
> In other words, it's very like a Unix user or group ID, and changing
> it has similar effects that changing a Unix user's user ID would have,
> but with more knock-on effects, I would think.
> I believe that an NT Workstation remembers the SID of its machine
> account, so you would probably have to rejoin the domain.  I can't
> figure out how to view the LSA secret objects with regedt32, so I
> can't be sure.
> If you detail *why* you need to change the RIDs, better solutions may
> be possible.
Thanks for your help. The reason I ask these questions is a little bit
out of curiosity. I also have some users that already exist in my
smbpasswd, but since my smbd now uses LDAP to store the passwords I
needed to know what the consequences of just giving these users a new
rid(sid) were. I think I would have to stop the samba server and start
the old one to extract the rid. But since this server is in a production
environment I hoped that it would be possible just to give the users a
new rid instead.


> Paul.
> --
> Paul Collins <sneakums at eircom.net> - - - - - [ A&P,a&f ]
>  GPG: 0A49 49A9 2932 0EE5 89B2  9EE0 3B65 7154 8131 1BCD
>  PGP: 88BA 2393 8E3C CECF E43A  44B4 0766 DD71 04E5 962C
> "Linux: it's just this operating system, you know?"

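The following is an added example, not code from the thread or from the Samba project. It shows the relationship Paul describes: a SID is a domain identifier followed by a RID, an NTFS ACE stores the full SID rather than an account name, and once the account's RID changes in the SAM the old ACE no longer resolves and shows as "Account Unknown". The domain SID, the account name and the ACL are constructed; `uid_to_rid` reproduces the algorithmic uid-to-RID mapping Samba 2.x used when no explicit RID was stored (uid * 2 + 1000 by default), which is why migrating an smbpasswd user to a new passdb backend with a different RID produces a different principal.

```python
"""Added example: how a RID relates to a SID, and why changing it breaks ACLs.

Not code from the Samba project or the thread; the domain SID, account
name and ACL below are constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Textual SID form: S-<revision>-<identifier authority>-<sub-authority>...
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]  # domain identifier parts, then the RID

    @property
    def rid(self) -> int:
        """The Relative Identifier is the last sub-authority."""
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> str:
        """Everything before the RID identifies the domain (or local machine)."""
        parts = ["S", str(self.revision), str(self.authority)]
        parts += [str(s) for s in self.sub_authorities[:-1]]
        return "-".join(parts)

    def __str__(self) -> str:
        return "%s-%d" % (self.domain_sid, self.rid)


def parse_sid(text: str) -> Sid:
    """Parse the S-1-5-21-... string form into its components."""
    m = SID_RE.match(text)
    if m is None:
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def with_rid(sid: Sid, new_rid: int) -> Sid:
    """Same domain, different RID: a completely different security principal."""
    return sid._replace(sub_authorities=sid.sub_authorities[:-1] + (new_rid,))


def uid_to_rid(uid: int, base: int = 1000) -> int:
    """Samba 2.x algorithmic mapping for users: rid = uid * 2 + base
    (groups used gid * 2 + base + 1). Base 1000 is the default."""
    return uid * 2 + base


def resolve_acl(acl: List[Tuple[str, str]],
                sam: Dict[str, str]) -> List[Tuple[str, str]]:
    """Render an ACL the way a permissions dialog would: each ACE's SID is
    looked up in the SAM (sid string -> account name); a SID with no
    matching entry is displayed as 'Account Unknown'."""
    return [(sam.get(sid_text, "Account Unknown"), rights)
            for sid_text, rights in acl]


def demo() -> List[Tuple[str, str]]:
    domain = "S-1-5-21-1111-2222-3333"                        # constructed
    inge_old = parse_sid("%s-%d" % (domain, uid_to_rid(501)))  # uid 501 -> RID 2002
    sam = {str(inge_old): "EXAMPLE\\inge"}                    # constructed SAM
    acl = [(str(inge_old), "Full Control")]                   # ACE stores the SID
    before = resolve_acl(acl, sam)
    # Reassign the RID in the SAM; the ACE on disk still carries the old SID.
    inge_new = with_rid(inge_old, 1500)
    sam = {str(inge_new): "EXAMPLE\\inge"}
    after = resolve_acl(acl, sam)
    return before + after


if __name__ == "__main__":
    for name, rights in demo():
        print("%-20s %s" % (name, rights))
```

Running it prints the same ACE twice, first resolved to `EXAMPLE\inge` and then, after the RID change, as `Account Unknown`; the rights are still granted, but to a SID that no longer belongs to any account.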