SID changes for a PDC when you change its name ...

Richard Sharpe rsharpe at
Mon Sep 23 02:47:00 GMT 2002


If you change the server name of a PDC, Samba generates a new machine SID 
because of an incorrect test in pdb_generate_sam_sid.

It tries to retrieve the domain sid associated with global_myname first, 
and of course, if you change your server name, this fails.

So, you then drop through, generate a new SID for your machine, and set to 
domain SID to that if you are a DC and so on.

This generates lots of pain, however, if you are a DC and you simply want 
to change the name of your DC.

What is neat, though, is that you can change your name back to what it 
wasn (netbios name), restart the machine, and all seems well, in that 
Windows clients that have joined the domain do not give you nasty messages 
about invalid SIDs. (the name of security ID of the domain specified is 
inconsistent with the trust information for that domain).

What I suggest is that the test should be reversed. pdb_generate_sam_sid 
should look up the domain sid for global_myworkgroup, and if the machine 
is a DC and the SID for global_myname is different or non-existent, it 
should be set to the correct thing.

Secondly, it would be nice if there was a command like 'net rpc 
setlocalsid S-1-5-21-x-y-z' that allowed you to set the SID in the secrets 
database when you need to.
Richard Sharpe, rsharpe at, rsharpe at, 
sharpe at

More information about the samba-technical mailing list