sambaSID in the sambaSamAccount a good idea?

Andrew Bartlett abartlet at samba.org
Tue Jun 24 23:55:51 GMT 2003


On Wed, 2003-06-25 at 06:21, Volker Lendecke wrote:
> Hi!
> 
> I just ran into the following problem, which in retrospect is an
> absolutely simple user error: I took an existing LDAP database with
> sambaSamAccount objects and set up a new server with it. This simply
> does not work as expected, at least I as a naive user had expected a
> different result.

Indeed.

> The new server had created a SID of its own, as it did not have a
> secrets.tdb. So all the LDAP accounts were foreign to him, and idmap
> happily allocated arbitrary uids to the LDAP users. So with this as a
> PDC I could not join a domain with 'root' as the account 'root' was
> mapped to uid 10000.
> 
> In this respect pdb_ldap and pdb_tdb behave differently, pdb_tdb only
> stores the RID.

This makes pdb_tdb behave weirdly when somebody copies the tdb to a
different server, without secrets.tdb.  

The correct solution (for which I'll produce a patch) is to assert that
the SID stored in secrets.tdb is always the SID stored in LDAP for the
domain, and update secrets.tdb if we need to.

> Ok, we definitely need to store the domain SID in LDAP. But I'm not sure
> I like the idea that we have the complete SID attached to the user. I
> think I would feel better with only the RID in it. We could make it
> relative to the OU and the domain object in that OU or whatever, but
> user objects with a complete SID? I'm not sure.

This simplifies searches - we can always search (for example a sid->name
lookup) without special cases for the RID/SID.

> This does not mean that the sambaSID attribute does not have a value in
> itself -- we will need it for a decent alias implementation.
> 
> Comments?

I think ensuring that the passdb is the 'place' that knows the Domain
SID is the correct solution.

This should allow an LDAP slave to be set up, and 'just work'.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
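The mismatch Volker describes (a server whose secrets.tdb SID differs from the domain part of the sambaSID values already in LDAP, so every account looks foreign and idmap hands out fresh uids) can be checked for before the server is brought up. The following is an added example, not code from the thread or from Samba: it splits full sambaSID values into domain SID and RID, reports which accounts would be treated as foreign for a given local domain SID, and applies the rule Andrew proposes (the SID recorded in LDAP for the domain wins over secrets.tdb). All SID values and account names are constructed.

```python
import re

# Constructed sample data (hypothetical values, not from the thread):
# the domain SID as recorded in the LDAP sambaDomain object, and a few
# sambaSamAccount entries as they might be read back from the directory.
LDAP_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

LDAP_ENTRIES = [
    {"uid": "root",   "sambaSID": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    {"uid": "volker", "sambaSID": "S-1-5-21-1111111111-2222222222-3333333333-1000"},
    # an entry copied in from a directory that belonged to a different domain
    {"uid": "alice",  "sambaSID": "S-1-5-21-4444444444-5555555555-6666666666-1002"},
]

# S-1-<authority>-<subauth>[-<subauth>...]; the last subauthority is the RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Return (domain_sid, rid) for a full account SID; ValueError if malformed."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def classify_accounts(entries, local_domain_sid):
    """Split entries into accounts whose SID prefix matches the local domain
    (these resolve by RID and keep their intended mapping) and foreign ones
    (these would fall through to idmap, which allocates arbitrary uids)."""
    local, foreign = [], []
    for entry in entries:
        domain, rid = split_sid(entry["sambaSID"])
        if domain == local_domain_sid:
            local.append((entry["uid"], rid))
        else:
            foreign.append((entry["uid"], entry["sambaSID"]))
    return local, foreign


def reconcile_domain_sid(secrets_sid, ldap_domain_sid):
    """The SID stored in LDAP for the domain is authoritative: return the
    value secrets.tdb should hold.  secrets_sid is None for a freshly
    installed server that has not generated secrets.tdb yet."""
    if secrets_sid is None or secrets_sid != ldap_domain_sid:
        return ldap_domain_sid
    return secrets_sid


if __name__ == "__main__":
    fresh_server_sid = "S-1-5-21-7777777777-8888888888-9999999999"
    print("foreign with fresh SID:", classify_accounts(LDAP_ENTRIES, fresh_server_sid)[1])
    print("foreign after reconcile:", classify_accounts(LDAP_ENTRIES, reconcile_domain_sid(fresh_server_sid, LDAP_DOMAIN_SID))[1])
```

Run against a freshly generated server SID every account is reported foreign, which is exactly the state that produced the uid 10000 mapping for root; after reconciling secrets.tdb to the LDAP domain SID only genuinely foreign entries remain.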