samba: group sid & user sid
rsharpe at richardsharpe.com
Wed Mar 19 22:28:22 GMT 2003
On Wed, 19 Mar 2003, David Gaston wrote:
> Mr. Sharpe,
That's Richard to most folks ...
> Our university computer science department systems groups has recently
> used samba-3.0alpha22 to aid in merging our unix & windows NT environments.
> Older accounts created before the merge grab the old sid when being logged
> into. We've downloaded your profiles program, and I had a question about
> it's usage.
> On the first page of http://www.richardsharpe.com/samba-stuff.html,
> you mention:
> "You might be able to do the following to fix the SIDs:
> profiles -c S-1-5-21-x-y-z-oldrid -n S-1-5-21-a-b-c-newrid /path/to/profile
> You will have to do that twice, once for the owner SID and once for the
> group SID. "
> Why is it necessary to change both of these?
Because if you don't, the group SID on the entries in the profile will all
have the wrong DOMAIN portion of their SID. However, this just might not
be an issue.
> With a user having an owner
> SID of 1-5-32-544, the correct syntax to change this would be:
> profiles -c S-1-5-32-544-x-y-z-oldrid -n S-1-5-32-544-a-b-c-newrid \
Hmmm, I am not familiar with that S-1-5-32-544. That seems like a
well-known SID. Ahhh, I see, S-1-5-32 is for the Built-in domain, and 544
looks like the Domain Admins built-in group RID (0x220).
So, in that case, you don't need to change that SID, I believe, and the
syntax above is wrong, also.
It would be:
profiles -c S-1-5-32-544 -n S-1-5-21-x-y-z-somerid
If you wanted to change the Domain Admins group to some specific person,
but I don't think you really want to do that.
If you list the ACLs on the entries in the profiles, you should seem more
SIDs that the one above. You should see SIDs like S-1-5-21-x-y-z-RID, and
those are the ones you want to change.
To find the RID of an existing user, try wbinfo, as it has flags that
allow you to translate a name into a SID.
I guess I will have to update my page to help people further.
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
More information about the samba-technical