samba: group sid & user sid

Richard Sharpe rsharpe at richardsharpe.com
Wed Mar 19 22:28:22 GMT 2003 

On Wed, 19 Mar 2003, David Gaston wrote:

> Mr. Sharpe,

That's Richard to most folks ...

> Our university computer science department systems groups has recently
> used samba-3.0alpha22 to aid in merging our unix & windows NT environments.
> Older accounts created before the merge grab the old sid when being logged
> into.  We've downloaded your profiles program, and I had a question about 
> it's usage.
> On the first page of http://www.richardsharpe.com/samba-stuff.html,
> you mention:
>  "You might be able to do the following to fix the SIDs:
>  profiles -c S-1-5-21-x-y-z-oldrid -n S-1-5-21-a-b-c-newrid /path/to/profile
>      
> 
> You will have to do that twice, once for the owner SID and once for the 
> group SID. "
> 
> Why is it necessary to change both of these?  

Because if you don't, the group SID on the entries in the profile will all 
have the wrong DOMAIN portion of their SID. However, this just might not 
be an issue.

> With a user having an owner
> SID of 1-5-32-544, the correct syntax to change this would be:
> 
> profiles -c S-1-5-32-544-x-y-z-oldrid -n S-1-5-32-544-a-b-c-newrid \
>     /path/to/profile

Hmmm, I am not familiar with that S-1-5-32-544. That seems like a 
well-known SID. Ahhh, I see, S-1-5-32 is for the Built-in domain, and 544 
looks like the Domain Admins built-in group RID (0x220).

So, in that case, you don't need to change that SID, I believe, and the 
syntax above is wrong, also.

It would be:

  profiles -c S-1-5-32-544 -n S-1-5-21-x-y-z-somerid

If you wanted to change the Domain Admins group to some specific person, 
but I don't think you really want to do that.

If you list the ACLs on the entries in the profiles, you should seem more 
SIDs that the one above. You should see SIDs like S-1-5-21-x-y-z-RID, and 
those are the ones you want to change. 

To find the RID of an existing user, try wbinfo, as it has flags that 
allow you to translate a name into a SID.

I guess I will have to update my page to help people further.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com

More information about the samba-technical mailing list