[Samba] Re: Samba PDC migration

Andrew Bartlett abartlet at samba.org
Sun Jul 21 03:17:02 GMT 2002

Tim Allen wrote:
> Andrew
> > Samba does not send back 'null' strings easily - if the passdb comes up
> > with 'null' it uses the default.  Perhaps by setting 'logon path' etc to
> > "" it might help.  Or it might not.
> OK, tried this but unfortunately it does not fix the problem.
> The user who is logging in has a UID of 1002
> Looking at the logs, Samba authenticates the user OK, but then we see that
> his RID is set to 3004, not 1002. From then on, it's a new user. I assume
> this new RID is coming from the NT4 workstation? The question is, what's
> making it do this? What sort of negotiation takes place between Samba and
> the workstation at this point?.

OK.  You have a fundemental misunderstanding of how samba creates RIDs
for users.

Samba must create a globaly unqiue identifier for every user and group
it represents to NT.  This is called a SID, and starts with the 'domain
sid'.  This belongs to the domain, and is generated at startup.

Each user and group also needs a SID, and this is made up of both a RID
'Relitive Identifier' and the Doamin SID.  

Domain SID: S-1-5-21-4117985702-3860941512-23890400

User RID: 1081

User SID: S-1-5-21-4117985702-3860941512-23890400-1081

So, how to get a unique RID.  The 'correct' solution is to store it
along with other details on the user, like their password.  Unfortunelty
we don't do that in 2.2, only in HEAD.  For Samba 2.2, we simply get
their RID by this formula:

(UID is unix UID)

RID = (UID*2)+1000

Groups are 

RID = (UID*2) + 1001

So, if you want to migrate NT domains, your only option is to migrate
the domain sid (see posts on this list, probably easiest to either suck
it to secrets.tdb with 2.2's smbpasswd, or put it in MACHINE.SID in your
secrets/ dir, and delete secrets.tdb) then import all the users into

LDAP has the 'RID' attribute, and this can be set to any value.   Samba
HEAD will honer that value, but you should look into the 'alogrithmic
rid base' to bump the '1000' value up to '10000' to ensure that users
not in ldap don't create conflicting rids.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba mailing list