[Samba] Re: Domain SID for BDC

Gerald Carter jerry at samba.org
Thu Jun 6 15:01:01 GMT 2002

On Thu, 6 Jun 2002 Volker.Lendecke at SerNet.DE wrote:

> One thing that struck me today is the fact that if you copy the
> secrets.tdb to another machine, smbd will generate a new SID for the
> machine and hand this out on lsaquery. The only way to create a working
> BDC with 2.2.5 is to manually generate a MACHINE.SID from the PDC with
> rpcclient/lsaquery, copy this over to the BDC with no secrets.tdb and
> then start smbd on the BDC. It will then suck the MACHINE.SID into a
> secrets.tdb and delete MACHINE.SID. This should at least be documented

I just added a -S switch to smbpasswd in SAMBA_2_2 to suck the sid
from a DC.  My tests show up ok.  Can you test this?  I'll update 
the man page shortly.

	smbpasswd -S [-r machine]

It's a little awkward in that it grabs the domain from smb.conf
in case it needs to look up a pdc.  However, if the -r option is used,
it will grab the sid from that machine regardless of the domain.
I'll try to clean this up some.

Please test and let me know.

Note that you can also do this to suck the SID from a Windows 
NT PDC for migration purposes. :-)

> if not fixed. It's also a bit annoying that you have to manually add the
> LDAP admin password on each BDC after the secrets.tdb is created. Ok,
> you should have a separate admin password for each LDAP replica, but how
> practical is that? ;-)

I think this is ok.  With the new smbpasswd option, you should be able 
to simply copy the secrets.tdb file and set the domain sid in it.
The ldap admin pw should remain ok as long as you don't change the 
ldap admin dn.

cheers, jerry
 Hewlett-Packard                                     http://www.hp.com
 SAMBA Team                                       http://www.samba.org
 --                                            http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.      ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--
