[Samba] Recover from inadvertent change to domain SID

Jean Lofts jean.lofts at eng.ox.ac.uk
Fri Apr 8 20:58:20 GMT 2005

I have run Samba 2.2.2 without problems for three years.
The server acts as the domain controller for a domain of
thirty XP/2000 computers. Two weeks ago the domain
SID was accidentally changed. I can confirm this by
looking at backups of /etc/MACHINE.SID. I am not sure
how the SID changed but I _think_ that it may have occurred
during testing for an upgrade to Samba 3 :(

I now find that _some_ users can no longer log on to _some_
machines. The majority of users always log on to 'their own'
computer and have not reported problems. Problems seem
to occur when a user attempts to log on to a machine that they
would not regularly use.

User profiles are stored locally (i.e. they are not roaming).
If I examine the user profiles on an XP client,
(System Properties, Advanced, User Profiles)
I typically find that some profiles are recognized by the domain
whilst others appear as 'Account Unknown'. The 'unknown'
accounts are unable to log in. If a user has _never_ logged
on to a particular machine before (and therefore has no
profile) they are also unable to log in.

However, if I examine the user SIDs in the registry
(HKLM/SOFTWARE/Microsoft/Windows NT/ProfileList)
all the user SIDs begin with the original domain SID, not
with the new domain SID which has been in place for two

Question: How are _any_ users able to log in when their
user SID is different from the domain SID?

Question: A user can log in to one machine but not another
even though the user SID in the registry is identical on
both machines. Does this mean that the machine SID is also
a factor?

Question: What is the best course of action to take now?
Can I simply replace the original domain SID in MACHINE.SID?
Will the current 'incorrect' domain SID have propagated elsewhere?

If I leave the current domain SID in place, I believe that
I can recover by simply removing a machine from the domain
and rejoining. I have tried this on one machine and it seems to
work. But of course, the system then creates a new profile
when a user logs on and I am keen to avoid this.

Many thanks

Jean Lofts
