[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

Christoph Peus cp at peus.net
Sun Nov 13 10:27:02 GMT 2005


Thomas Bork wrote:

>> after "net rpc vampire" migration:
>> uidNumber: 22693
>> sambaSID: S-1-5-21-1139895982-289624505-398547282-4370
> 
> 
>> after the maschine rejoined the domain:
>> uidNumber: 22694
>> sambaSID: S-1-5-21-1139895982-289624505-398547282-46388
> 
> 
> Hi Christoph, nice to read you :)

Hi Tom,  :-)

thanks for your quick answer.

> What shows
> testparm -sv 2>/dev/null | grep 'algorithmic rid'
> ?
> 
> Think it will look like 'algorithmic rid base = 1000'
> because 22694 * 2 + 1000 = 46388

Indeed - it's 1000.


> You have to find the point in the migration process, where the new 
> sambaSID is calculated. Your migrated sambaSID is not correct.

Hmmm... if I understood the "net rpc vampire" migration magic right, the 
SID is not calculated using the algorithm you explained above but fetched 
from the NT server. (Otherwise it wouldn't be possible to have some SIDs 
with uneven RIDs like "....-1933" after the migration.)
What *is* "calculated" during the migration is the uidNumber, and therefore 
this may differ from the original one, but does samba really use the 
algorithimic relationship between the uidNumber and the SID/RID as a kind 
of authentication base for the maschine?

I changed the RID to "2 x uidNumber + 1000", but this didn't solve the problem.
I guess that there's something wrong with the password related attributes 
of the maschine account. Do you know where I can find a documentation for 
the DC/client trust mechanism?

Christoph



More information about the samba mailing list