[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

Thomas Bork tombork at web.de
Sun Nov 13 15:25:33 GMT 2005

Christoph Peus wrote:

>> You have to find the point in the migration process, where the new 
>> sambaSID is calculated. Your migrated sambaSID is not correct.
> Hmmm... if I understood the "net rpc vampire" migration magic right, the 
> SID is not calculated using the algorithm you explained above but 
> fetched from the NT server. (Otherwise it wouldn't be possible to have 
> some SIDs with uneven RIDs like "....-1933" after the migration.)

If I think about this:

If the complete SID (SID + RID) is recalculated during the migration 
process, it will be impossible to load a roaming profile, because the 
recalculated SID is not the same as in the profile (if the RID is 
included in the authentification process).
Maybe the algorithmic calculating will only be used for new created 
accounts (users/machines). If this is the case, I wrote a lot of shit ;)

> What *is* "calculated" during the migration is the uidNumber, and 
> therefore this may differ from the original one, but does samba really 
> use the algorithimic relationship between the uidNumber and the SID/RID 
> as a kind of authentication base for the maschine?
> I changed the RID to "2 x uidNumber + 1000", but this didn't solve the 
> problem.
> I guess that there's something wrong with the password related 
> attributes of the maschine account. Do you know where I can find a 
> documentation for the DC/client trust mechanism?

Sorry, I searched the Samba3-HOWTO but have not found something about, only


Maybe this is usefull:


Think only the SID/RID and the sambaNTPassword/sambaLMPassword are used 
for authentification.
Have you tried to set the "sambaPwdCanChange" and "sambaPwdMustChange" 
attributes with pdbedit?

der tom

More information about the samba mailing list