[Samba] Problem with Domain SID

Marcus Haarmann marcus.haarmann at midoco.de
Thu Aug 17 06:48:48 GMT 2006


Hi all,
 
We have a small network with WinXP Prof SP2 machines and a Linux (Debian)
PDC using Samba 3.0.22.
We encountered the following situation:
One user was not able to log into the domain any more some days ago. Using
logging on samba side, I found out that samba correctly authenticates the
machine and the workstation. Though, XP did not log in, giving a message
that the password might not match.
After that had happened, we found out that the user was not able to log in on any
machine in our network! Also other users we tried were only able to log in
at their own machine (probably because the password and other information is
cached there).
Putting on some logs in Win XP, we found out that the error produced was
related to a well-known problem: 
the PDC SID was changed and the entrustment between the Windows machines and
the PDC is broken.
The only solution presented in the FAQ is to remove the machine from the
domain and reassign it. This means a complete loss of profile data for the
user.
 
The problem is: the whole samba environment was not changed at all. So why
did the SID change? I cannot say when the SID changed so there might be no
available backup of the secrets files any more.
And: is there a way to retrieve the old SID of the PDC from the registry of
any client machine (all the other machines are still unchanged and the users
can log into the domain on their machines). 
Then we could set it to the old value and all the other machines would be
trusted without a rejoin for the domain and loss of profile data.
 
Any hints on that?
 
Thanks in advance,
 
Marcus
 
 
 

