[Samba] Problem with Domain SID

simo idra at samba.org
Thu Aug 17 12:24:16 GMT 2006


On Thu, 2006-08-17 at 08:48 +0200, Marcus Haarmann wrote:
> Hi all,
>  
> We have a small network with WinXP Prof SP2 machines and a Linux (Debian)
> PDC using Samba 3.0.22.
> We encountered the following situation:
> One user was not able to log into the domain any more some days ago. Using
> logging on samba side, I found out that samba correctly authenticates the
> machine and the workstation. Though, XP did not log in, giving a message
> that the password might not match.
> After that had happened, we found out that the user was not able on any
> machine in our network! Also other users we tried were only able to log in
> at their own machine (probably because the password and other information is
> cached there).
> Putting on some logs in Win XP, we found out that the error produced was
> related to a well-known problem: 
> the PDC SID was changed and the entrustment between the Windows machines and
> the PDC is broken.
> The only solution presented in the FAQ is to remove the machine from the
> domain and reassign it. This means a complete loss of profile data for the
> user.
>  
> The problem is: the whole samba environment was not changed at all. So why
> did the SID change? I cannot say when the SID changed so there might be no
> available backup of the secrets files any more.

The SID may change if you change the machine name.
If you have not specified the 'netbios name' in smb.conf it is derived
from the machine hostname.
I always advise to fix the netbios name in smb.conf for PDCs exactly to
avoid a SID change in case of change of the hostname.

> And: is there a way to retrieve the old SID of the PDC from the registry of
> any client machine (all the other machines are still unchanged and the users
> can log into the domain on their machines).

Any file of users contains the Domain SID portion, so you should be able to
see the SID in the security tab; if the domain did not exist you
shouldn't be able to resolve SIDs to names either.

> Then we could set it to the old value and all the other machines would be
> trusted without a rejoin for the domain and loss of profile data.

Look at the net utility for how to set a SID.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
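An added example, not part of this thread or of Samba itself: a POSIX shell check for the two points raised above, that a PDC pins its NetBIOS name in smb.conf and that the domain SID still matches a copy recorded when the domain was set up. The smb.conf fragment is constructed, the SIDs are placeholders, and /root/pdc-sid.txt is an assumed path.

```shell
# Added example (not the thread's or Samba's code). Assumptions: the
# smb.conf text is constructed, /root/pdc-sid.txt is a hypothetical
# location for a recorded SID, and 'net getlocalsid' is Samba 3's command.

# Print the 'netbios name' set in the [global] section of an smb.conf, or
# nothing if unset (Samba then derives it from the hostname, so a hostname
# change renames the domain and changes its SID).
netbios_name_from_conf() {
    awk '
        /^[ \t]*[;#]/ { next }                           # comment line
        /^[ \t]*\[/ {                                    # section header
            sec = tolower($0)
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == "global" && tolower($0) ~ /^[ \t]*netbios[ \t]*name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# True if the string looks like a domain SID (S-1-5-21-<a>-<b>-<c>).
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}$'
}

# Compare a recorded SID with the current one; prints "ok" or "changed".
sid_status() {
    if [ "$1" = "$2" ]; then
        echo ok
    else
        echo "changed: recorded=$1 current=$2"
        return 1
    fi
}

# Constructed smb.conf fragment with the netbios name pinned in [global].
SAMPLE_CONF=$(mktemp)
printf '%s\n' '[global]' '   workgroup = EXAMPLE' \
    '   ; pin the name so a hostname change cannot rename the domain' \
    '   netbios name = PDC01' '   domain logons = yes' \
    '[homes]' '   netbios name = NOTGLOBAL' > "$SAMPLE_CONF"

# Live check only when Samba's net utility and a recorded SID exist.
# 'net getlocalsid' prints "SID for domain NAME is: S-1-5-21-..."; on a
# mismatch, restoring with 'net setlocalsid <recorded SID>' avoids rejoins.
if command -v net >/dev/null 2>&1 && [ -r /root/pdc-sid.txt ]; then
    sid_status "$(cat /root/pdc-sid.txt)" "$(net getlocalsid | sed 's/.*: //')"
fi
```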