[Samba] Problem with Domain SID

Michael Gasch gasch at eva.mpg.de
Fri Aug 18 12:50:00 GMT 2006

Hello Simo,

what is the intention of net setdomainsid?
why would I set a domain SID on a member?


simo wrote:
> On Thu, 2006-08-17 at 14:20 +0200, Marcus Haarmann wrote:
>> Hi Andre,
>> The machine was off-network for two days only. 
>> The problem is not machine based, but server based. The server SID has
>> definitely changed since the user was created (and the machine joined the
>> domain).
>> I found out in the meantime that the user's SID contains the domain SID (this
>> can be retrieved in registry under HKEY_USERS, strip the last two bytes and
>> you have the domain SID), where it was created with. Unfortunately, there is
>> no simple way of setting it in samba (like net setsid ... for domain SID, only
>> the PDC sid can be set). I have done this using a hex editor, patching
>> secrets.tdb (SID of PDC and Domain, these are identical, at our site). 
>> So, the problem is half-way solved.
> The 'net' command provides the setlocalsid and setdomainsid functions
> for setting the SIDs, there is no need to use hex editors. (setdomainsid
> may be available on 3.0.23 only)
>> The server now has the old sid again, which was presumably changed more than
>> half a year ago (modification time of secrets.tdb was December 2005). I
> I remember there is some kernel bug on some versions of the kernel, that
> do not update the mtime when the file is mmapped, it may have changed
> just recently (and is probably so, as you would have had problems much
> earlier otherwise).
>> cannot say why the entrustment from this special machine has been broken,
>> but now I am able to log on to the domain as any user on all machines again.
>> (which have joined the domain before the SID change).
>> The only thing is that we added one machine after the modification of the
>> Domain-SID, we have to see how this machine behaves. I am now trying to
>> reactivate the old profile of the user who was not able to log in.
>> For the machine which joined the domain after the SID change, we might have
>> to rejoin the machine to the domain, unless anybody can tell me how this
>> trust can be reassigned without a profile change ...
> you can use the 'profiles' tool to change all the SIDs in the user
> profile file (NTUSER.DAT)
> Simo.

Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399
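
The thread turns on two facts: a user's SID is the issuing domain's SID with one extra sub-authority (the RID) appended, and a server whose domain SID has changed will no longer recognise SIDs issued under the old one until `net setlocalsid` / `net setdomainsid` puts the old SID back. The following Python is an added example, not code from the thread or from Samba, that makes that check mechanical: it parses SIDs in the textual form seen under HKEY_USERS, derives the issuing domain SID by dropping the RID, and compares it with the SID the server currently holds. It also handles the binary encoding used in secrets.tdb and the registry (revision byte, sub-authority count byte, 6-byte identifier authority, then each sub-authority as a 32-bit little-endian value), in which the RID occupies the final four bytes. All SID values below are constructed for the example and are not from the thread.

```python
import struct

# Constructed sample values for this example (not taken from the thread).
OLD_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
NEW_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
USER_SID = OLD_DOMAIN_SID + "-1112"   # RID 1112, issued while the old domain SID was in use


def parse_sid(text):
    """Split 'S-<rev>-<authority>-<sub>-...-<RID>' into (revision, authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def format_sid(revision, authority, subs):
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def rid_of(user_sid):
    """The relative identifier is the final sub-authority."""
    return parse_sid(user_sid)[2][-1]


def domain_sid_of(user_sid):
    """Drop the RID to recover the SID of the domain that issued this user SID."""
    rev, auth, subs = parse_sid(user_sid)
    if len(subs) < 2:
        raise ValueError("SID has no RID component: %r" % user_sid)
    return format_sid(rev, auth, subs[:-1])


def sid_to_bytes(text):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority
    as a 32-bit little-endian integer. The RID is therefore the last 4 bytes."""
    rev, auth, subs = parse_sid(text)
    return (struct.pack("<BB", rev, len(subs))
            + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(blob):
    rev, count = struct.unpack_from("<BB", blob, 0)
    auth = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, blob, 8))
    return format_sid(rev, auth, subs)


def domain_sid_from_bytes(blob):
    """Same operation on the binary form: decrement the count and drop the 4-byte RID."""
    rev, count = struct.unpack_from("<BB", blob, 0)
    if count < 2:
        raise ValueError("binary SID has no RID component")
    return bytes([rev, count - 1]) + blob[2:-4]


def check_user_against_domain(user_sid, current_domain_sid):
    """Return (ok, issuing_domain_sid). ok is False when the user's SID was issued
    under a different domain SID than the one the server holds now, which is the
    situation the thread describes: profiles and trusts stop resolving."""
    issuing = domain_sid_of(user_sid)
    return issuing == current_domain_sid, issuing


if __name__ == "__main__":
    ok, issuing = check_user_against_domain(USER_SID, NEW_DOMAIN_SID)
    print("user %s (RID %d) issued under %s; server holds %s -> %s"
          % (USER_SID, rid_of(USER_SID), issuing, NEW_DOMAIN_SID,
             "OK" if ok else "MISMATCH, restore the old SID with net setlocalsid/setdomainsid"))
    blob = sid_to_bytes(USER_SID)
    print("binary SID is %d bytes; last 4 bytes (RID, little-endian): %s" % (len(blob), blob[-4:].hex()))
    print("domain SID from binary form:", sid_from_bytes(domain_sid_from_bytes(blob)))
```

Run it against the SID strings taken from HKEY_USERS on an affected workstation and `net getlocalsid` / `net getdomainsid` on the server; a MISMATCH for users created before the change is the signature of the problem in the thread, and the SID printed as "issued under" is the value to put back with `net setlocalsid` and `net setdomainsid`.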
