[Samba] Problem with Domain SID

Marcus Haarmann marcus.haarmann at midoco.de
Fri Aug 18 13:38:30 GMT 2006

Hi, I could have used this because my original SID was not available any
more (so I could not take it from an existing PDC/BDC). Unfortunately I
couldn't because I am using 3.0.22 and the feature is new ...
So I had to patch the secrets.tdb with a hex editor.


-----Original Message-----
From: Michael Gasch [mailto:gasch at eva.mpg.de] 
Sent: Friday, August 18, 2006 2:50 PM
To: idra at samba.org
Cc: Marcus Haarmann; samba at lists.samba.org
Subject: Re: [Samba] Problem with Domain SID

hello simo,

what is the intention of net setdomainsid?
why would I set a domain sid on a member?


simo wrote:
> On Thu, 2006-08-17 at 14:20 +0200, Marcus Haarmann wrote:
>> Hi Andre,
>> The machine was off-network for two days only. 
>> The problem is not machine based, but server based. The server SID 
>> has definitely changed since the user was created (and the machine
>> joined the domain).
>> I found out in the meantime that the user's SID contains the domain
>> SID (this can be retrieved in registry under HKEY_USERS, strip the
>> last two bytes and you have the domain SID) which it was created
>> with. Unfortunately, there is no simple way of setting it in samba (like
>> net setsid ... for domain SID, only the PDC sid can be set). I have
>> done this using a hex editor, patching secrets.tdb (SID of PDC and
>> Domain, these are identical, at our site).
>> So, the problem is half-way solved.
> The 'net' command provides the setlocalsid and setdomainsid functions 
> for setting the SIDs, there is no need to use hex editors. 
> (setdomainsid may be available on 3.0.23 only)
>> The server now has the old SID again, which was presumably changed
>> more than half a year ago (modification time of secrets.tdb was 
>> December 2005). I
> I remember there is some kernel bug on some versions of the kernel
> that does not update the mtime when the file is mmapped; it may have
> changed just recently (and that is probably so, as you would have had
> problems much earlier otherwise).
>> cannot say why the entrustment from this special machine has been
>> broken, but now I am able to log on to the domain as any user on all
>> machines again.
>> (which have joined the domain before the SID change).
>> The only thing is that we added one machine after the modification of 
>> the Domain-SID, we have to see how this machine behaves. I am now 
>> trying to reactivate the old profile of the user who was not able to log
>> For the machine which joined the domain after the SID change, we 
>> might have to rejoin the machine to the domain, unless anybody can 
>> tell me how this trustment can be reassigned without a profile change ...
> you can use the 'profiles' tool to change all the SIDs in the user 
> profile file (NTUSER.DAT)
> Simo.

Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399
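
The thread turns on one fact: a domain account's SID is the domain SID followed by one extra sub-authority, the RID, so the domain SID can be recovered from any user SID and compared against what secrets.tdb holds before anything is patched. The helper below is an added example, not code from this thread or from Samba, and the SID values in it are constructed for the demonstration. It splits a textual SID into domain SID and RID, converts between the textual form and the binary form found in the registry and in secrets.tdb (one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then 4-byte little-endian sub-authorities), and shows the detail that matters when editing with a hex editor: the RID is the trailing 4 bytes, but the count byte must be decremented as well, so simply truncating the binary account SID does not yield a valid domain SID.

```python
import re
import struct

# Textual SID: S-<revision>-<identifier authority>-<sub-authority>-...
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(text):
    """Split 'S-1-5-21-a-b-c-rid' into (revision, identifier_authority, [sub-authorities])."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a textual SID: %r" % text)
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    # Limits imposed by the binary layout: one-byte revision (always 1),
    # 48-bit identifier authority, at most 15 four-byte sub-authorities.
    if (revision != 1 or authority >= 1 << 48 or len(subs) > 15
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError("SID field out of range: %r" % text)
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_sid(account_sid):
    """Return (domain_sid, rid): the RID is the last sub-authority,
    everything before it is the SID of the domain the account was created in."""
    revision, authority, subs = parse_sid(account_sid)
    if len(subs) < 2:
        raise ValueError("SID has no RID component: %r" % account_sid)
    return format_sid(revision, authority, subs[:-1]), subs[-1]


def is_nt_domain_sid(text):
    """True for an NT-style domain or machine SID: S-1-5-21-<three 32-bit sub-authorities>."""
    revision, authority, subs = parse_sid(text)
    return authority == 5 and len(subs) == 4 and subs[0] == 21


def sid_to_bytes(text):
    """Binary layout: revision(1) | sub-authority count(1) |
    identifier authority(6, big-endian) | sub-authorities(4 each, little-endian)."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf):
    """Inverse of sid_to_bytes; rejects a buffer whose count byte disagrees with its length."""
    if len(buf) < 8:
        raise ValueError("buffer too short for a SID header")
    revision, count = buf[0], buf[1]
    if len(buf) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not match %d bytes" % (count, len(buf)))
    authority = int.from_bytes(buf[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, buf[8:]))
    return format_sid(revision, authority, subs)


def domain_sid_bytes_from_account(buf):
    """Derive a binary domain SID from a binary account SID: drop the trailing
    4-byte RID and decrement the count byte. Truncating alone leaves a count
    that no longer matches the length, which sid_from_bytes would reject."""
    count = buf[1]
    if count < 2:
        raise ValueError("account SID has no RID to strip")
    return bytes([buf[0], count - 1]) + buf[2:-4]


def account_belongs_to_domain(account_sid, domain_sid):
    """The check to run before touching secrets.tdb: was this account created in this domain?"""
    return split_domain_sid(account_sid)[0] == domain_sid


# Constructed values for the demonstration, not the poster's real SIDs.
DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"
USER_SID = DOMAIN_SID + "-1005"

if __name__ == "__main__":
    print(split_domain_sid(USER_SID))
    print(sid_to_bytes(USER_SID).hex())
    print(sid_from_bytes(domain_sid_bytes_from_account(sid_to_bytes(USER_SID))))
```

In practice the account SID comes from a profile key name under HKEY_USERS or from `wbinfo -n` / `pdbedit`, and the server side from `net getlocalsid` or `net getdomainsid`; comparing the two with account_belongs_to_domain tells you whether a SID change is really what broke logons before any tdb editing is attempted.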
