[Samba] Domain SID does not match built in domain groups' SIDs...

Jason Shaw jason.shaw at amiwest.com
Thu Aug 31 16:15:08 GMT 2006


 >> It appears that the built in domain groups' SIDs do not match the
 >> domain's SID. I used the IDEALX scripts to create these accounts and I
 >> obviously thought everything was fine before proceeding to add users and
 >> groups.
 >
 > 	Did you change the SID inside the IDEALX scripts?

I bet I populated these groups before I changed the SID in the IDEALX 
scripts while testing things out and I never went back to correct it. I 
see that the SID is currently set correctly for them.

Thanks for pointing that out! Seeing that set correctly makes me a bit 
more comfortable using those scripts.


 >> Any suggestions on how I can correct this without wiping out the users
 >> and groups I've already added?
 >
 > 	Hmmm, you can remap it. :)

Would remapping them correct the SIDs? Can I just use an LDAP editor and 
manually change the SID to what it should be without screwing up other 
things? To my understanding, all the important Samba data is stored in 
LDAP. So I shouldn't have to worry about the contents of smbpasswd, 
secrets.tdb, or anything of that nature, right?

Given I can just edit the SIDs, I do know that I may have to restart the 
SMB daemon, rejoin some users to groups, correct the local 
administrators group on workstations, etc. I understand the cleanup; I 
don't want to ruin anything else that's not a simple text edit or 
command call.


Thank you,

Jason


Felipe Augusto van de Wiel wrote:
> 
> On 08/30/2006 04:16 PM, Jason Shaw wrote:
>> Hello,
>> I'm having a few problems, but I'm thinking this should be fixed first.
>> It may solve my other issues.
>>
>> It appears that the built in domain groups' SIDs do not match the
>> domain's SID. I used the IDEALX scripts to create these accounts and I
>> obviously thought everything was fine before proceeding to add users and
>> groups.
> 
> 	Did you change the SID inside the IDEALX scripts?
> 
> 
>> Any suggestions on how I can correct this without wiping out the users
>> and groups I've already added?
> 
> 	Hmmm, you can remap it. :)
> 
> 
>> Samba PDC 3.0.20b
>> OpenLDAP backend
>>
>> # net groupmap list
>> Domain Admins (S-1-5-21-220492119-3728255649-3324185874-512) -> Domain
>> Admins
>> Domain Users (S-1-5-21-220492119-3728255649-3324185874-513) -> Domain Users
>> Domain Guests (S-1-5-21-220492119-3728255649-3324185874-514) -> Domain
>> Guests
>> Domain Computers (S-1-5-21-220492119-3728255649-3324185874-515) ->
>> Domain Computers
>>
>> # net getlocalsid
>> SID for domain FS02 is: S-1-5-21-580359677-1468577533-2286006929
> 
>> Much appreciated!
>> Jason
> 
> 	Kind regards,
> 
> - --
> Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)

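A check for the mismatch reported in this thread, as an added example that is not part of the original messages: it parses `net groupmap list` and `net getlocalsid` output and lists the mapped domain groups whose SID prefix differs from the server's domain SID. The function names are hypothetical, and the last two sample mapping lines are constructed.

```python
import re

# One `net groupmap list` entry: "NT name (SID) -> Unix group".
GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+)$")
LOCALSID_RE = re.compile(r"SID for domain (\S+) is: (S-1-[\d-]+)")
# Output quoted in the thread (wrapped as mailed); the last two lines are constructed.
GROUPMAP = """\
Domain Admins (S-1-5-21-220492119-3728255649-3324185874-512) -> Domain
Admins
Domain Users (S-1-5-21-220492119-3728255649-3324185874-513) -> Domain Users
Domain Guests (S-1-5-21-220492119-3728255649-3324185874-514) -> Domain
Guests
Domain Computers (S-1-5-21-220492119-3728255649-3324185874-515) ->
Domain Computers
Staff (S-1-5-21-580359677-1468577533-2286006929-3001) -> staff
Administrators (S-1-5-32-544) -> root
"""
LOCALSID = "SID for domain FS02 is: S-1-5-21-580359677-1468577533-2286006929"

def parse_local_sid(text):
    """Return (domain, domain_sid) from `net getlocalsid` output."""
    m = LOCALSID_RE.search(text)
    if not m:
        raise ValueError("no domain SID in getlocalsid output")
    return m.group(1), m.group(2)

def parse_groupmap(text):
    """Return (nt_name, sid_prefix, rid, unix_group) for each mapping."""
    joined = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if "(S-1-" in line or not joined:
            joined.append(line)          # start of a new mapping
        else:
            joined[-1] += " " + line     # continuation of a wrapped line
    entries = []
    for m in filter(None, map(GROUPMAP_RE.match, joined)):
        prefix, rid = m.group("sid").rsplit("-", 1)
        entries.append((m.group("nt"), prefix, int(rid), m.group("unix")))
    return entries

def mismatched_groups(groupmap_text, localsid_text):
    """Domain groups (S-1-5-21-...) whose SID prefix is not the server's domain SID."""
    _, domain_sid = parse_local_sid(localsid_text)
    return [e for e in parse_groupmap(groupmap_text)
            if e[1].startswith("S-1-5-21-") and e[1] != domain_sid]

if __name__ == "__main__":
    for nt, prefix, rid, unix in mismatched_groups(GROUPMAP, LOCALSID):
        print(f"{nt}: RID {rid} is under {prefix}, not the domain SID")
```

Builtin SIDs such as `S-1-5-32-544` carry no domain prefix, so the check skips them instead of reporting them as mismatched.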
