[Samba] Domain SID does not match built in domain groups' SIDs...
Jason Shaw
jason.shaw at amiwest.com
Thu Aug 31 16:15:08 GMT 2006
>> It appears that the built in domain groups' SIDs do not match the
>> domain's SID. I used the IDEALX scripts to create these accounts and I
>> obviously thought everything was fine before proceeding to add users and
>> groups.
>
> Did you change the SID inside the IDEALX scripts?

I bet I populated these groups before I changed the SID in the IDEALX
scripts while testing things out and I never went back to correct it. I
see that the SID is currently set correctly for them.

Thanks for pointing that out! Seeing that set correctly makes me a bit
more comfortable using those scripts.

>> Any suggestions on how I can correct this without wiping out the users
>> and groups I've already added?
>
> Hmmm, you can remap it. :)

Would remapping them correct the SIDs? Can I just use an LDAP editor and
manually change the SID to what it should be without screwing up other
things? To my understanding, all the important Samba data is stored in
LDAP. So I shouldn't have to worry about the contents of smbpasswd,
secrets.tdb, or anything of that nature, right?

Given I can just edit the SIDs, I do know that I may have to restart the
SMB daemon, rejoin some users to groups, correct the local
administrators group on workstations, etc. I understand the clean up, I
don't want to ruin anything else that's not a simple text edit or
command call.

Thank you,
Jason

Felipe Augusto van de Wiel wrote:
> On 08/30/2006 04:16 PM, Jason Shaw wrote:
>> Hello,
>> I'm having a few problems, but I'm thinking this should be fixed first.
>> It may solve my other issues.
>>
>> It appears that the built in domain groups' SIDs do not match the
>> domain's SID. I used the IDEALX scripts to create these accounts and I
>> obviously thought everything was fine before proceeding to add users and
>> groups.
>
> Did you change the SID inside the IDEALX scripts?
>
>
>> Any suggestions on how I can correct this without wiping out the users
>> and groups I've already added?
>
> Hmmm, you can remap it. :)
>
>
>> Samba PDC 3.0.20b
>> OpenLDAP backend
>>
>> # net groupmap list
>> Domain Admins (S-1-5-21-220492119-3728255649-3324185874-512) -> Domain Admins
>> Domain Users (S-1-5-21-220492119-3728255649-3324185874-513) -> Domain Users
>> Domain Guests (S-1-5-21-220492119-3728255649-3324185874-514) -> Domain Guests
>> Domain Computers (S-1-5-21-220492119-3728255649-3324185874-515) -> Domain Computers
>>
>> # net getlocalsid
>> SID for domain FS02 is: S-1-5-21-580359677-1468577533-2286006929
>
>> Much appreciated!
>> Jason
>
> Kind regards,
>
> - --
> Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
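
A check for the mismatch shown in this thread, as an added example that is not part of the original messages or of Samba: it parses `net groupmap list` and `net getlocalsid` output and flags every mapping whose domain portion differs from the SID the server reports. The function names are assumptions of this example, the embedded sample is the output quoted above with the mail wrapping undone, and BUILTIN aliases under S-1-5-32 are treated as not relative to the domain SID.

```python
import re

# Constructed sample: the two command outputs quoted in this thread, unwrapped.
GROUPMAP_OUTPUT = """\
Domain Admins (S-1-5-21-220492119-3728255649-3324185874-512) -> Domain Admins
Domain Users (S-1-5-21-220492119-3728255649-3324185874-513) -> Domain Users
Domain Guests (S-1-5-21-220492119-3728255649-3324185874-514) -> Domain Guests
Domain Computers (S-1-5-21-220492119-3728255649-3324185874-515) -> Domain Computers
"""
GETLOCALSID_OUTPUT = "SID for domain FS02 is: S-1-5-21-580359677-1468577533-2286006929"

MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-\d+(?:-\d+)+)\) -> (?P<unix>.+)$")
LOCALSID_RE = re.compile(r"SID for domain (\S+) is: (S-1-5-21(?:-\d+){3})\b")
BUILTIN_PREFIX = "S-1-5-32"  # BUILTIN aliases are not relative to the domain SID


def parse_local_sid(text):
    """Return (domain_name, domain_sid) from `net getlocalsid` output."""
    m = LOCALSID_RE.search(text)
    if not m:
        raise ValueError("no domain SID found in getlocalsid output")
    return m.group(1), m.group(2)


def audit_groupmap(groupmap_text, localsid_text):
    """Return one (ntgroup, mapped_sid, status, expected_sid) tuple per mapping."""
    _, domain_sid = parse_local_sid(localsid_text)
    report = []
    for line in groupmap_text.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a mapping
        sid = m.group("sid")
        prefix, _, rid = sid.rpartition("-")
        if prefix == BUILTIN_PREFIX:
            status, expected = "builtin", sid
        elif prefix == domain_sid:
            status, expected = "ok", sid
        else:
            # Same RID, but under the SID the server currently reports.
            status, expected = "mismatch", f"{domain_sid}-{rid}"
        report.append((m.group("nt"), sid, status, expected))
    return report


if __name__ == "__main__":
    for nt, sid, status, expected in audit_groupmap(GROUPMAP_OUTPUT, GETLOCALSID_OUTPUT):
        print(f"{status:8} {nt}: {sid} (expected {expected})")
```

On a live server the two arguments would be the captured output of the two commands; the report only identifies which mappings need correcting and leaves the change itself to the administrator.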