[Samba] Re: Domain SID does not match built in domain groups SIDs...

Jason Shaw jason.shaw at amiwest.com
Fri Sep 1 17:07:30 GMT 2006

>>> Would remapping them correct the SIDs? Can I just use a LDAP editor and
>>> manually change the SID to what it should be without screwing up other
>>> things? To my understanding, all the important Samba data is stored in
>>> LDAP. So I shouldn't have to worry about the contents of smbpasswd,
>>> secrets.tdb, or anything of that nature, right?
>>> Given I can just edit the SIDs, I do know that I may have to restart the
>>> SMB daemon, rejoin some users to groups, correct the local
>>> administrators group on workstations, etc. I understand the clean up, I
>>> don't want to ruin anything else that's not a simple text edit or
>>> command call.
> There is a utility that allows you to change the domain's SID.  Search the
> archives and the documentation for "net setlocalsid"

I do not want to change the domain or the server SID. Doing so would
invalidate the users I have already entered. I just want to fix a couple of
groups that have bad SIDs.

Looking through the IDEALX scripts, it appears that I can just edit 
these SIDs with an LDAP editor; they appear to only modify the LDAP, no 
other Samba files (secrets.tdb, etc). But I'm not certain and do not 
want to proceed until I know I won't screw myself over by doing so.

Does anyone see anything wrong with this? Should I just delete these
groups and recreate them? Would that be a smarter way?

Thank you,

