[Samba] Re: Domain SID does not match built in domain groups SIDs...

Jamrock news_jamrock at yahoo.com
Sun Sep 3 04:31:38 GMT 2006

"Jason Shaw" <jason.shaw at amiwest.com> wrote in message
news:44F868D2.3030807 at amiwest.com...
> >>> Would remapping them correct the SIDs? Can I just use a LDAP editor
> >>> manually change the SID to what it should be without screwing up
> >>> things? To my understanding, all the important Samba data is stored
> >>> LDAP. So I shouldn't have to worry about the contents of smbpasswd,
> >>> secrets.tdb, or anything of that nature, right?
> >
> >>> Given I can just edit the SIDs, I do know that I may have to restart
> >>> SMB daemon, rejoin some users to groups, correct the local
> >>> administrators group on workstations, etc. I understand the clean up, I
> >>> don't want to ruin anything else that's not a simple text edit or
> >>> command call.
> >
> >
> > There is a utility that allows you to change the domain's SID.  Search
> > archives and the documentation for "net setlocalsid"
> I do not want to change the domain or the server SID. Doing so would
> invalidate the users I have already entered. I just want to fix a couple of
> groups that have bad SIDs.

It sounds as if you are saying that the users have the same SID as the
domain.  However, some groups have incorrect SIDs.

If you are keeping the POSIX and Windows user information in LDAP, you can
do the following:

Make a backup of the folder containing the LDAP data.

Use ldapsearch to export the contents of the LDAP directory to a file.  This
provides a second backup.

Use ldapsearch to dump the group information to a file.

Modify the SID information in the second (group) file and use ldapmodify to
bring the correct information back into the LDAP directory.

This is based on the assumption that the domain's SID is correct and the
users' SIDs are correct. Only the groups' SIDs are incorrect.
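
The group-SID correction described in this message, as an added example that is not part of the original post: it turns a group dump into an ldapmodify change file, keeping each group's RID and leaving BUILTIN (S-1-5-32-...) SIDs alone. It assumes Samba's LDAP schema (objectClass sambaGroupMapping, attribute sambaSID); the function names, base DN, bind DN and SIDs are constructed for illustration.

```shell
#!/bin/sh
# Export step (not run here; base DN is a placeholder):
#   ldapsearch -x -LLL -o ldif-wrap=no -b "ou=Groups,dc=example,dc=com" \
#     "(objectClass=sambaGroupMapping)" dn sambaSID > groups.ldif
# Apply step, after reviewing fix.ldif (bind DN is a placeholder):
#   ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f fix.ldif

# Usage: fix_group_sids DOMAIN_SID < groups.ldif > fix.ldif
# Emits one "replace: sambaSID" change per group whose domain part is wrong.
fix_group_sids() {
    case "$1" in
        S-1-5-21-*-*-*) ;;
        *) echo "domain SID must look like S-1-5-21-x-y-z" >&2; return 2 ;;
    esac
    awk -v dom="$1" '
        BEGIN { RS = ""; FS = "\n" }   # one LDIF entry per record, one line per field
        {
            dn = ""; sid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dn: /)       dn  = substr($i, 5)
                if ($i ~ /^sambaSID: /) sid = substr($i, 11)
            }
            if (dn == "" || sid == "") next      # base64 DNs (dn::) are skipped
            # Only domain-relative SIDs are candidates; BUILTIN aliases such as
            # S-1-5-32-544 belong to a different authority and stay untouched.
            if (sid !~ /^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$/) next
            rid = sid; sub(/.*-/, "", rid)       # keep the RID, swap the prefix
            fixed = dom "-" rid
            if (fixed == sid) next               # already correct
            printf "dn: %s\nchangetype: modify\nreplace: sambaSID\nsambaSID: %s\n\n", dn, fixed
        }'
}

# Constructed sample dump: one correct group, one wrong prefix, one BUILTIN.
sample_groups_ldif() {
    cat <<'EOF'
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-513

dn: cn=Administrators,ou=Groups,dc=example,dc=com
sambaSID: S-1-5-32-544
EOF
}
```

Running `sample_groups_ldif | fix_group_sids S-1-5-21-1111111111-2222222222-3333333333` produces a change only for Domain Users; an empty output file means no group needs editing.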
