[Samba] Re: SID

Dragan Krnic dkrnic at googlemail.com
Mon Aug 27 19:57:45 GMT 2007


> What I ended up doing was to use an LDAP browser
> and edit the domain accounts for each machine to
> have the same SID.

We're not using LDAP but we can manipulate the trivial
database file "secrets.tdb" to set the local SID to
any sensible SID.

Is it OK to set the local SID to the same value as
the domain SID?

In our network the PDC server has the same local SID
as the domain SID. All other member servers register
the same domain SID for the domain and a totally
different local SID for themselves in "secrets.tdb".

This works quite well, except that sometimes there
is an entry in samba logs that a domain-qualified
user SID with correct RID for an existing user with
the same UID=(RID-1000)/2 and same GIDs on all member
servers can't be mapped to his name, e.g.

  [2007/08/21 20:48:26, 0]
smbd/posix_acls.c:create_canon_ace_lists(1421)
create_canon_ace_lists: unable to map SID
S-1-5-21-3574958883-2392404172-2943802112-2590 to uid or gid.

whereby RID=2590 translates to UID=795, a well-known
user in our domain S-1-5-21-3574958883-2392404172-2943802112.

Is it OK to set the local SID to the same value as
the domain SID, as the quoted posting seems to imply?
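As an added illustration (not part of this post or of Samba's own code), a small script that pulls SIDs out of "unable to map SID ... to uid or gid" log lines and inverts the algorithmic RID mapping the post describes, UID = (RID - 1000) / 2, so an admin can tell whether an unmapped SID belongs to a foreign domain, is a well-known RID, or is a local user that should have resolved. It assumes Samba's algorithmic scheme with base 1000, where even RIDs are users and odd RIDs are groups; the sample log lines are constructed from the excerpt above.

```python
import re
from typing import Optional, Tuple
# Domain SID quoted in the post; any other prefix is treated as a foreign domain.
DOMAIN_SID = "S-1-5-21-3574958883-2392404172-2943802112"
# Samba's algorithmic RID base, as used in the post (UID = (RID - 1000) / 2).
ALGORITHMIC_RID_BASE = 1000
RID_MULTIPLIER = 2

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
LOG_RE = re.compile(r"unable to map SID (S-1-[\d-]+) to uid or gid")

def split_sid(sid: str) -> Tuple[str, int]:
    """Split a SID string into its domain prefix and the trailing RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)

def rid_to_posix_id(rid: int) -> Optional[Tuple[str, int]]:
    """Invert the algorithmic map: even RIDs are users, odd RIDs are groups
    (assumed Samba convention). RIDs below the base are well-known, not algorithmic."""
    if rid < ALGORITHMIC_RID_BASE:
        return None
    offset = rid - ALGORITHMIC_RID_BASE
    kind = "uid" if offset % RID_MULTIPLIER == 0 else "gid"
    return kind, offset // RID_MULTIPLIER

def explain_sid(sid: str, domain_sid: str = DOMAIN_SID) -> str:
    """Say why a SID from an 'unable to map' line should or should not resolve."""
    prefix, rid = split_sid(sid)
    if prefix != domain_sid:
        return f"{sid}: foreign domain {prefix}, outside the algorithmic map"
    mapped = rid_to_posix_id(rid)
    if mapped is None:
        return f"{sid}: well-known RID {rid}, needs a passdb/winbind lookup"
    kind, value = mapped
    return f"{sid}: RID {rid} -> {kind} {value}"

def unmapped_sids(log_text: str) -> list:
    """Collect every SID that smbd reported it could not map."""
    return LOG_RE.findall(log_text)

# Constructed sample: the post's excerpt plus one group RID and one foreign-domain SID.
SAMPLE_LOG = """\
[2007/08/21 20:48:26, 0] smbd/posix_acls.c:create_canon_ace_lists(1421)
create_canon_ace_lists: unable to map SID S-1-5-21-3574958883-2392404172-2943802112-2590 to uid or gid.
create_canon_ace_lists: unable to map SID S-1-5-21-3574958883-2392404172-2943802112-2591 to uid or gid.
create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-2590 to uid or gid.
"""
```

Running `for sid in unmapped_sids(SAMPLE_LOG): print(explain_sid(sid))` shows the post's RID 2590 resolving to uid 795, RID 2591 to gid 795, and the foreign-domain SID flagged as unmappable by this scheme.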

