[Samba] Re: SID
Edmundo Valle Neto
edmundo.valle at terra.com.br
Mon Aug 27 22:49:54 GMT 2007
Dragan Krnic escreveu:
>> What I ended up doing was to use an LDAP browser
>> and edit the domain accounts for ech machine to
>> have the same SID.
>>
>
> we're not using LDAP but we can manipulate the trivial
> data base file "secrets.tdb" to set the locl SID to
> any sensible SID.
>
> Is it OK to set the local SID to the same value as
> the domain SID?
>
> In our network the PDC server has the same local SID
> as the domain SID. All other member servers register
> the same domain SID for the domain and a totally
> different local SID for themselves in "secrets.tdb".
>
> This works quite well, except that sometimes there
> is an entry in samba logs that a domain-qualified
> user SID with correct RID for an existing user with
> the same UID=(RID-1000)/2 and same GIDs on all member
> servers can't be mapped to his name, e.g.
>
> [2007/08/21 20:48:26, 0]
> smbd/posix_acls.c:create_canon_ace_lists(1421)
> create_canon_ace_lists: unable to map SID
> S-1-5-21-3574958883-2392404172-2943802112-2590 to uid or gid.
>
> whereby RID=2590 translates to UID=795, a well-known
> user in our domain S-1-5-21-3574958883-2392404172-2943802112.
>
> Is it OK to set the local SID to the same value as
> the domain SID, as the quoted posting seems to imply?
>
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id365521
"... there is now a safe copy of the local machine SID. On a PDC/BDC
this is the domain SID also."
So, as the documentation says, yes, on a PDC/BDC the machine SID IS
equal to the domain SID.
Regards.
Edmundo Valle Neto
More information about the samba
mailing list