[Samba] Re: SID

John H Terpstra jht at samba.org
Mon Aug 27 23:16:35 GMT 2007


On Monday 27 August 2007 17:49, Edmundo Valle Neto wrote:
> Dragan Krnic escreveu:
> >> What I ended up doing was to use an LDAP browser
> >> and edit the domain accounts for each machine to
> >> have the same SID.
> >
> > we're not using LDAP but we can manipulate the trivial
> > data base file "secrets.tdb" to set the local SID to
> > any sensible SID.
> >
> > Is it OK to set the local SID to the same value as
> > the domain SID?
> >
> > In our network the PDC server has the same local SID
> > as the domain SID. All other member servers register
> > the same domain SID for the domain and a totally
> > different local SID for themselves in "secrets.tdb".
> >
> > This works quite well, except that sometimes there
> > is an entry in samba logs that a domain-qualified
> > user SID with correct RID for an existing user with
> > the same UID=(RID-1000)/2 and same GIDs on all member
> > servers can't be mapped to his name, e.g.
> >
> >   [2007/08/21 20:48:26, 0]
> > smbd/posix_acls.c:create_canon_ace_lists(1421)
> > create_canon_ace_lists: unable to map SID
> > S-1-5-21-3574958883-2392404172-2943802112-2590 to uid or gid.
> >
> > whereby RID=2590 translates to UID=795, a well-known
> > user in our domain S-1-5-21-3574958883-2392404172-2943802112.
> >
> > Is it OK to set the local SID to the same value as
> > the domain SID, as the quoted posting seems to imply?
>
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id365521
>
> "... there is now a safe copy of the local machine SID. On a PDC/BDC
> this is the domain SID also."
>
> So, as the documentation says, yes, on a PDC/BDC the machine SID IS
> equal to the domain SID.

The local SID is the machine SID.

Let it be ultimately clear - only a PDC and BDC may have the samba SID. On a 
PDC and BDC the Domain SID is the same as the machine SID.

A domain member server may NOT have the same SID as the domain SID. The machine 
SID should be unique. It is the domain membership account that makes possible 
its participation within the domain. In every respect a domain member server 
is just like a domain member workstation, except that it will usually have 
more disk storage capacity.

Additionally, there is usually no need for anyone to hand-craft a domain or 
server SID - Samba will autogenerate the SID.

When setting up a BDC it is necessary to synchronize the Domain SID from the 
PDC.  This is done by executing:

	net rpc getsid -S PDC

The next step is to join the domain (something that should be done for the 
PDC, the BDC, and on all domain members) by executing:

	net rpc join

I hope that answers the questions raised.

- John T.
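As an added example (not code from John's post or from the Samba project), a small POSIX shell script that encodes the SID rules stated above, the RID-to-UID mapping Dragan quoted (UID=(RID-1000)/2), and a parser for the "unable to map SID" log line. The `net getlocalsid` / `net getdomainsid` output format it parses is assumed to be "SID for domain NAME is: S-1-5-21-..."; the sample line inside the script is constructed.

```shell
#!/bin/sh
# Added example: sanity-check the SID rules from the thread.
#   PDC/BDC : local (machine) SID must equal the domain SID
#   member  : local (machine) SID must differ from the domain SID
# Sample "net" output line (constructed; assumed format of `net getlocalsid`):
#   SID for domain PDC1 is: S-1-5-21-1-2-3

# Print the last whitespace-separated field of a "SID for ... is: S-..." line.
sid_from_line() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# check_sid_policy ROLE LOCAL_SID DOMAIN_SID
# Prints "ok" and returns 0 when the rule for ROLE holds, otherwise a reason and 1.
check_sid_policy() {
    role=$1; local_sid=$2; domain_sid=$3
    case "$role" in
        pdc|bdc)
            if [ "$local_sid" = "$domain_sid" ]; then echo ok; return 0; fi
            echo "mismatch: $role local SID $local_sid != domain SID $domain_sid (sync with: net rpc getsid -S PDC)"
            return 1 ;;
        member)
            if [ "$local_sid" != "$domain_sid" ]; then echo ok; return 0; fi
            echo "error: member server local SID equals the domain SID; the machine SID must be unique"
            return 1 ;;
        *)
            echo "unknown role: $role"; return 2 ;;
    esac
}

# rid_to_uid RID: the mapping used in the thread, UID=(RID-1000)/2 (algorithmic rid base 1000).
rid_to_uid() {
    echo $(( ($1 - 1000) / 2 ))
}

# split_sid LOGLINE: from an "unable to map SID S-... to uid or gid" line,
# print "DOMAIN_SID RID" so the domain part can be compared against `net getdomainsid`.
split_sid() {
    sid=$(printf '%s\n' "$1" | sed -n 's/.*unable to map SID \(S-[0-9-]*\) to uid.*/\1/p')
    [ -n "$sid" ] || return 1
    rid=${sid##*-}
    dom=${sid%-*}
    echo "$dom $rid"
}
```

On a real host, feed it the SIDs taken from `net getlocalsid` and `net getdomainsid`, e.g. `check_sid_policy member "$(sid_from_line "$(net getlocalsid)")" "$(sid_from_line "$(net getdomainsid | tail -1)")"`.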

