[Samba] Re: Sharing Accounts between Servers and SIDs

Duncan Brannen dbb at st-andrews.ac.uk
Mon Jul 23 11:42:14 GMT 2007

When I did this, I did a getlocalsid on the samba server and used that as the
prefix for all user SIDs so the sambaSID became <Domain SID>-<old Rid>

I then did a setlocalsid on the other servers wanting to use the same 

As far as I could tell, the only thing samba tries to write is the 

If you write it in to the master manually, samba should stop trying to 
add it.

dn: sambaDomainName=<Samba Domain>, dc=example,dc=com
sambaDomainName: <Samba Domain>
sambaSID: <Samba Sid>
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextRid: 1104

I don't use the RidBase or NextRid as users and machines have these 
assigned outside of samba.

Hope this helps.


Peter Daum wrote:
> To answer my own question: No, it doesn't work like this!
> Samba complained about any SID I tried as being invalid.
> (Unfortunately, I couldn't find any hint about what constitutes
> a "valid" SID). Furthermore, it seems like when using the samba3
> ldap_sam backend, samba wants to write all kinds of stuff into
> the ldap directory (which does not work because the directory is
> replicated and samba only has access to a read-only copy. For many
> reasons, I also don't want samba to be able to write the LDAP
> directory).
> Is it possible at all to use the Samba3 ldapsam backend with this
> setup? (With Samba2 it worked without any problem, starting with
> Samba3 the focus of Samba shifted obviously mostly towards being as
> windows-like as possible; right now I am using Samba 3.0.23b).
> I am trying to keep out everything that only makes sense within a pure
> windows domain controller based network - all I want is a bunch of
> samba servers using a shared account database. The clients don't do
> domain logons but just connect to single servers, which should consider
> all users with a valid unix account as local users and authenticate based
> on the lm/nt password hashes stored in the ldap directory.
> Any help is appreciated,
> Regards,
>                  Peter Daum
> Peter Daum wrote:
>> I maintain a heterogeneous network with a shared LDAP account database.
>> The user accounts have globally unique user names, UIDs and RIDs.
>> Some, but not all accounts are valid on all machines, but there is no
>> need for samba to care about this, because there simply won't be a
>> unix account for invalid users. There are no MS servers involved, and
>> because every samba server has the same user account base and does its
>> own authentication, there is no need for winbind.
>> The samba servers currently still use the old samba2-compatible
>> ldapsam_compat passdb backend which I eventually want to migrate to the
>> current sambaSamAccount. While most attributes just changed their names,
>> which shouldn't make much of a difference, I am a little uncertain,
>> how to handle the new sambaSID attribute without breaking my setup:
>> Would it work to just put a dummy domain with SID "S-1-0-0" in the
>> directory and use this as a prefix for all the user SIDs?
>> Currently, every server has its own SID (which is created by Samba,
>> so far there was no reason to worry about this), but with the new
>> LDAP schema, I am afraid that Samba might not accept such an account
>> as a valid local account ...
>> Any recommendations?
>> Regards,
>>                    Peter Daum
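The SID handling Duncan describes (one domain SID from getlocalsid, pushed to every server with setlocalsid, and <Domain SID>-<old RID> as each account's sambaSID) is easy to get wrong by hand, and Peter's question about what makes a SID "valid" is really about structure. The script below is an added example, not code from the thread or from Samba: it parses textual SIDs, distinguishes a domain SID (S-1-5-21-a-b-c) from other well-formed SIDs such as the Null SID S-1-0-0 that Peter tried, builds the new sambaSID values from legacy RIDs, renders the sambaDomain entry from the reply as LDIF, and reports which servers still report a different local SID. The domain SID, account names and RIDs are constructed sample values.

```python
import re

# Constructed sample values (not taken from the mailing list thread): a domain
# SID in the form `net getlocalsid` prints, plus legacy accounts with their RIDs.
DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"
OLD_RIDS = {"alice": 1000, "bob": 1002, "server01$": 1104}

# Textual SID: "S-<revision>-<identifier authority>-<subauth>[-<subauth>...]".
SID_RE = re.compile(r"^S-(\d+)-(\d+)(?:-(\d+))+$")
MAX_SUBAUTHS = 15  # Windows allows at most 15 sub-authorities per SID


def parse_sid(sid):
    """Parse a textual SID into (revision, authority, [subauthorities]).

    Raises ValueError for anything that is not structurally valid: wrong
    prefix, revision other than 1, no sub-authority, too many sub-authorities,
    or a field outside its bit width (48-bit authority, 32-bit sub-authorities).
    """
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    _, rev, auth, *subs = sid.split("-")
    rev, auth, subs = int(rev), int(auth), [int(s) for s in subs]
    if rev != 1:
        raise ValueError(f"unsupported SID revision {rev} in {sid!r}")
    if auth >= 2**48:
        raise ValueError(f"identifier authority out of range in {sid!r}")
    if len(subs) > MAX_SUBAUTHS or any(s >= 2**32 for s in subs):
        raise ValueError(f"bad sub-authority list in {sid!r}")
    return rev, auth, subs


def is_domain_sid(sid):
    """True only for an NT domain SID of the form S-1-5-21-<a>-<b>-<c>.

    S-1-0-0 (the Null SID) and built-in SIDs such as S-1-5-32 parse fine as
    SIDs but are not domain SIDs, which is why they cannot prefix account SIDs.
    """
    try:
        _, auth, subs = parse_sid(sid)
    except ValueError:
        return False
    return auth == 5 and len(subs) == 4 and subs[0] == 21


def account_sid(domain_sid, rid):
    """Build <Domain SID>-<RID>, the sambaSID form used in Duncan's reply."""
    if not is_domain_sid(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    if not 0 <= rid < 2**32:
        raise ValueError(f"RID out of range: {rid}")
    return f"{domain_sid}-{rid}"


def split_account_sid(sid):
    """Inverse of account_sid: return (domain_sid, rid) for an account SID."""
    parse_sid(sid)  # structural check first
    domain_sid, _, rid = sid.rpartition("-")
    if not is_domain_sid(domain_sid):
        raise ValueError(f"not an account SID under a domain: {sid!r}")
    return domain_sid, int(rid)


def migrate_sids(domain_sid, old_rids):
    """Map each legacy account name to its new sambaSID value."""
    return {name: account_sid(domain_sid, rid) for name, rid in old_rids.items()}


def sambadomain_ldif(domain_name, domain_sid, base_dn, next_rid, rid_base=1000):
    """Render the sambaDomain entry shown in the reply as LDIF, so it can be
    loaded into the LDAP master once rather than written by Samba at runtime."""
    if not is_domain_sid(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return "\n".join([
        f"dn: sambaDomainName={domain_name},{base_dn}",
        f"sambaDomainName: {domain_name}",
        f"sambaSID: {domain_sid}",
        f"sambaAlgorithmicRidBase: {rid_base}",
        "objectClass: sambaDomain",
        f"sambaNextRid: {next_rid}",
    ]) + "\n"


def servers_needing_setlocalsid(local_sids, domain_sid):
    """Given {server: output of `net getlocalsid`}, return the servers whose
    local SID differs from the shared domain SID (i.e. still need setlocalsid)."""
    return sorted(s for s, sid in local_sids.items() if sid != domain_sid)


if __name__ == "__main__":
    for name, sid in migrate_sids(DOMAIN_SID, OLD_RIDS).items():
        print(f"{name}: sambaSID: {sid}")
    print(sambadomain_ldif("EXAMPLE", DOMAIN_SID, "dc=example,dc=com", 1104))
    # Constructed getlocalsid results: one server was never re-keyed.
    print("still need setlocalsid:",
          servers_needing_setlocalsid({"fs1": DOMAIN_SID, "fs2": "S-1-5-21-7-8-9"},
                                      DOMAIN_SID))
```

Feeding the LDIF to the master before pointing the servers at it is the manual write Duncan suggests; the `servers_needing_setlocalsid` check is worth running after the setlocalsid round, since any server left with its own SID will hand out account SIDs under a different prefix.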
