[Samba] Help cleaning up domain SID mess...

Bjørn Tore Sund bjorn.sund at it.uib.no
Sun Jul 29 13:34:33 GMT 2007 

I have four SLES 10 servers working as Samba servers on the same domain 
with an LDAP account backend.  Relevant smb.conf entries are:
[global]
        workgroup = UNIX
        realm = UNIX.UIB.NO
        server string = ukl-samba
        netbios name = ukl-samba
        security = user
        allow trusted domains = yes
        domain master = yes
        local master = yes
        encrypt passwords = yes


Only one of the servers is set as domain and local master, server string 
and netbios name obviously differ while workgroup and realm are set to 
the same.  When I first set them up (smbpasswd -w, etc.) they created 
seperate sambaDomain entries in the LDAP root, with separate SIDs.  the 
sambaDomain entries are named after each server.  The user SIDs we 
simply set to be based on the SID of the first server we set up.  It all 
worked, so I never questioned it.

Then just before the weekend I took the first server up to SLES 10 SP1, 
which brought Samba up from 3.0.21 to 3.0.24, and this server was 
effectively broken.  On startup, every single user (all 35.0000 of 
them...) would get a line in /var/log/messages:
ukl-samba smbd[16336]:   User <SNIP> with invalid SID <SNIP> in passdb

Nobody could get at the Samba shares until I edited the LDAP tree to 
switch the SIDs between this server and the server with the SID the user 
SIDs were based on.

Clearly, I need to clean something up before upgrading the next server 
to SLES 10 SP1, or things will be really, really broken.  Either a 
setting to switch of the SID validation, or Someting(tm) to clean up the 
LDAP tree.  The latter is probably better, but I have no idea where to 
start.  I was hoping someone here had an answer which saved me the 
trouble of setting up a full test domain with LDAP and Samba-servers...  
Can I just set the same SID on all four domains?  Or delete three of the 
four domains and rename the one with the correct SID to the _domain_ 
name in sted of the server name?

Thanks,

Bjørn

-- 
Bj¯rn Tore Sund       Phone: 555-84894   Email:   bjorn.sund at it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no 
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.

More information about the samba mailing list