[Samba] Help cleaning up domain SID mess...

Phil Burrow philburrow at blueyonder.co.uk
Mon Jul 30 01:07:54 GMT 2007

Bjørn Tore Sund wrote:
 > I have four SLES 10 servers working as Samba servers on the same domain
 > with an LDAP account backend.  Relevant smb.conf entries are:
 > [global]
 >        workgroup = UNIX
 >        realm = UNIX.UIB.NO
 >        server string = ukl-samba
 >        netbios name = ukl-samba
 >        security = user
 >        allow trusted domains = yes
 >        domain master = yes
 >        local master = yes
 >        encrypt passwords = yes
 > Only one of the servers is set as domain and local master, server string
 > and netbios name obviously differ while workgroup and realm are set to
 > the same.  When I first set them up (smbpasswd -w, etc.) they created
 > separate sambaDomain entries in the LDAP root, with separate SIDs.  The
 > sambaDomain entries are named after each server.  The user SIDs we
 > simply set to be based on the SID of the first server we set up.

 > effectively broken.  On startup, every single user (all 35.0000 of
 > them...) would get a line in /var/log/messages:
 > ukl-samba smbd[16336]:   User <SNIP> with invalid SID <SNIP> in passdb
 > Nobody could get at the Samba shares until I edited the LDAP tree to
 > switch the SIDs between this server and the server with the SID the user
 > SIDs were based on.
 > start.  I was hoping someone here had an answer which saved me the
 > trouble of setting up a full test domain with LDAP and Samba-servers...
 > Can I just set the same SID on all four domains?  Or delete three of the
 > four domains and rename the one with the correct SID to the _domain_
 > name instead of the server name?
 > Thanks,
 > Bjørn

Hi Bjørn,

From what you mention here it sounds like you have four 
sambaDomainName=UNIX entries (objectClass: sambaDomain) with different 
sambaSID attributes. Effectively 4 different domains, on 4 different 
servers all with the same name.

Users have a sambaSID entry in their LDAP record, and the first portion 
of this needs to be the same as the sambaSID for the *domain* they are 
logging on to. If it's not then it won't work.

In answer to your point at the end, yes you can do this and it is what 
you are "supposed" to do, as far as I know.

If you do "net getlocalsid" on each of your SLES machines, the SID that 
is returned should be the same for all of them if you want them all to 
be controllers on your domain. If it's not, pick the SID you want - i.e. 
the sambaSID all your users have in their LDAP records - then "net 
setlocalsid MYDOMAINSID" on the servers you wish to change to that SID. 
(NB: On a domain, "net getlocalsid" and "net getlocalsid MYDOMAIN" 
should return the same.)

Then go into your LDAP directory and delete all but one of the 
sambaDomainName=UNIX entries, and ensure the remaining one has sambaSID 

That is probably all you need to do.
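The check the reply describes (one domain SID, and every user's sambaSID carrying that SID as its prefix) can be scripted before touching the directory. The script below is an added example and is not part of the original thread or of Samba itself. It parses LDIF text; in real use that text would be the output of `ldapsearch -x -LLL -b "<your base DN>" '(|(objectClass=sambaDomain)(objectClass=sambaSamAccount))' uid sambaDomainName sambaSID`, and the SID to keep would be the one `net getlocalsid` prints on the server whose SID the user SIDs were based on. The embedded LDIF is constructed sample data; its base DN, SIDs and user names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): report how many distinct domain
# SIDs the LDAP tree holds and list every user whose sambaSID does not belong
# to the domain SID you intend to keep.  Constructed sample data below; the
# base DN, SIDs and uids are hypothetical.

SAMPLE_LDIF='dn: sambaDomainName=ukl-samba,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: ukl-samba
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=ukl-samba2,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: ukl-samba2
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-3002
'

# Strip the trailing RID ("-3000") from a user SID, leaving the domain SID.
sid_prefix() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Print the sambaSID of every sambaDomain entry in the LDIF given as $1.
# LDIF records are blank-line separated, so awk paragraph mode (RS="") reads
# one entry per record with each attribute line as a field.
domain_sids() {
    printf '%s\n' "$1" | awk 'BEGIN { RS = ""; FS = "\n" }
    {
        isdom = 0; sid = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "objectClass: sambaDomain") isdom = 1
            if ($i ~ /^sambaSID: /) sid = substr($i, 11)
        }
        if (isdom && sid != "") print sid
    }'
}

# Number of distinct domain SIDs.  Anything other than 1 means several
# servers each created their own sambaDomain entry, as in the thread.
count_domain_sids() {
    domain_sids "$1" | sort -u | wc -l | tr -d ' '
}

# Print "uid sambaSID" for every sambaSamAccount whose SID prefix is not the
# domain SID given as $2.  These are the users a server using a different
# domain SID will reject as having an invalid SID in passdb.
mismatched_users() {
    printf '%s\n' "$1" | awk -v want="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        isuser = 0; uid = ""; sid = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "objectClass: sambaSamAccount") isuser = 1
            if ($i ~ /^uid: /) uid = substr($i, 6)
            if ($i ~ /^sambaSID: /) sid = substr($i, 11)
        }
        if (!isuser || sid == "") next
        prefix = sid
        sub(/-[0-9]+$/, "", prefix)
        if (prefix != want) print uid, sid
    }'
}

# Demo run on the constructed data, keeping the first domain's SID
# (in practice: the SID your users' sambaSID values are based on).
KEEP_SID='S-1-5-21-1111111111-2222222222-3333333333'
echo "domain SIDs found in LDAP:"
domain_sids "$SAMPLE_LDIF"
echo "distinct domain SIDs: $(count_domain_sids "$SAMPLE_LDIF")"
echo "users whose SID does not belong to $KEEP_SID:"
mismatched_users "$SAMPLE_LDIF" "$KEEP_SID"
```

Once the list of mismatched users is empty for the SID you keep, that is the value to hand to `net setlocalsid` on the other servers and the value the single remaining sambaDomain entry should carry; users that still show up here would need their sambaSID rewritten rather than the domain entry.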



More information about the samba mailing list