[Samba] Help cleaning up domain SID mess...

Bjoern Tore Sund bjorn.sund at it.uib.no
Mon Jul 30 05:45:01 GMT 2007

Phil Burrow wrote:
> Bjørn Tore Sund wrote:
>  >
>  > I have four SLES 10 servers working as Samba servers on the same domain
>  > with an LDAP account backend.  Relevant smb.conf entries are:
>  > [global]
>  >        workgroup = UNIX
>  >        realm = UNIX.UIB.NO
>  >        server string = ukl-samba
>  >        netbios name = ukl-samba
>  >        security = user
>  >        allow trusted domains = yes
>  >        domain master = yes
>  >        local master = yes
>  >        encrypt passwords = yes
>  >
>  >
>  > Only one of the servers is set as domain and local master, server string
>  > and netbios name obviously differ while workgroup and realm are set to
>  > the same.  When I first set them up (smbpasswd -w, etc.) they created
>  > separate sambaDomain entries in the LDAP root, with separate SIDs.  The
>  > sambaDomain entries are named after each server.  The user SIDs we
>  > simply set to be based on the SID of the first server we set up.
>  > effectively broken.  On startup, every single user (all 35.0000 of
>  > them...) would get a line in /var/log/messages:
>  > ukl-samba smbd[16336]:   User <SNIP> with invalid SID <SNIP> in passdb
>  >
>  > Nobody could get at the Samba shares until I edited the LDAP tree to
>  > switch the SIDs between this server and the server with the SID the user
>  > SIDs were based on.
>  >
>  > start.  I was hoping someone here had an answer which saved me the
>  > trouble of setting up a full test domain with LDAP and Samba-servers...
>  > Can I just set the same SID on all four domains?  Or delete three of the
>  > four domains and rename the one with the correct SID to the _domain_
>  > name instead of the server name?
>  >
>  > Thanks,
>  >
>  > Bjørn
>  >
> Hi Bjørn,
>  From what you mention here it sounds like you have four 
> sambaDomainName=UNIX entries (objectClass: sambaDomain) with different 
> sambaSID attributes. Effectively 4 different domains, on 4 different 
> servers all with the same name.

Thanks, but no: my sambaDomainnames are named after the servers, not the 
domain.  So I have a sambaDomainname=ukl-samba for the server I quote 
from above, and similarly for the other three.  I gather this isn't what 
should have happened when the servers automatically registered 
themselves in the LDAP backend, but it did.

> Users have a sambaSID entry in their LDAP record, and the first portion 
> of this needs to be the same as the sambaSID for the *domain* they are 
> logging on to. If it's not then it wont work.

It did work with 3.0.21.  I found the fine new code snippet which means 
it won't work with 3.0.24, and I don't disagree with the principle as 
long as my mess can be sorted out despite of it. :)

> In answer to your point at the end, yes you can do this and it is what 
> you are "supposed" to do, as far as I know.

That was my assumption.  Now for gathering up courage...

> If you do "net getlocalsid" on each of your SLES machines, the SID that 
> is returned should be the same for all of them if you want them all to 
> be controllers on your domain. If it's not, pick the SID you want - i.e. 
> the sambaSID all your users have in their LDAP records - then "net 
> setlocalsid MYDOMAINSID" on the servers you wish to change to that SID. 
> (NB: On a domain, "net getlocalsid" and "net getlocalsid MYDOMAIN" 
> should return the same.)
> Then go into your LDAP directory and delete all but one of the 
> sambaDomainName=UNIX entries, and ensure the remaining one has sambaSID 
> That is probably all you need to do.

Thanks a lot.  The last remaining question is then what happens when I 
rename sambaDomainname=ukl-samba to sambaDomainname=unix and proceed 
from there?

Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund at it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
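Before doing the "net setlocalsid" and LDAP edits Phil describes, a practitioner would want to see, for each candidate domain SID, how many user records would still fail the 3.0.24 passdb SID check. The script below is an added example for this thread, not code from either poster or from the Samba project. It works offline on a constructed LDIF dump (the dc=example,dc=no suffix, server names, SIDs and users alice/bob are all made up) standing in for the output of an ldapsearch over the sambaDomain and sambaSamAccount entries; the "net" commands in the trailing comment are the ones named above and are not run here.

```shell
#!/bin/sh
# Constructed sample LDIF, not from the thread: two sambaDomain entries named
# after servers (as in the original mess) plus two users, one per domain SID.
SAMPLE_LDIF='dn: sambaDomainName=ukl-samba,dc=example,dc=no
objectClass: sambaDomain
sambaDomainName: ukl-samba
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=ukl-samba2,dc=example,dc=no
objectClass: sambaDomain
sambaDomainName: ukl-samba2
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=alice,ou=People,dc=example,dc=no
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000

dn: uid=bob,ou=People,dc=example,dc=no
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1002
'

# Walk the blank-line separated LDIF entries once, pulling out
# sambaDomainName, sambaSID and uid.  $1 selects the report, $2 is the
# domain SID to compare user SIDs against (only used by "mismatch").
ldif_each_entry() {
    printf '%s' "$SAMPLE_LDIF" | awk -v want="$1" -v domain="$2" '
    BEGIN { RS = ""; FS = "\n" }          # paragraph mode: one LDIF entry per record
    {
        name = ""; sid = ""; uid = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, ": "); if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 2)
            if (key == "sambaDomainName") name = val
            else if (key == "sambaSID")   sid = val
            else if (key == "uid")        uid = val
        }
        if (want == "domains" && name != "") print name, sid
        if (want == "mismatch" && uid != "") {
            prefix = sid; sub(/-[0-9]+$/, "", prefix)   # drop the trailing RID
            if (prefix != domain) print uid, sid         # user belongs to another SID
        }
    }'
}

# One line per sambaDomain entry: "<sambaDomainName> <sambaSID>".  More than
# one distinct SID here is the situation described in the thread.
ldif_domain_sids() { ldif_each_entry domains; }

# Users whose sambaSID is not "<domain SID>-<RID>" for the given domain SID,
# i.e. the accounts the thread reports smbd 3.0.24 rejecting with
# "invalid SID ... in passdb".  Prints "<uid> <sambaSID>" per user.
ldif_user_sid_mismatches() { ldif_each_entry mismatch "$1"; }

# Number of such users, as a plain integer (awk avoids wc's padded output).
count_user_sid_mismatches() { ldif_user_sid_mismatches "$1" | awk 'END { print NR }'; }

# Typical run, using the net commands named in the thread (executed on each
# server, not by this script):
#   net getlocalsid                                   # SID this server uses now
#   ldif_domain_sids                                  # SIDs present in LDAP
#   count_user_sid_mismatches S-1-5-21-1111111111-2222222222-3333333333
#   net setlocalsid S-1-5-21-1111111111-2222222222-3333333333   # where it differs
```

Pick the domain SID that gives a mismatch count of zero (or as close to it as possible) as the one to keep; every user the check still lists must have its sambaSID rewritten before the remaining sambaDomain entry is renamed to the domain name and the others are deleted, otherwise those users get the same "invalid SID in passdb" log line and lose access again on restart.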

