[Samba] Help cleaning up domain SID mess...

Bjoern Tore Sund bjorn.sund at it.uib.no
Mon Jul 30 11:26:30 GMT 2007

Phil Burrow wrote:
> Bjoern Tore Sund wrote:
>  >> If you do "net getlocalsid" on each of your SLES machines, the SID
>  >> that is returned should be the same for all of them if you want them
>  >> all to be controllers on your domain. If it's not, pick the SID you
>  >> want - i.e. the sambaSID all your users have in their LDAP records -
>  >> then "net setlocalsid MYDOMAINSID" on the servers you wish to change
>  >> to that SID. (NB: On a domain, "net getlocalsid" and "net getlocalsid
>  >> MYDOMAIN" should return the same.)

It seems clear that my Samba servers are rather opinionated about what a 
domain is and which one they are members of:
ukl-felles:~ # net getlocalsid
SID for domain UKL-FELLES is: S-1-5-21-1347351597-3932655379-226643757
ukl-felles:~ # net setlocalsid  S-1-5-21-556026149-4105021892-2038178009
ukl-felles:~ # net getlocalsid
SID for domain UKL-FELLES is: S-1-5-21-1347351597-3932655379-226643757

The sambasid entry in LDAP for sambadomainname=ukl-felles didn't change. 
This server also has, and always has had:
         workgroup = UNIX
         realm = UNIX.UIB.NO
         server string = ukl-felles
         netbios name = ukl-felles
         os level = 30
         security = user
         allow trusted domains = yes
         domain master = no
         local master = no
         encrypt passwords = yes

The problem is security=user, I assume; on the other hand, all docs I've 
looked at say this is the setting when running Samba with an LDAP 
backend, as opposed to an AD backend.  security=domain means the server 
stops responding to SMB connections.

>  >> Then go into your LDAP directory and delete all but one of the
>  >> sambaDomainName=UNIX entries, and ensure the remaining one has
>  >> sambaSID set to MYDOMAINSID.
>  >>
>  >> That is probably all you need to do.
>  >
>  > Thanks a lot.  The last remaining question is then what happens when I
>  > rename sambaDomainname=ukl-samba to sambaDomainname=unix and proceed
>  > from there?
> This is why you need to test it before doing it ;)

Yes, but ever so carefully, and based on as much of other people's pain 
as possible. :)

> If your intention is to consolidate your 4 domains into one, with a PDC 
> and some BDCs then provided the sambaSID in the user records is the same 
> as the domain SID then your setup - with your 4 servers each having the 
> same SID - should work correctly.

The problem becomes one of how to convince all the servers that they are 
not their own domain, they want to go with the common one as their 
domain name.

> You might need to re-add your client machines to the new domain. I dont 
> know if Windows could handle the domain name changing but having the 
> same SID.
> If you are using roaming profiles or things such as this you might 
> encounter Windows complaining if the SID changes, but if you use the 
> sambaSID you used already have then it shouldn't do.

No Windows here, this is the cifs disk server for 800 Linux clients. 
None of which are members of the domain in any meaningful way.  I just 
want all the servers to authenticate against the same LDAP server, the 
domain is irrelevant for functionality.  Hmmm.  Which means that I might 
just get away with setting the same SID on all four domains and leave it 
at that... ?

Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund at it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
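A consistency check for the procedure discussed in this thread, as an added example that is not part of the original post or of Samba itself: it takes the "net getlocalsid" output collected from each server and the sambaDomain entries exported from LDAP, reports servers whose SID differs from the intended domain SID, and reports whether more than one sambaDomainName entry remains. The inputs are constructed from the two SIDs quoted in the thread; the hostname SERVER-B and the base DN dc=example,dc=com are placeholders, not from the original.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Checks that every server's
# local SID matches the intended domain SID and that only one sambaDomainName
# entry remains in LDAP. Inputs are constructed below so this runs offline; on
# real servers they would be collected with something like
#   ssh HOST net getlocalsid
#   ldapsearch -x -LLL '(objectClass=sambaDomain)' sambaDomainName sambaSID

# Pull the S-1-5-21-... SID out of one "net getlocalsid" output line.
sid_from_net_output() {
    printf '%s\n' "$1" | sed -n 's/.*is: *\(S-1-5-21-[0-9-]*\).*/\1/p'
}

# Count sambaDomainName entries in an LDIF dump; the target is exactly one.
count_domain_entries() {
    printf '%s\n' "$1" | grep -c '^sambaDomainName:'
}

# List the sambaSID values found in an LDIF dump, one per line.
sids_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^sambaSID: *//p'
}

# check_sids EXPECTED_SID LINE... : print each server whose reported SID
# differs from EXPECTED_SID; return 0 when all agree, 1 otherwise.
check_sids() {
    expected=$1
    shift
    rc=0
    for line in "$@"; do
        sid=$(sid_from_net_output "$line")
        if [ "$sid" != "$expected" ]; then
            echo "MISMATCH: $line"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input. WANTED_SID is the SID the poster tried to set
# everywhere; ukl-felles kept reporting the other one. SERVER-B and the
# base DN dc=example,dc=com are placeholders.
WANTED_SID='S-1-5-21-556026149-4105021892-2038178009'
OUT_UKL_FELLES='SID for domain UKL-FELLES is: S-1-5-21-1347351597-3932655379-226643757'
OUT_SERVER_B='SID for domain SERVER-B is: S-1-5-21-556026149-4105021892-2038178009'
LDIF='dn: sambaDomainName=UNIX,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: UNIX
sambaSID: S-1-5-21-556026149-4105021892-2038178009

dn: sambaDomainName=ukl-felles,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: ukl-felles
sambaSID: S-1-5-21-1347351597-3932655379-226643757'

if check_sids "$WANTED_SID" "$OUT_UKL_FELLES" "$OUT_SERVER_B"; then
    echo "all servers report $WANTED_SID"
else
    echo "servers listed above do not report $WANTED_SID"
fi
n=$(count_domain_entries "$LDIF")
[ "$n" -eq 1 ] || echo "$n sambaDomainName entries in LDAP; only the one with sambaSID $WANTED_SID should remain"
```

Run it after every "net setlocalsid" or LDAP edit; the mismatch lines name exactly the servers that still disagree, which is the check the thread's advice assumes you have done by hand.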
