[Samba] samba problems. accounts expire after a hour, but work after reset

Edmundo Valle Neto edmundo.valle at terra.com.br
Tue Mar 6 23:24:21 GMT 2007

Collen Blijenberg wrote:
> Thx Felipe, after a week debugging, I found the problem!!
> There was a mix up with SIDs. I had 5 machines and username with the 
> same SID
> including the PDC.

Would be a nice thing if you discover why that happened. Samba generates 
the RID part of the SID algorithmically (1000 + (2 x uid) for user 
accounts, and 1001 + (2 x gid) for groups); if the uid is different in 
these accounts, the RID should be different too.

> But there is something funny where I need some help with:
> if I make a new user or machine account, Samba generates the SID 
> automatically.
> I saw that my server doesn't look at existing SIDs.

No, it doesn't, that's right. It's not needed; calculating RIDs that way 
will not make clashes.

> How can I let Samba make SIDs after a specified number ??
> My problem at the moment is that if I make a new user, Samba generates 
> an existing SID, and therefore
> trouble arises!

Well, normally it will not make clashes, unless you already have a base 
with SIDs calculated, who knows how.
You can change the "algorithmic rid base" option that defaults to 1000 
to another value, raising the values that will make RIDs. (If you have 
unmapped accounts, they will have their SIDs changed too, as the algorithm 
will be different; if I remember right, in Samba 3.0.23c there are some 
changes about that.)

In some distributions, you can raise the uid/gids range. That way would 
make higher RIDs be generated too. :)

> Example: current last SID in user database:  
> S-1-5-21-1968991162-2130249723-1959552931-5462
> If I make a new user Samba will use: 
> S-1-5-21-1968991162-2130249723-1959552931-5410    ????????????

You use a database server to store your Samba users, right? Well, I 
never used it, so I don't know exactly how it stores information. I also 
don't know how you created your accounts or how much you have 
messed with them. Normally uids are not reused in POSIX accounts, and 
Samba user/group accounts pick up even/odd RID numbers, not making that 
probably future clash as you are seeing. :)

> So basically it's all about the last 4 digits!
> Can I alter a .tdb file ??? (If so, which one??)

I can't say that you can't. There are some tools that dump/change/add/etc. 
contents of .tdb files; you can even dump them and grep to find where 
the information that you are looking for is, but keep in mind that you 
will probably mess up any reference to the SID being changed (be it 
ACLs, profiles, or whatever).

The last time that I blew up my base with repeated SIDs (it took me a 
while to discover why users were getting permissions that they 
shouldn't; it was the first time I used an LDAP base, importing the old 
base, and I changed the code that makes the SIDs in the scripts that 
create the accounts), I deleted all these accounts, raised the base RID, 
recreated them and changed permissions with shell scripts.

> All I'd like is Samba to start making SIDs after that -5462 number !!!
> Cheers, Collen....
> ...

I hope it helps.


Edmundo Valle Neto
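
The RID formula and the "algorithmic rid base" option discussed above can be turned into an audit of an existing account base. The following is an added example, not part of the original post or of Samba itself: it assumes a constructed `name:uid:SID` export of user accounts (hypothetical account names and uids), reports SIDs shared by several accounts, stored RIDs that a not-yet-created uid would be assigned later, and the first even base above every stored RID.

```python
from collections import defaultdict

DOMAIN = "S-1-5-21-1968991162-2130249723-1959552931"  # domain SID quoted in the thread

def user_rid(uid, base=1000):
    """RID derived for a user account: base + 2*uid (formula from the thread)."""
    return base + 2 * uid

def group_rid(gid, base=1000):
    """RID derived for a group: base + 1 + 2*gid (formula from the thread)."""
    return base + 1 + 2 * gid

# Constructed sample export, one user account per line: name:uid:SID
SAMPLE = f"""
alice:2205:{DOMAIN}-5410
bob:2300:{DOMAIN}-5600
carol:2250:{DOMAIN}-5462
ws01$:2260:{DOMAIN}-5410
"""

def parse(dump):
    """Parse 'name:uid:SID' lines into (name, uid, rid) tuples."""
    rows = []
    for line in dump.strip().splitlines():
        name, uid, sid = line.strip().split(":")
        rows.append((name, int(uid), int(sid.rsplit("-", 1)[1])))
    return rows

def audit(rows, base=1000):
    """Return (duplicate RIDs, future clashes, suggested rid base)."""
    by_rid = defaultdict(list)
    for name, _uid, rid in rows:
        by_rid[rid].append(name)
    dups = {rid: names for rid, names in by_rid.items() if len(names) > 1}
    used_uids = {uid for _n, uid, _r in rows}
    clashes = {}
    for name, uid, rid in rows:
        # A stored RID that is not the algorithmic one for its own uid is the
        # RID some other uid maps to; flag it if that uid is still unused.
        if rid != user_rid(uid, base) and rid >= base and (rid - base) % 2 == 0:
            other = (rid - base) // 2
            if other not in used_uids:
                clashes[name] = other
    top = max(rid for _n, _u, rid in rows)
    suggested = top + 1 + (top + 1) % 2  # kept even to preserve user/group parity
    return dups, clashes, suggested

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```

As the reply notes, raising the base also changes the SIDs of accounts that rely on the algorithmic mapping, so run the duplicate check again after any change.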
