[Samba] samba problems. accounts expire after a hour, but work after reset

Collen Blijenberg collen at hermanjordan.nl
Wed Mar 7 13:38:56 GMT 2007

Sorry, forgot something,

indeed there was a mixup with the migrating, the old posix uids were different
than the ones we use now.
i changed the auto_increment value of the user.uid table from mysql.
i took the highest sid (5620), subbed 1000 and /2, and used that for the
auto_increment value..

so now my new user accounts are in sync with samba RID's again.

all i'm interested in now is the ones i already have and use...
i have a heap of accounts that have a posix uid that doesn't fit the
rule Edmundo explained (1000 + (2*uid))
it looks like all works fine, but i would like to take the advice of the

is the rule only active when creating new accounts, or does samba use
that rule also within
daily basic things ? (like logging in, or accessing shares ??)

does it harm to have a posix uid 1050 and a SID ending with -1299  ?????

Cheers Collen

Collen Blijenberg wrote:
> He thx Edmundo,
> hmm, basically i did a migration. we replaced an old samba server after
> 4 years, and made a new one.
> i exported the samba user accounts with  the -i and -e option in pdbedit.
> the old exported samba was version 3.0.11.
> all i did was transferred the domain SID to the new pdc.
> exported the users and machine accounts.
> imported all in the new PDC, added the posix users, mapped some groups
> with net map.
> et voila..
> i left all the old .tdb files and all on the old machine, and let the
> new PDC handle it.
> it looks as if all works fine, but adding users and machines gives me a
> headache..
> isn't there any way to influence the SID making process ??
> somehow i think that changing the algorithmic rid base option isn't
> going to work...
> i did some other tests as well today, but it keeps on generating
> existing SID's (tried other machines)
> what did i forget to do with the migration ??? that makes the SID's
> screw up.. ?
> Cheers, Collen
>
> Edmundo Valle Neto wrote:
>> Collen Blijenberg escreveu:
>>> Thx Felipe, after a week debugging, i found the problem!!
>>> there was a mix up with SID's. i had 5 machines and username with 
>>> the same SID
>>> including the PDC.
>> Would be a nice thing if you discover why that happened. Samba 
>> generates the RID part of the SID algorithmically (1000 + (2 x uid) 
>> for user accounts, and 1001 + (2 x gid) for groups), if the uid is 
>> different in these accounts the RID should be different too.
>>> but there is something funny where i need some help with,
>>> if i make a new user or machine account, samba generate the SID 
>>> automatically.
>>> i saw, that my server doesn't look at existing SID's.
>> No it doesn't, that's right. It's not needed, calculating RIDs that 
>> way will not make clashes.
>>> how can i let samba make SID's after a specified number ??
>>> my problem at the moment is that if i make a new user, samba
>>> generates an existing SID, and therefore
>>> trouble arises!
>> Well, normally it will not make clashes, unless you already have a 
>> base with SIDs calculated, who knows how.
>> You can change the "algorithmic rid base" option that defaults to 
>> 1000 to another value raising the values that will make RIDs. (if you 
>> have unmapped accounts, it will have their SIDs changed too, as the 
>> algorithm will be different, if I remember right in samba 3.0.23c 
>> there are some changes about that).
>> In some distributions, you can raise the uid/gids range. That way 
>> would make higher RIDs be generated too. :)
>>> example: current last SID in user database:  
>>> S-1-5-21-1968991162-2130249723-1959552931-5462
>>> if i make a new user samba will use: 
>>> S-1-5-21-1968991162-2130249723-1959552931-5410    ????????????
>> Do you use a database server to store your samba users right? Well, I 
>> never used it, I don't know how exactly it stores information. As I 
>> don't know how do you have created your accounts or how much have you 
>> messed with them. Normally uids are not reused in posix accounts and 
>> samba user/group accounts pick up even/odd RID numbers, not making
>> that probably future clash as you are seeing. :)
>>> so basically it's all about the last 4 digits!
>>> can i alter a .tdb file ??? (if so which one??)
>> I can't say that you can't, there's some tools that 
>> dump/change/add/etc contents of .tdb files, you can even dump them 
>> and grep to find where's the information that you are looking for, 
>> but keep in mind that probably you will mess up with any reference to 
>> the SID being changed (be it ACLs, profiles, or whatever).
>> The last time that I blew up my base with repeated SIDs (took me a
>> while to discover why users were getting permissions that they
>> shouldn't, it was the first time I used an LDAP base importing the
>> old base and I changed the code that makes the SIDs in the scripts
>> that create the accounts) I deleted all these accounts, raised the
>> base RID, recreated them and changed permissions with shell scripts.
>>> all i like is samba to start making SID's after that -5462 number !!!
>>> Cheers, Collen....
>>> ...
>> [cut]
>> I hope it helps.
>> Regards.
>> Edmundo Valle Neto
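
An audit of the rule discussed in this thread, as an added example that is not part of the original messages and not Samba's own code: it checks a user list against RID = 1000 + (2 x uid), reports RIDs shared by more than one account, and computes the lowest uid whose algorithmic RID lies above every RID already in use. The `name:uid:SID` input format, the account names and the uids are constructed for illustration; the domain SID and the RIDs 5410, 5462 and 1299 are the ones quoted in the thread.

```python
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-1968991162-2130249723-1959552931"  # domain SID quoted in the thread
RID_BASE = 1000  # default value of "algorithmic rid base" per the thread

# Constructed sample in a made-up name:uid:SID format (not pdbedit output).
SAMPLE = f"""\
bob:1040:{DOMAIN_SID}-5410
carol:2205:{DOMAIN_SID}-5410
dave:2231:{DOMAIN_SID}-5462
erin:1050:{DOMAIN_SID}-1299
"""

def user_rid(uid, base=RID_BASE):
    """RID the thread's rule assigns to a user account: base + 2*uid."""
    return base + 2 * uid

def classify_rid(rid, base=RID_BASE):
    """Invert the rule: even offsets decode as users, odd offsets as groups."""
    if rid < base:
        return ("below-base", None)
    offset = rid - base
    return ("group" if offset % 2 else "user", offset // 2)

def parse(text):
    """Yield (name, uid, rid) from name:uid:SID lines."""
    for line in text.splitlines():
        if line.strip():
            name, uid, sid = line.split(":")
            yield name, int(uid), int(sid.rsplit("-", 1)[1])

def audit(text, base=RID_BASE):
    """Return (RIDs held by several accounts, accounts whose RID != base + 2*uid)."""
    by_rid, mismatched = defaultdict(list), []
    for name, uid, rid in parse(text):
        by_rid[rid].append(name)
        if rid != user_rid(uid, base):
            mismatched.append((name, uid, rid, user_rid(uid, base)))
    dupes = {rid: names for rid, names in by_rid.items() if len(names) > 1}
    return dupes, mismatched

def first_safe_uid(rids, base=RID_BASE):
    """Lowest uid whose algorithmic RID is above every RID already in use."""
    return max(0, (max(rids) - base) // 2 + 1)

if __name__ == "__main__":
    dupes, mismatched = audit(SAMPLE)
    print("duplicate RIDs:", dupes)
    for name, uid, rid, want in mismatched:
        print(f"{name}: uid {uid} has RID {rid}, rule gives {want}; decodes as {classify_rid(rid)}")
    print("first clear uid:", first_safe_uid([r for _, _, r in parse(SAMPLE)]))
```

An account listed as mismatched holds a RID that the rule would hand to a different uid or gid, which is how a newly created account ends up sharing a SID, and therefore permissions, with an existing one.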
