[Samba] changing SID breaks some permissions

[Andrew Bartlett]

On Fri, 2010-12-24 at 11:13 -0800, Christ Schlacta wrote:
> I've got a standalone host with an SID that matches exactly a domain 
> SID.  for some (fairly obvious) reason, windows machines get confused by 
> this, so I need to change one of the two SIDs.  I decided (for 
> simplicity's sake) to change the machine.  it broke a bunch of 
> permissions in some silent way, and I couldn't solve a printing related 
> issue as a result (see my other post).  Clearly there's more to changing 
> the SID then just net setlocalsid, as that's what broke stuff.  so the 
> question is this:
> 
> what else uses that sid, and where does it need to be changed?

The SID is embedded in every security descriptor stored, be it on disk
in a security descriptor or in a database.  In particular this applies
to the registry which stores printer details. 

I fear it will be difficult to find and fix all the instances, but
others who are more involved in this code regularly may wish to
comment. 

In short, you may be better to re-configure this workstation from
scratch. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.