[Samba] Help with fixing users and groups with the same SID in LDAP

Tim IT at mcgeecorp.com
Mon Dec 2 14:31:32 MST 2013

Jonathan Buzzard <jonathan <at> buzzard.me.uk> writes:

> There is absolutely nothing wrong with a uidNumber and gidNumber being 
> the same numerical value as they are two entirely different sets of 
> numbers. What is not possible in the Windows world is to have a username 
> and a group with the same text name. What looks to be at issue is that 
> you have been generating SIDs based on the uidNumber or gidNumber which 
> has never been a sensible idea.

Hmm... I believe the SIDs in question were automatically generated ages ago 
by smbldap tools. No one has manually intervened when adding users or groups 
to my knowledge. 

I was planning to follow the apparent convention of the existing SIDs when 
updating the dupes... IIRC it was how SIDs were computed back in the NT days 
or something :-) Is there a better algorithm to use or does it really not 
matter what I change the last section to as long as the SID is unique within 
the domain?

> There should be no reason to change the gidNumber, just change the SID. 
> I would have the directory servers offline to the users while the 
> changes were made and restart any domain joined machines after 
> restarting the samba3+ldap combination.

Ok, thanks - that makes sense.

I appreciate your help!