[Samba] Messed up SIDs: How to change machine SID?

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jul 3 10:10:10 MDT 2013

I have an LDAP backend.

In LDAP, the machine accounts for my  windows and linux clients so show 
the same base SID as the domain SID (ie.. all but the last digits.)

However I also have the mismatch with "net getdomainsid" -  which 
definately explains why they don't behave as I would expect.   You may 
want to try fixing this with "net setlocalsid."   I guess when you joing 
unix  or linux member server to the domain the localsid is not updated.

Re the BUILTIN groups you may want to explicitly map these to unix 
groups rather than relying on winbind to do it

e.g.   I created  unix groups

#getent group ....
Builtin Admins::544:
Builtin Users::545:
Builtin Guests::546:

Then mapped the well know built-in Windows groups to the unix groups

#net groupmap add ntgroup="Administrators" unixgroup=544 
sid=S-1-5-32-544   type=builtin
#net groupmap add ntgroup="Users" unixgroup=545   sid=S-1-5-32-545 
#net groupmap add ntgroup="Guests" unixgroup=546 sid=S-1-5-32-546 

# net groupmap list | grep -i builtin

Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Guests (S-1-5-32-546) -> Builtin Guests

The linux samba member servers I use mostly for IT use anyway so I never 
shook out all the bugs.

On 07/03/13 11:49, Marcus Mundt wrote:
> Dear Samba Gurus,
> I got the following errors:
> tail -f /var/log/samba/log.wb-DOM1
> [2013/07/02 15:49:19.990168,  2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
>    name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> log.smbd
> [2013/07/02 15:40:51.809516,  2] auth/token_util.c:455(finalize_local_nt_token)
>    WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
> [2013/07/02 15:40:51.811330,  2] auth/token_util.c:479(finalize_local_nt_token)
>    WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> I guess the reason might be this:
> net getdomainsid
> SID for local machine M1 is: 	S-1-5-21-3981825222-1828954701-2606613544
> SID for domain DOM1 is: 	S-1-5-21-2762780445-1763757571-3541238449
> net getdomainsid
> SID for local machine M2 is: 	S-1-5-21-2913448378-2543514743-1508345481
> SID for domain DOM1 is: 	S-1-5-21-2762780445-1763757571-3541238449
> Shouldn't the SIDs be the same except the last digits???
> Cheers,
> Marcus

More information about the samba mailing list