[Samba] How to fix wrong SIDs

Daniel Tamm daniel.tamm at biomil.se
Fri Aug 22 01:13:54 MDT 2014

On 2014-08-21 15:20, Rowland Penny wrote:
> On 21/08/14 13:55, Daniel Tamm wrote:
>> I am operating a PDC samba server running version 4.1.6-Ubuntu with an
>> OpenLDAP backend. Due to problems during the upgrade to Samba4, I needed
>> to recover the users and groups from a backup. Now, I ended up with 2
>> different entries for sambaDomainName: one is my real domain, the other
>> is just named "sambaDomain". I suppose that the latter comes from the
>> clean samba install I did during upgrade. The 2 domains have different
>> SIDs.
>> Now, the problem is that some users (root) and groups (Domain Admins,
>> Domain Computers, Domain Guests, Domain Users) have SIDs belonging to
>> the domain sambaDomain. I suppose that this can be the cause of some
>> other problems I have.
>> So my question is, what is the best way to correct the problem? Can I
>> just delete the entry sambaDomainName=sambaDomain, and then adjust the
>> SIDs of the aforementioned users and groups so that they contain the SID
>> of my real domain? I am using phpLDAPAdmin.
>> Another question: may the SID problem be the cause for my problem to add
>> a domain group to the local Administrator group on a workstation?
>> (there, I may add the group once, but when I re-open the dialog, it is
>> not there any more. The next time I try to add the group, I just get the
>> notice that it has already been added. Users in the domain group are not
>> granted Admin rights.)
>> Thank you!
>> Daniel
> Is this in a test domain or production? If it is the former, I would
> start again, if it is the latter, then again, it might be easier to start
> again, just how many users/computers in the domain. How did you do the
> 'upgrade'??
> Rowland
Thank you for your reply!
It's a production domain with a dozen users/machines.
The upgrade to Ubuntu 14.04 went wrong and left me with a corrupted
domain or system (I don't remember exactly), so I started over with a
clean new Ubuntu installation and then, after the base samba/ldap system
was running again, imported an LDIF backup file with phpldapadmin.
What would happen if I simply corrected the users' and groups' SIDs in
the LDAP database?
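
As an added example that is not part of the original thread: a read-only check that lists which entries in an LDIF export carry a sambaSID or sambaPrimaryGroupSID issued under a domain SID other than the real domain's. The sample LDIF, its DNs and SIDs, the domain name REALDOM and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample LDIF; every DN and SID here is made up for illustration.
SAMPLE_LDIF = """\
dn: sambaDomainName=REALDOM,dc=example,dc=org
sambaDomainName: REALDOM
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=sambaDomain,dc=example,dc=org
sambaDomainName: sambaDomain
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=root,ou=Users,dc=example,dc=org
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-500
sambaPrimaryGroupSID: S-1-5-21-4444444444-5555555555-6666666666-512

dn: uid=daniel,ou=Users,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
"""
SID_ATTRS = {"sambasid", "sambaprimarygroupsid"}
ACCOUNT_SID = re.compile(r"^(S-1-5-21(?:-\d+){3})-\d+$")  # domain SID + RID

def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]); handles folded and base64 values."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = []
        for line in block.splitlines():
            m = re.match(r"([^:#]+)(::?)\s*(.*)", line)
            if m:
                val = m[3]
                if m[2] == "::":  # base64-encoded value
                    val = base64.b64decode(val).decode("utf-8", "replace")
                attrs.append((m[1].lower(), val))
        dn = dict(attrs).get("dn")
        if dn:
            yield dn, attrs

def foreign_sids(text, real_domain):
    """List (dn, attr, sid) whose domain part differs from real_domain's SID."""
    entries = list(parse_ldif(text))
    expected = {dict(a).get("sambadomainname"): dict(a).get("sambasid")
                for _, a in entries}[real_domain]
    return [(dn, attr, sid) for dn, attrs in entries for attr, sid in attrs
            if attr in SID_ATTRS and (m := ACCOUNT_SID.match(sid))
            and m[1] != expected]

if __name__ == "__main__":
    print(*foreign_sids(SAMPLE_LDIF, "REALDOM"), sep="\n")
```

The check only reads the export and changes nothing; well-known SIDs outside the S-1-5-21 range (for example BUILTIN groups) are deliberately not reported.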
