[Samba] problem with mechanism of samba user SID creation

Karel Lang AFD lang at afd.cz
Thu Sep 4 05:25:29 MDT 2014


Hello guys,
As the subject says, I've got a problem with it. And because I'm in
preparation of a migration of users from a Samba PDC with the passdb.tdb backend
to the LDAP backend, I need to be 100% clear on it.

I can't find a reference to it anywhere, so could anyone point me in
the right direction?

What is confusing for me? I'll explain with an example:

1. Scenario: Existing Samba PDC server (difference between Samba SID and 
User SID)

[root at srv-022 etc]# net getlocalsid
SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550

[root at srv-022 etc]# pdbedit -Lv | grep -i -A15 lang

Unix username:        lang
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-110010030-2840066419-870397770-2262
Primary Group SID:    S-1-5-21-110010030-2840066419-870397770-513

Please NOTE the difference between the Samba SID and the SID of the user. I'd expect
the SID of the user to be generated as Samba SID + RID? Why the difference?
Please note that this server was created by migration from an older Samba
version, so that might have had an impact on this? (I have not been
doing that migration, so I don't know exactly what was going on at that
time.)


2. Scenario: my testing Samba PDC server

- I installed the same Samba version as on the main server (3.6.9)
- I tarred and un-tarred the whole /etc/samba folder to this test server
- I rsynced /etc/passwd, group, hosts, smb.conf, passdb.tdb
- I set the same Samba SID as the Production server has (via net setlocalsid)


Result:

[root at afdfake home]# net getlocalsid
SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550

[root at afdfake etc]# pdbedit -Lv | grep -i -A15 lang
Unix username:        lang
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1659033379-200690441-2582778234-2262
Primary Group SID:    S-1-5-21-1659033379-200690441-2582778234-513

As you can see, again I have a difference between the Samba SID and the user SID,
but what I do not understand at ALL is why the user SID is different from the user
SID on the Production server (it is the same user).

Considering this, it is the completely same passdb.tdb file as on
Production ... what mechanism changed the SID of my user?

Also - if I would like to correct this discrepancy on my test server via
pdbedit and make the Samba SID and User SID the same, it FAILS:

[root at afdfake etc]# pdbedit -U S-1-5-21-3959513538-1809711307-1766237550-2262 lang
tdb_update_sam: struct samu (lang) with no RID!
Unable to modify entry!


3. Scenario: freshly installed Samba (again 3.6.9) on laptop:

[root at orionis ~]# net getlocalsid
SID for domain ORIONIS is: S-1-5-21-2647753566-3134634105-1426643513

[root at orionis ~]# pdbedit -Lv
Unix username:        lang
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2647753566-3134634105-1426643513-1000
Primary Group SID:    S-1-5-21-2647753566-3134634105-1426643513-513

As you can see, this is the result I'd expect: User SID = Samba SID + User RID,
and both are the same.


So what is the mechanism behind this? How can authentication even
work on the Production server (scenario 1) while the Samba SID and User SID differ?
Why do even newly added users keep that trait of a User SID different from the Samba SID?

I can't find answers in the samba lists - can someone please point me to some
documentation, or shed some light?


Thanks!
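A consistency check a migrator might run before moving the passdb, added here as an example that is not code from the post or from Samba: it reads the saved output of `net getlocalsid` and `pdbedit -Lv` (sample text copied from scenario 1 above) and lists accounts whose SID prefix is not the local domain SID. The function names are my own.

```python
import re

# Constructed sample input: the command output quoted in scenario 1 of the post.
LOCALSID_OUTPUT = "SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550\n"
PDBEDIT_OUTPUT = """\
Unix username:        lang
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-110010030-2840066419-870397770-2262
Primary Group SID:    S-1-5-21-110010030-2840066419-870397770-513
"""

DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID of the form S-1-5-21-a-b-c-RID."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return m.group(1), int(m.group(2))


def parse_localsid(text):
    """Extract the domain SID from `net getlocalsid` output."""
    m = DOMAIN_SID_RE.search(text)
    if not m:
        raise ValueError("no domain SID found in: %r" % text)
    return m.group(0)


def parse_pdbedit(text):
    """Collect one {user, sid} record per account from `pdbedit -Lv` output."""
    records, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Unix username":          # first field of every record
            if current:
                records.append(current)
            current = {"user": value}
        elif key == "User SID":
            current["sid"] = value
    if current:
        records.append(current)
    return records


def foreign_accounts(localsid_text, pdbedit_text):
    """Return (user, sid, domain_prefix, rid) for accounts not under the local SID."""
    local = parse_localsid(localsid_text)
    out = []
    for rec in parse_pdbedit(pdbedit_text):
        domain, rid = split_sid(rec["sid"])
        if domain != local:
            out.append((rec["user"], rec["sid"], domain, rid))
    return out
```

Running it over the scenario 1 output above flags user `lang` (RID 2262) as carrying a SID from a different domain prefix than the one `net getlocalsid` reports; over the scenario 3 output it returns an empty list.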