[Samba] problem with mechanism of samba user SID creation

Karel Lang AFD lang at afd.cz
Mon Sep 8 02:26:38 MDT 2014


Hello guys,
would any advanced Samba user or dev please know the answer?

To make my question as short as it can get:
"Why can the Samba SID and User SID differ?"

I'm interested in understanding the mechanism behind it. I stated all
details in my first message.

Please bear with me, I am new to the mailing list, so I'm not sure if I can
reply to myself to 'refresh' the question.



Thanks a lot.


On 09/04/2014 01:25 PM, Karel Lang AFD wrote:
> Hello guys,
> as the subject says, I've got a problem with it. And because I'm
> preparing a migration of users from a Samba PDC with the passdb.tdb backend
> to the LDAP backend, I need to be 100% clear on it.
>
> I can't find a reference to it anywhere, so if anyone can point me in
> the right direction ..?
>
> What is confusing for me? I'll explain with an example:
>
> 1. Scenario: Existing Samba PDC server (difference between Samba SID and
> User SID)
>
> [root at srv-022 etc]# net getlocalsid
> SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550
>
> [root at srv-022 etc]# pdbedit -Lv | grep -i -A15 lang
>
> Unix username:        lang
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-110010030-2840066419-870397770-2262
> Primary Group SID:    S-1-5-21-110010030-2840066419-870397770-513
>
> Please NOTE the difference between the Samba SID and the SID of the user. I'd
> expect that the SID of the user is generated by: Samba SID+RID ?  Why the difference?
> Please note, this server was created by migration from an older Samba
> version - so, that might have had an impact on this? (And I did not
> do that migration, so I don't know exactly what was going on at that
> time.)
>
>
> 2. Scenario: my testing Samba PDC server
>
> - I installed the same Samba version as on the main server (3.6.9)
> - I tarred and un-tarred the whole /etc/samba folder to this test server
> - I rsynced /etc/passwd, group, hosts, smb.conf, passdb.tdb
> - I set the same Samba SID as the Production server has (via net setlocalsid)
>
>
> result:
>
> [root at afdfake home]# net getlocalsid
> SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550
>
> [root at afdfake etc]# pdbedit -Lv | grep -i -A15 lang
> Unix username:        lang
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-1659033379-200690441-2582778234-2262
> Primary Group SID:    S-1-5-21-1659033379-200690441-2582778234-513
>
> As you can see again, I have a difference between the Samba SID and the user SID,
> but what I do not understand at ALL is why the user SID is different from the user
> SID on the Production server (it is the same user).
>
> Considering this, it is completely the same passdb.tdb file as on
> Production ... what mechanism changed that SID of my user?
>
> Also - if I would like to correct this discrepancy on my test server via
> pdbedit and make the Samba SID and User SID the same - it FAILs:
>
> [root at afdfake etc]# pdbedit -U S-1-5-21-3959513538-1809711307-1766237550-2262 lang
> tdb_update_sam: struct samu (lang) with no RID!
> Unable to modify entry!
>
>
> 3. Scenario: freshly installed Samba (again 3.6.9) on a laptop:
>
> [root at orionis ~]# net getlocalsid
> SID for domain ORIONIS is: S-1-5-21-2647753566-3134634105-1426643513
>
> [root at orionis ~]# pdbedit -Lv
> Unix username:        lang
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-2647753566-3134634105-1426643513-1000
> Primary Group SID:    S-1-5-21-2647753566-3134634105-1426643513-513
>
> As you can see, this is the result I'd expect - User SID = Samba SID + User RID
>
> And both are the same.
>
>
> So what is the mechanism behind this? How can the authentication even
> work on the Production server (scenario 1) while the Samba SID and User SID
> differ?
> Why do even newly added users keep that trait of a User SID different from the Samba SID?
>
> I can't find answers on the Samba lists - can someone please point me to some
> documentation, or shed some light?
>
>
> Thanks!
>
>
>
>
>
>
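A check for the mismatch described in this thread, as an added example that is not part of the original post or of Samba: it parses `net getlocalsid` and `pdbedit -Lv` output and lists every account whose User SID or Primary Group SID is not the local SID plus a RID. The first sample record is scenario 1 from the post; the `alice` record and all function names are constructed for illustration.

```python
import re

FIELDS = ("User SID", "Primary Group SID")

def parse_local_sid(text):
    """Extract the domain SID from `net getlocalsid` output."""
    m = re.search(r"SID for domain \S+ is:\s*(S-1-5-21-\d+-\d+-\d+)\s*$", text, re.M)
    if not m:
        raise ValueError("no local SID found")
    return m.group(1)

def parse_pdbedit(text):
    """Yield (unix_user, field, sid) for each SID line of `pdbedit -Lv` output."""
    user = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue  # record separators and blank lines carry no field
        if key == "Unix username":
            user = value
        elif key in FIELDS and user is not None:
            yield user, key, value

def audit(local_sid_text, pdbedit_text):
    """Return (user, field, domain_part, rid) where the SID is not <local SID>-<RID>."""
    local = parse_local_sid(local_sid_text)
    mismatches = []
    for user, field, sid in parse_pdbedit(pdbedit_text):
        prefix, _, rid = sid.rpartition("-")
        if prefix != local or not rid.isdigit():
            mismatches.append((user, field, prefix, rid))
    return mismatches

# Sample input: "lang" is scenario 1 from the post; "alice" is constructed.
LOCAL = "SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550\n"
PDB = """\
Unix username:        lang
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-110010030-2840066419-870397770-2262
Primary Group SID:    S-1-5-21-110010030-2840066419-870397770-513
---------------
Unix username:        alice
User SID:             S-1-5-21-3959513538-1809711307-1766237550-3001
Primary Group SID:    S-1-5-21-3959513538-1809711307-1766237550-513
"""

if __name__ == "__main__":
    for user, field, prefix, rid in audit(LOCAL, PDB):
        print(f"{user}: {field} uses domain part {prefix} (RID {rid})")
```

Running it against the real command output before and after copying passdb.tdb to another host shows which accounts carry a domain part other than the one `net getlocalsid` reports.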