[Samba] problem with mechanism of samba user SID creation

Rowland Penny rowlandpenny at googlemail.com
Mon Sep 8 02:55:18 MDT 2014


On 08/09/14 09:26, Karel Lang AFD wrote:
> Hello guys,
> would any advanced Samba user or dev know the answer?
>
> To make my question the shortest it can get:
> "Why can the Samba SID and the User SID differ?"
>
> I'm interested in understanding the mechanism behind it. I stated 
> all the details in my first message.
>
> Please bear with me, I am new to the mailing list, so I'm not sure if I can 
> reply to myself to 'refresh' the question.
>
>
>
> Thanks a lot.
>
>
> On 09/04/2014 01:25 PM, Karel Lang AFD wrote:
>> Hello guys,
>> as the subject says, I've got a problem with it. And because I'm
>> preparing a migration of users from a Samba PDC with a passdb.tdb backend
>> to an LDAP backend, I need to be 100% clear on it.
>>
>> I can't find a reference to it anywhere, so can anyone point me in
>> the right direction?
>>
>> What is confusing me? I'll explain with an example:
>>
>> 1. Scenario: Existing Samba PDC server (difference between Samba SID and
>> User SID)
>>
>> [root at srv-022 etc]# net getlocalsid
>> SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550
>>
>> [root at srv-022 etc]# pdbedit -Lv | grep -i -A15 lang
>>
>> Unix username:        lang
>> NT username:
>> Account Flags:        [U          ]
>> User SID: S-1-5-21-110010030-2840066419-870397770-2262
>> Primary Group SID: S-1-5-21-110010030-2840066419-870397770-513
>>
>> NOTE please the difference between the Samba SID and the SID of the user. I'd expect
>> that the SID of the user is generated by: Samba SID+RID? Why the difference?
>> Please note, this server was created by migration from an older Samba
>> version - so that might have had an impact on this? (I was not the one
>> doing that migration, so I don't know exactly what was going on at that
>> time.)
>>
>>
>> 2. Scenario: my testing Samba PDC server
>>
>> - I installed the same Samba version as on the main server (3.6.9)
>> - I tarred and un-tarred the whole /etc/samba folder to this test server
>> - I rsynced /etc/passwd, group, hosts, smb.conf, passdb.tdb
>> - I set the same Samba SID as the Production server has (via net 
>> setlocalsid)
>>
>>
>> result:
>>
>> [root at afdfake home]# net getlocalsid
>> SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550
>>
>> [root at afdfake etc]# pdbedit -Lv | grep -i -A15 lang
>> Unix username:        lang
>> NT username:
>> Account Flags:        [U          ]
>> User SID: S-1-5-21-1659033379-200690441-2582778234-2262
>> Primary Group SID: S-1-5-21-1659033379-200690441-2582778234-513
>>
>> As you can see, again I have a difference between the Samba SID and the user SID,
>> but what I do not understand at ALL is why the user SID is different from the user
>> SID on the Production server (it is the same user).
>>
>> Considering that it is exactly the same passdb.tdb file as on
>> Production ... what mechanism changed the SID of my user?
>>
>> Also - if I would like to correct this discrepancy on my test server via
>> pdbedit and make the Samba SID and User SID the same - it FAILS:
>>
>> [root at afdfake etc]# pdbedit -U S-1-5-21-3959513538-1809711307-1766237550-2262 lang
>> tdb_update_sam: struct samu (lang) with no RID!
>> Unable to modify entry!
>>
>>
>> 3. Scenario: freshly installed Samba (again 3.6.9) on a laptop:
>>
>> [root at orionis ~]# net getlocalsid
>> SID for domain ORIONIS is: S-1-5-21-2647753566-3134634105-1426643513
>>
>> [root at orionis ~]# pdbedit -Lv
>> Unix username:        lang
>> NT username:
>> Account Flags:        [U          ]
>> User SID: S-1-5-21-2647753566-3134634105-1426643513-1000
>> Primary Group SID: S-1-5-21-2647753566-3134634105-1426643513-513
>>
>> As you can see, this is the result I'd expect - User SID = Samba SID + User RID
>>
>> And both are the same.
>>
>>
>> So what is the mechanism behind this? How can authentication even
>> work on the Production server (scenario 1) while the Samba SID and User SID
>> differ?
>> Why do even newly added users keep that trait of a User SID different 
>> from the Samba SID?
>>
>> I can't find answers on the samba lists - can you please point me to some
>> documentation, or shed some light?
>>
>>
>> Thanks!
>>
>
Hi, I think your problem is that you are mistaking the local SID for the 
domain SID; there is another command, 'net getdomainsid'.

If I run this on my laptop that is joined to the domain, I get this:

rowland at ThinkPad ~ $ sudo net getdomainsid
SID for local machine THINKPAD is: S-1-5-21-1417260334-839400796-1629432758
SID for domain EXAMPLE is: S-1-5-21-2025076216-3455336656-3842161122

Yes, the local SID is different from the domain SID, but the local SID 
is not used.

So, having got that out of the way, can we have a bit more info please: 
smb.conf, what sort of domain, and what is the domain controller?

Rowland
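Before migrating a passdb.tdb to LDAP, the check that follows from the reply above is to compare every account's SID prefix with the SID that `net getdomainsid` reports for the domain, not with the `net getlocalsid` value. The script below is an added example, not code from this thread or from the Samba project: it parses the `pdbedit -Lv` and `net getdomainsid` output formats as quoted in the thread and flags any account whose SID does not belong to the domain. The sample output is constructed from the SID values quoted above; the domain name AFDDOM and the second account `oldlang` are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Samba project).
# Checks that each "User SID" printed by `pdbedit -Lv` shares its
# S-1-5-21-X-Y-Z prefix with the domain SID from `net getdomainsid`.

# sid_prefix: strip the trailing RID, S-1-5-21-X-Y-Z-RID -> S-1-5-21-X-Y-Z
sid_prefix() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# sid_rid: return only the trailing RID of a SID
sid_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# domain_sid_from_net: stdin is `net getdomainsid` output; print the
# "SID for domain ... is:" value and ignore the "local machine" line.
domain_sid_from_net() {
    sed -n 's/^SID for domain [^ ]* is: //p'
}

# check_users: stdin is `pdbedit -Lv` output, $1 is the expected domain SID.
# Prints one line per account; returns 1 if any account has a foreign prefix.
check_users() {
    expected="$1"
    status=0
    user=""
    while IFS= read -r line; do
        case "$line" in
            "Unix username:"*)
                user=$(printf '%s' "$line" | sed 's/^Unix username:[[:space:]]*//') ;;
            "User SID:"*)
                sid=$(printf '%s' "$line" | sed 's/^User SID:[[:space:]]*//')
                if [ "$(sid_prefix "$sid")" = "$expected" ]; then
                    echo "OK       $user RID $(sid_rid "$sid")"
                else
                    echo "MISMATCH $user $sid (expected prefix $expected)"
                    status=1
                fi ;;
        esac
    done
    return $status
}

# Constructed sample of `net getdomainsid` output (domain name AFDDOM is assumed).
SAMPLE_NET='SID for local machine AFDFAKE is: S-1-5-21-3959513538-1809711307-1766237550
SID for domain AFDDOM is: S-1-5-21-1659033379-200690441-2582778234'

# Constructed sample of `pdbedit -Lv` output: "lang" uses the domain prefix,
# "oldlang" (invented) still carries the production server's old prefix.
SAMPLE_PDB='Unix username:        lang
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1659033379-200690441-2582778234-2262
Primary Group SID:    S-1-5-21-1659033379-200690441-2582778234-513

Unix username:        oldlang
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-110010030-2840066419-870397770-2262
Primary Group SID:    S-1-5-21-110010030-2840066419-870397770-513'

DOMAIN_SID=$(printf '%s\n' "$SAMPLE_NET" | domain_sid_from_net)
echo "domain SID: $DOMAIN_SID"
printf '%s\n' "$SAMPLE_PDB" | check_users "$DOMAIN_SID" \
    || echo "one or more accounts do not belong to domain $DOMAIN_SID"
```

On a live PDC the two sample strings would be replaced by `net getdomainsid` and `pdbedit -Lv` run as root; any MISMATCH line marks an account whose SID will not resolve against the domain after the move.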
