[Samba] How can I change the localSID for a SAMBA Server?

Rowland Penny rpenny at samba.org
Tue Dec 15 22:40:26 UTC 2015


On 15/12/15 22:27, Tetra wrote:
> On 15.12.2015 22:16, Byron Bogaert wrote:
>> We need to change the SID on a standalone server because it needs to also
>> act as a File Server. The authentication comes from LDAP, and we have
>> existing entries in LDAP for SID of the domain. Instead of changing all the
>> SIDs in LDAP, we would like to be able to change it on the server.
>
> I noticed something similar (though while testing on some older
> samba-3 standalone servers, where I wanted to see if I could use LDAP
> instead of an rsync-replicated smbpasswd file by setting the same SID on
> all servers).
>
> The SID is locally stored in secure.tdb and you can see it with tdbtool
> (though in hex, and you need to know that the last three 10-digit numbers
> in the SID are 32 bits or 4 bytes each).
>
> Seems net setlocalsid changed the sid in secrets.tdb, but the server
> finds its SID in LDAP after that is set up in smb.conf, and there it 
> was not changed.
>
> I solved it by also changing it manually on the LDAP server, or made
> sure that the sid was changed locally before starting up smbd with LDAP
> configured, or deleted the LDAP entry for the server and restarted smbd
> so it was generated anew.
>
> YMMV.
>
>

The problem is that the machine is supposed to be a standalone server 
and how can it be one, if it has the same SID as another machine, or am 
I missing something? Surely, if it does have the same SID, you are 
talking a basic domain.

As long as the computer can get the users' details from LDAP and the 
underlying OS can see this info, it shouldn't make any difference what 
its SID is, i.e. as long as 'getent passwd <a user in ldap>' returns the 
required info.

Rowland
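
Added example (not part of the original thread): the quoted reply notes that tdbtool shows the stored SID in hex with 32-bit sub-authorities. This sketch converts such hex bytes to the S-1-5-21-... string form and back, so the local value can be compared with the SID string held in LDAP. It assumes the stored bytes follow the standard binary SID layout (revision, count, 48-bit big-endian authority, little-endian 32-bit sub-authorities, possibly followed by padding); the sample bytes and function names are constructed for illustration.

```python
import struct

# Constructed sample: hex bytes as copied by hand from a dump (not a real server's SID).
SAMPLE_HEX = "01 04 00 00 00 00 00 05 15 00 00 00 d2 02 96 49 35 38 d0 8b 14 6a 0a ce"
MAX_SUBAUTHS = 15  # upper bound on sub-authorities in a SID


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID; bytes after the last sub-authority are ignored."""
    if len(raw) < 8:
        raise ValueError("need at least 8 header bytes")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    if count > MAX_SUBAUTHS or len(raw) < 8 + 4 * count:
        raise ValueError("sub-authority count does not fit the data")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)   # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-R-A-x-y-z string into the same binary layout (no padding)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority, *subs = (int(p) for p in parts[1:])
    if len(subs) > MAX_SUBAUTHS:
        raise ValueError("too many sub-authorities")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def sid_from_hex(text: str) -> str:
    """Accept hex digits separated by whitespace, as typed from a hex dump."""
    return parse_sid(bytes.fromhex(text))


if __name__ == "__main__":
    print(sid_from_hex(SAMPLE_HEX))
```
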