[Samba] How can I change the localSID for a SAMBA Server?
terjet-list at funcom.com
Wed Dec 16 00:35:01 UTC 2015
On 15.12.2015 23:40, Rowland penny wrote:
> The problem is that the machine is supposed to be a standalone server
> and how can it be one, if it has the same SID as another machine, or am
> I missing something?Surely, if it does have the same SID, you are
> talking a basic domain.
No, if it is a standalone server, it doesn't really care about what SID
itself has (localsid), but the test I did showed that it did care about
what SID a user had. ...
> As long as the computer can get the users details from ldap and the
> underlying OS can see this info, it shouldn't make any difference what
> its SID is i.e. as long as 'getent passwd <a user in ldap>' returns the
> required info.
If the server has a sid of S-1-5-21-x-y-z the user must have a SID + rid
(relative id) that matches, e.g. S-1-5-21-x-y-z-1000. If not I couldn't
log on to the share. So I decided on an easy to remember SID and a
generic domain name of SAMBA and added all users to LDAP with this as
sambaSID and sambaDomainName (using the tool LDAP Account Manager Pro
from Roland Gruber). When I then add all servers with same SID, I manage
to log on to the fileshares.
This was for testing how I in a simple way could replace a system with
standalone servers with a smbpasswd file where all the users were
created on one of them, then the smbpasswd file was rsynced to the
others. (The unix/linux users and groups were the same on all servers
thanks to NIS, now being replaced with LDAP.)
We don't need a domain for this system. The PCs used are currently not
in a domain at all, the Linux PCs will not, the Macs like not, and there
are even some Windows Home PCs that cannot join a domain. The Samba
servers are just for providing file shares in a way Windows recognizes.
We don't want it to be possible to make users or change password locally
on the samba servers, all that should be done in the LDAP Account
Manager (It can update linux and samba password at the same time.)
I haven't concluded yet, if this is how to do it, but it seems it is a
possible way of doing it.
More information about the samba