[Samba] How can I change the localSID for a SAMBA Server?

Tetra terjet-list at funcom.com
Wed Dec 16 00:35:01 UTC 2015

On 15.12.2015 23:40, Rowland penny wrote:
> The problem is that the machine is supposed to be a standalone server
> and how can it be one, if it has the same SID as another machine, or am
> I missing something?Surely, if it does have the same SID, you are
> talking a basic domain.

No, if it is a standalone server, it doesn't really care about what SID 
itself has (localsid), but the test I did showed that it did care about 
what SID a user had. ...

> As long as the computer can get the users details from ldap and the
> underlying OS can see this info, it shouldn't make any difference what
> its SID is i.e. as long as 'getent passwd <a user in ldap>' returns the
> required info.

If the server has a sid of S-1-5-21-x-y-z the user must have a SID + rid 
(relative id) that matches, e.g. S-1-5-21-x-y-z-1000. If not I couldn't 
log on to the share. So I decided on an easy to remember SID and a 
generic domain name of SAMBA and added all users to LDAP with this as 
sambaSID and sambaDomainName (using the tool LDAP Account Manager Pro 
from Roland Gruber). When I then add all servers with same SID, I manage 
to log on to the fileshares.

This was for testing how I in a simple way could replace a system with 
standalone servers with a smbpasswd file where all the users were 
created on one of them, then the smbpasswd file was rsynced to the 
others. (The unix/linux users and groups were the same on all servers 
thanks to NIS, now being replaced with LDAP.)

We don't need a domain for this system. The PCs used are currently not 
in a domain at all, the Linux PCs will not, the Macs like not, and there 
are even some Windows Home PCs that cannot join a domain. The Samba 
servers are just for providing file shares in a way Windows recognizes. 
We don't want it to be possible to make users or change password locally 
on the samba servers, all that should be done in the LDAP Account 
Manager (It can update linux and samba password at the same time.)

I haven't concluded yet, if this is how to do it, but it seems it is a 
possible way of doing it.

More information about the samba mailing list