[Samba] How can I change the localSID for a SAMBA Server?

Byron Bogaert bbogaert at wikimedia.org
Wed Dec 16 00:46:09 UTC 2015

Hi Tetra,

This is the way we are currently looking at building our SAMBA file server.
The reason why we would like to change the SID on the SAMBA server is so we
do not need to change all the existing entries in ldap to be SID + rid.


*Byron Bogaert*

*IT System Administrator*
Wikimedia Foundation

Imagine a world in which every single human being can freely share in the
sum of all knowledge. Help us make it a reality!

On Tue, Dec 15, 2015 at 4:35 PM, Tetra <terjet-list at funcom.com> wrote:

> On 15.12.2015 23:40, Rowland penny wrote:
>> The problem is that the machine is supposed to be a standalone server
>> and how can it be one, if it has the same SID as another machine, or am
>> I missing something? Surely, if it does have the same SID, you are
>> talking a basic domain.
> No, if it is a standalone server, it doesn't really care about what SID
> itself has (localsid), but the test I did showed that it did care about
> what SID a user had. ...
>> As long as the computer can get the users details from ldap and the
>> underlying OS can see this info, it shouldn't make any difference what
>> its SID is i.e. as long as 'getent passwd <a user in ldap>' returns the
>> required info.
> If the server has a sid of S-1-5-21-x-y-z the user must have a SID + rid
> (relative id) that matches, e.g. S-1-5-21-x-y-z-1000. If not I couldn't log
> on to the share. So I decided on an easy to remember SID and a generic
> domain name of SAMBA and added all users to LDAP with this as sambaSID and
> sambaDomainName (using the tool LDAP Account Manager Pro from Roland
> Gruber). When I then add all servers with same SID, I manage to log on to
> the fileshares.
> This was for testing how I in a simple way could replace a system with
> standalone servers with a smbpasswd file where all the users were created
> on one of them, then the smbpasswd file was rsynced to the others. (The
> unix/linux users and groups were the same on all servers thanks to NIS, now
> being replaced with LDAP.)
> We don't need a domain for this system. The PCs used are currently not in
> a domain at all, the Linux PCs will not, the Macs likely not, and there are
> even some Windows Home PCs that cannot join a domain. The Samba servers are
> just for providing file shares in a way Windows recognizes. We don't want
> it to be possible to make users or change password locally on the samba
> servers, all that should be done in the LDAP Account Manager (It can update
> linux and samba password at the same time.)
> I haven't concluded yet, if this is how to do it, but it seems it is a
> possible way of doing it.
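The rule Tetra describes above (an account only logs on when its sambaSID is the server's local SID with exactly one RID appended) can be audited across the LDAP accounts before a localsid is changed or the entries are synced to other servers. This is an added example, not code from the thread; the entry dicts and SID values are constructed.

```python
import re

# Domain SID (the server's localsid): S-1-5-21 plus three sub-authorities.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
# Account SID: a domain SID with exactly one RID appended.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID, or None if malformed."""
    m = ACCOUNT_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def audit_entries(local_sid, entries):
    """Return (uid, reason) pairs for entries whose sambaSID does not fit
    local_sid; entries are dicts as an LDAP search would return them."""
    if not DOMAIN_SID_RE.match(local_sid):
        raise ValueError("not a domain-style SID: %r" % local_sid)
    problems, seen = [], {}
    for e in entries:
        uid, sid = e.get("uid", "?"), e.get("sambaSID")
        if sid is None:
            problems.append((uid, "missing sambaSID"))
        elif split_sid(sid) is None:
            problems.append((uid, "malformed sambaSID %s" % sid))
        else:
            domain, rid = split_sid(sid)
            if domain != local_sid:
                problems.append((uid, "domain part %s != local SID" % domain))
            elif rid in seen:
                problems.append((uid, "RID %d already used by %s" % (rid, seen[rid])))
            else:
                seen[rid] = uid
    return problems


# Constructed sample entries, not data from the thread.
LOCAL_SID = "S-1-5-21-100-200-300"
SAMPLE_ENTRIES = [
    {"uid": "alice", "sambaSID": "S-1-5-21-100-200-300-1000"},
    {"uid": "bob", "sambaSID": "S-1-5-21-100-200-300-1002"},
    {"uid": "carol", "sambaSID": "S-1-5-21-111-222-333-1004"},  # old server's SID
    {"uid": "dave", "sambaSID": "S-1-5-21-100-200-300-1000"},  # duplicate RID
    {"uid": "erin"},  # no sambaSID at all
]

if __name__ == "__main__":
    for uid, reason in audit_entries(LOCAL_SID, SAMPLE_ENTRIES):
        print("%-6s %s" % (uid, reason))
```

Running it against a real directory means feeding the dicts from an ldapsearch over sambaSamAccount objects; only the three bad entries are reported, so the output is empty when every account already fits the new localsid.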
