[Samba] Yet another "Can I change user's SID" question

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jan 28 15:48:18 MST 2015

On 01/28/15 17:08, George wrote:
> Good evening team,
> I have read lots of topics and posts explaining why you *shouldn't*
> manually change a user's SID on the databases, and I agree with the
> "phylosophical" reasons behind it, let's say.
> Now, what happens if besides all the warnings you still do it?? What else
> might break, considering that we are careful enough to not enter a
> duplicate, or obvious errors? I understand that ldbedit does not even let
> you do it, but that can be easily "tweaked" on the source code.
> The reason behind this question is the usual "accidentally deleted user".
> In this case it was no big deal, a new user was created and profiles
> migrated, but what would have happened if a new user was created and then
> assigned the SID of the previous user? I tried this on a lab machine with a
> "tweaked" ldbedit and nothing seems to break (or at least not as badly so
> as to realize in 5 minutes of testing). This is Samba 4.1.x DC with no
> replication.
> Best regards!
> George

I would guess you run the risk that the new user may get file access , 
or group membership, or computer priveldegesthat the old user had, that 
the new user should not.

I am also guessing  that samba somewhere keeps a counter of "last SID 
assigned" -  which means that you could allocate a SID that samba thinks 
is available for a future user.

More information about the samba mailing list