[Samba] Invalid SID after upgrade to Samba 4.1

Mark Burkley mark at emutex.com
Tue Nov 10 19:57:41 UTC 2015

Hi folks,

We just had a problem with our samba server here in the office.  I
upgraded our file server from Debian wheezy (samba 3.6) to Debian jessie
(samba 4.1) but this broke Samba and I struggled for a day or so to
figure out why.  Searching for answers online found lots of cases of
similar problems but nothing jumping out as a relevant solution.

This is my global config section

    workgroup = WORKGROUP
    realm = emutex.com
    server string = Server
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    server role = standalone server
    security = user
    passdb backend = ldapsam:ldap://ldap.....com/
    obey pam restrictions = No
    ldap admin dn = cn=samba,ou=DSA,dc=emutex,dc=com
    ldap suffix = dc=emutex, dc=com
    ldap group suffix = ou=groups
    ldap user suffix = ou=users
    ldap machine suffix = ou=machines
    ldap idmap suffix = ou=users
    ldap ssl = no
    log level = 3
    interfaces = eth0
    syslog = 0
    server string = %h server
    panic action = /usr/share/samba/panic-action %d
    encrypt passwords = true
    follow symlinks = yes
    wide links = yes
    unix extensions = no
    map to guest = bad user

I have a file server that uses NFS and samba to serve files to both *nix
and Windows users.  I have another server running OpenLDAP and Kerberos
for authentication.  Samba uses ldapsam as the backend and this has
worked fine for several years.  But after the upgrade, I was getting an
error from "pdbedit -L" saying "SID S-xxxx does not belong to our
domain".  The domain has not changed, nor has the hostname of the server.

I examined the LDAP database and found two entries
"sambaDomainName=WORKGROUP" and "sambaDomainName=SERVER".  The SID in
the entry for "WORKGROUP" matched the SID in the user entries but the
SID in the entry for SERVER was new.  I tried using "net setlocalsid"
but this didn't change anything so I copied the SID from entry WORKGROUP
to entry SERVER and deleted the entry for WORKGROUP.  After that,
everything worked fine as before.

So it seems to me the meaning of "domain" has changed and Samba is now
using the hostname entry as the source of the SID instead of the
workgroup name?  So that after upgrading from samba 3 to samba 4, users
who have an LDAP backend need to manually edit the sambaDomainName
entries in their database.

I'd appreciate it if someone more knowledgeable about Samba and LDAP
backends could confirm this and verify that my fix is reasonable and
safe and so on.  Apologies if this is documented somewhere already, but
if it is I couldn't find it.

Many thanks,


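The symptom described in the post ("SID S-xxxx does not belong to our domain") is a mismatch between the domain part of the users' sambaSID values and the sambaSID of whichever sambaDomainName entry Samba consults. The script below is an added illustration, not code from the original post or from the Samba project: it parses LDIF of the kind `ldapsearch -LLL` prints, groups users under the sambaDomainName entry whose SID prefix they carry, and lists the users that would be rejected if Samba reads a given entry (the poster observed that 4.1 used the entry named after the server rather than the workgroup, so that name is passed in as a parameter rather than assumed). The LDIF, SIDs, base DN and user names are constructed sample data; against a real directory you would feed it the output of a search for objectClass sambaDomain and sambaSamAccount. The `changetype: modify` LDIF it emits is only a draft of the SID copy the poster did by hand, for review before applying.

```python
"""Consistency check between sambaDomainName entries and user SIDs in an
ldapsam backend.  Added example; sample data below is constructed."""

# Constructed LDIF (hypothetical SIDs, names and base DN), shaped like the
# output of `ldapsearch -x -LLL` on a sambaDomain / sambaSamAccount query.
SAMPLE_LDIF = """\
dn: sambaDomainName=WORKGROUP,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: WORKGROUP
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: sambaDomainName=SERVER,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: SERVER
sambaSID: S-1-5-21-444444444-555555555-666666666

dn: uid=alice,ou=users,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-111111111-222222222-333333333-1000

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-111111111-222222222-333333333-1002
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one
    'attr: value' per line, folded lines (leading space) joined back.
    Base64 ('::') values are not decoded; not needed for SIDs or names."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:  # continuation of previous value
            current[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def domain_sid_of(user_sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-1000 -> S-1-5-21-a-b-c."""
    return user_sid.rsplit("-", 1)[0]


def split_entries(entries):
    """Return ({domain name: domain SID}, [(uid, user SID), ...])."""
    domains = {e["sambaDomainName"][0]: e["sambaSID"][0]
               for e in entries if "sambaDomain" in e.get("objectClass", [])}
    users = [(e["uid"][0], e["sambaSID"][0])
             for e in entries if "sambaSamAccount" in e.get("objectClass", [])]
    return domains, users


def check_domains(text):
    """Map each sambaDomainName entry to the users carrying its SID prefix,
    plus the users whose prefix matches no domain entry at all."""
    domains, users = split_entries(parse_ldif(text))
    report = {name: [u for u, s in users if domain_sid_of(s) == dsid]
              for name, dsid in domains.items()}
    orphans = [u for u, s in users if domain_sid_of(s) not in domains.values()]
    return report, orphans


def rejected_by(text, active_domain):
    """Users pdbedit would flag as 'not in our domain' if Samba reads the
    SID from the sambaDomainName entry called active_domain."""
    domains, users = split_entries(parse_ldif(text))
    active_sid = domains[active_domain]
    return [u for u, s in users if domain_sid_of(s) != active_sid]


def sid_copy_ldif(text, from_domain, to_domain):
    """Draft an LDIF modify that gives to_domain the SID of from_domain
    (the manual fix the poster applied), for review before ldapmodify."""
    entries = parse_ldif(text)
    by_name = {e["sambaDomainName"][0]: e for e in entries
               if "sambaDomain" in e.get("objectClass", [])}
    new_sid = by_name[from_domain]["sambaSID"][0]
    return (f"dn: {by_name[to_domain]['dn'][0]}\n"
            "changetype: modify\nreplace: sambaSID\n"
            f"sambaSID: {new_sid}\n")


if __name__ == "__main__":
    report, orphans = check_domains(SAMPLE_LDIF)
    for name, members in report.items():
        print(f"{name}: {len(members)} user(s) carry this SID prefix")
    print("rejected if SERVER entry is used:", rejected_by(SAMPLE_LDIF, "SERVER"))
    print(sid_copy_ldif(SAMPLE_LDIF, "WORKGROUP", "SERVER"))
```

Run it on real output after the upgrade but before trusting `pdbedit -L`: if every user lands under one entry and the entry Samba now reads is the empty one, the fix is a SID copy onto that entry, not a change to the users.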