[Samba] Invalid SID after upgrade to Samba 4.1

Rowland Penny rowlandpenny241155 at gmail.com
Tue Nov 10 20:56:40 UTC 2015

On 10/11/15 19:57, Mark Burkley wrote:
> Hi folks,
> We just had a problem with our samba server here in the office. I
> upgraded our file server from Debian wheezy (samba 3.6) to Debian jessie
> (samba 4.1) but this broke Samba and I struggled for a day or so to
> figure out why.  Searching for answers online found lots of cases of
> similar problems but nothing jumping out as a relevant solution.
> This is my global config section
> [global]
>    workgroup = WORKGROUP
>    realm = emutex.com
>    server string = Server
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    server role = standalone server
>    security = user
>    passdb backend = ldapsam:ldap://ldap.....com/
>    obey pam restrictions = No
>    ldap admin dn = cn=samba,ou=DSA,dc=emutex,dc=com
>    ldap suffix = dc=emutex, dc=com
>    ldap group suffix = ou=groups
>    ldap user suffix = ou=users
>    ldap machine suffix = ou=machines
>    ldap idmap suffix = ou=users
>    ldap ssl = no
>    log level = 3
>    interfaces = eth0
>    syslog = 0
>    server string = %h server
>    panic action = /usr/share/samba/panic-action %d
>    encrypt passwords = true
>    follow symlinks = yes
>    wide links = yes
>    unix extensions = no
>    map to guest = bad user
> I have a file server that uses NFS and samba to serve files to both *nix
> and Windows users.  I have another server running OpenLDAP and Kerberos
> for authentication.  Samba uses ldapsam as the backend and this has
> worked fine for several years.  But after the upgrade, I was getting an
> error from "pdbedit -L" saying "SID S-xxxx does not belong to our
> domain".  The domain has not changed, nor has the hostname of the server.
> I examined the LDAP database and found two entries
> "sambaDomainName=WORKGROUP" and "sambaDomainName=SERVER".  The SID in
> the entry for "WORKGROUP" matched the SID in the user entries but the
> SID in the entry for SERVER was new.  I tried using "net setlocalsid"
> but this didn't change anything so I copied the SID from entry WORKGROUP
> to entry SERVER and deleted the entry for WORKGROUP.  After that,
> everything worked fine as before.
> So it seems to me the meaning of "domain" has changed and Samba is now
> using the hostname entry as the source of the SID instead of the
> workgroup name?  So that after upgrading from samba 3 to samba 4, users
> who have an LDAP backend need to manually edit the sambaDomainName
> entries in their database.
> I'd appreciate if someone more knowledgeable about Samba and LDAP
> backends could confirm this and verify that my fix is reasonable and
> safe and so on.  Apologies if this is documented somewhere already, but
> if it is I couldn't find it.
> Many thanks,
> Mark
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

You are using 'realm = emutex.com'; this may be your problem. You only 
use this on a DC or an ADS domain member.

If this is a standalone server, then it is not a part of a domain, 
though it could be a machine in a workgroup.
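The check Mark asked for, as an added example that is not part of this thread or of Samba's own tooling: a small Python audit of an LDIF dump of the ldapsam tree. It lists the sambaDomain entries, picks the one Samba consults (Mark observed that after the upgrade this was the entry named after the server, so the NetBIOS name is passed in as an assumption), flags any other sambaDomain entry carrying a different SID, and reports every account whose sambaSID or sambaPrimaryGroupSID does not sit under that domain SID, which is the condition behind the "does not belong to our domain" message from pdbedit. The LDIF below is constructed to mirror the situation in the post (two domain entries, users carrying the older SID); the ldapsearch command in the docstring, the base DN and the names WORKGROUP/SERVER are assumptions taken from the post. fix_ldif() writes the ldapmodify input for the repair Mark applied; compare its output with `net getlocalsid` before running it.

```python
"""Audit a Samba ldapsam directory dump for SID/domain mismatches.

Added example, not part of the mailing-list thread or of Samba itself.
It parses an LDIF dump, assumed to have been produced by something like
  ldapsearch -x -LLL -b dc=emutex,dc=com \
    '(|(objectClass=sambaDomain)(objectClass=sambaSamAccount))' \
    sambaDomainName sambaSID sambaPrimaryGroupSID
and reports the domain SID Samba consults, stale domain entries with a
different SID, and accounts whose SIDs are not under the consulted SID.
"""
import base64
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample mirroring the post: a WORKGROUP entry holding the
# pre-upgrade SID, a new SERVER entry with a fresh SID, users on the old SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=WORKGROUP,dc=emutex,dc=com
objectClass: sambaDomain
sambaDomainName: WORKGROUP
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=SERVER,dc=emutex,dc=com
objectClass: sambaDomain
sambaDomainName: SERVER
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=mark,ou=users,dc=emutex,dc=com
objectClass: sambaSamAccount
uid: mark
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=alice,ou=users,dc=emutex,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, ' ' continuation
    lines, 'attr:: value' for base64. Attribute names are lower-cased."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold continuations
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def sid_prefix(sid):
    """Domain part of an account SID: everything before the trailing RID."""
    return sid.rsplit("-", 1)[0]


def has_class(entry, cls):
    return cls.lower() in (c.lower() for c in entry.get("objectclass", []))


def audit(ldif_text, netbios_name):
    """Return the consulted domain SID, other sambaDomain entries with a
    different SID, and (dn, attribute, sid) for every account SID outside it."""
    entries = parse_ldif(ldif_text)
    domains = {e["sambadomainname"][0].upper(): e["sambasid"][0]
               for e in entries if has_class(e, "sambaDomain")}
    wanted = netbios_name.upper()
    if wanted not in domains:
        raise LookupError(f"no sambaDomainName={wanted} entry; Samba would create one")
    domain_sid = domains[wanted]
    stale = {n: s for n, s in domains.items() if n != wanted and s != domain_sid}
    mismatches = []
    for e in entries:
        if not has_class(e, "sambaSamAccount"):
            continue
        for attr in ("sambasid", "sambaprimarygroupsid"):
            for sid in e.get(attr, []):
                if not SID_RE.match(sid) or sid_prefix(sid) != domain_sid:
                    mismatches.append((e["dn"][0], attr, sid))
    return {"domain_sid": domain_sid, "stale_domains": stale, "mismatches": mismatches}


def fix_ldif(netbios_name, base_dn, correct_sid, stale_name=None):
    """ldapmodify input for the repair from the thread: give the entry Samba
    consults the SID the accounts already carry, optionally delete the stale
    entry. Back up the directory and review the output before applying."""
    out = [f"dn: sambaDomainName={netbios_name},{base_dn}", "changetype: modify",
           "replace: sambaSID", f"sambaSID: {correct_sid}", ""]
    if stale_name:
        out += [f"dn: sambaDomainName={stale_name},{base_dn}", "changetype: delete", ""]
    return "\n".join(out)


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF, "SERVER")
    print("domain SID:", report["domain_sid"])
    print("stale domain entries:", report["stale_domains"])
    for dn, attr, sid in report["mismatches"]:
        print(f"MISMATCH {dn} {attr}={sid}")
    print(fix_ldif("SERVER", "dc=emutex,dc=com",
                   report["stale_domains"]["WORKGROUP"], "WORKGROUP"))
```

Run it against a real dump with `audit(open("dump.ldif").read(), "SERVER")`; an empty mismatch list is the state pdbedit -L expects. One caveat before deleting the old sambaDomain entry: the sambaDomain object class also carries RID-allocation state (sambaNextRid and related attributes), and if the old entry holds a higher counter than the new one, carry that value across as well, otherwise newly created accounts may be handed RIDs that existing accounts already use.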

