[Samba] Classic Upgrade changes domain SID

Andrew Bartlett abartlet at samba.org
Tue Aug 29 00:31:32 UTC 2023 

On Mon, 2023-08-28 at 23:46 +0200, Peter Koch via samba wrote:
> Hi Andrew and Roland,
> 
> I spent some hours today to debug the problem by
> adding lots of printf-statements into the samba4
> source.
> 
> Here are my findings:
> - upgrade.py calls passdb.get_global_sam_sid()
> - get_global_sam_sid() calls pdb_generate_sam_sid()
> - pdb_generate_sam_sid() calls secrets_fetch_domain_sid()
> - secrets_fetch_domain_sid() calls secrets_fetch()
> - secrets_fetch() calls dbwrap_fetch()
> - dbwrap_fetch() reads the correct file and returns
>    exactly the binary string that tdbdump displays
> 
> At this point I was really astonished: Everything works
> as expected but the resulting domain SID nevertheless is
> wrong. And then I realized the reason:
> 
> My old secrets.tdb file contains the following SID-data:
> 01040000:00000005:00000015:545BFAD5:92AC2583:A49AEB0A
> 0x00000015=21, 0x545BFAD5=1415314133
> 0x15000000=352321536, 0xD5FA5B54=3589954388
> 
> My old samba3-server is a Sun Sparc machine with
> MSB byte order while my new samba4-server is an
> Intel machine with LSB byte order.
> 
> S-1-5-21-1415314133-2460755331-2761616138 and
> S-1-5-352321536-3589954388-2200284306-183212708
> are the same SIDs, just the byte ordering of the last
> 4 numbers was reversed.

Interesting.  I had assumed (not reading closely enough) that you were
running the commands on the same server.

Presumably the 'wrong' side was what did 'net getdomainsid' showed when
run on the new server?

> Now my concern is that not only secrets.tdb contains
> machine dependent data, but other tdb-files do as well.

The main passdb.tdb is packed with tdb_pack(), so should be safer.  The
upgrade also upgrades the group mapping, but that is the same.  

Thankfully most of the rest of secrets.tdb we just ignore, as there is
a lot of direct memory copies in that handler. 

> I will fix the secrets.tdb file with a hex-editor and let
> you know what happens.

You can also force the SID on the new server with 'net setdomainsid'.

All the best with the upgrade!

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

More information about the samba mailing list