
[Samba] Change user SID on Samba 4.1


Daniel Carrasco Marín

Apr 28, 2015, 5:29:52 AM
Hi, Is there any way to change the SID of a user on Samba 4.1? I've tried:

pdbedit -U newSID -u user
pdbedit -u user -U newSID
pdbedit --'user SID'=newSID -u user

but it shows the user info without changing anything.

Thanks!!

Andrew Bartlett

Apr 28, 2015, 7:33:46 AM
On Tue, 2015-04-28 at 11:27 +0200, Daniel Carrasco Marín wrote:
> Hi, Is there any way to change the SID of a user on Samba 4.1? I've tried:
>
> pdbedit -U newSID -u user
> pdbedit -u user -U newSID
> pdbedit --'user SID'=newSID -u user
>
> but it shows the user info without changing anything.

Changing a user's SID is a really bad idea, so in the AD DC (at least)
it is made quite difficult.

In particular, it is critical that it remain unique, and be removed from
the RID pool. When we do a classicupgrade, we take care to ensure all
RID pools start above the users we import. That is really the only time
it is safe to force a RID.

Why do you need to change it?

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Daniel Carrasco Marín

Apr 28, 2015, 7:41:41 AM
I had troubles with classicupgrade and Linux machines, and I'm creating a
new AD (for now it works perfectly). I want to keep the same SID of the old AD
to avoid moving all users' profiles.

Greetings!!

Rowland Penny

Apr 28, 2015, 8:00:43 AM

Never used it myself, but there is the provision option
'--domain-sid=SID'. I assume that you can use this to set the domain
SID when you provision a new domain.

Rowland

Daniel Carrasco Marín

Apr 28, 2015, 10:42:51 AM
Thanks!! But I don't know how that can help me, because I'm planning to
change the domain, so the domain SID must be different. Anyway, it is not
hard, I only have to move the user profile on domain change, but of course
it is faster if I don't need to do it.

Greetings!!

Marc Muehlfeld

Apr 28, 2015, 12:13:04 PM
On 28.04.2015 at 13:58, Rowland Penny wrote:
> Never used it myself, but there is the provision option
> '--domain-sid=SID' . I assume that you can use this to set the domain
> SID when you provision a new domain.


This won't help, because it just keeps the domain SID and users still
get new RIDs, which makes them different, if they are linked
somewhere. And keeping the RIDs still requires keeping them out of the
RID pool. See Andrew's mail.


Regards,
Marc
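
An added illustration, not part of the thread and not Samba code, of the two points made above by Andrew Bartlett (a forced RID must stay unique and out of the RID pool) and Marc Muehlfeld (keeping the domain SID still leaves users with new RIDs). The function names, the `pool_start` parameter and all SIDs are constructed for the example.

```python
import re
from collections import Counter

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split an account SID into (domain_sid, rid)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))

def audit_forced_sids(sids, domain_sid, pool_start):
    """Return sorted (user, problem) pairs for SIDs that are unsafe to force.

    pool_start is the lowest RID the new domain may still allocate
    (hypothetical parameter; assumed to be known to the admin)."""
    problems, rids = [], {}
    for user, sid in sids.items():
        dom, rid = split_sid(sid)
        if dom != domain_sid:
            problems.append((user, "different domain SID"))
        else:
            rids[user] = rid
            if rid >= pool_start:
                problems.append((user, "RID inside allocatable pool"))
    dupes = {r for r, n in Counter(rids.values()).items() if n > 1}
    problems += [(u, "duplicate RID") for u, r in rids.items() if r in dupes]
    return sorted(problems)

def rid_drift(old, new):
    """Users in both domains whose domain SID matches but whose RID differs."""
    drift = []
    for user in sorted(old.keys() & new.keys()):
        (od, orid), (nd, nrid) = split_sid(old[user]), split_sid(new[user])
        if od == nd and orid != nrid:
            drift.append((user, orid, nrid))
    return drift

# Constructed sample data: not taken from the thread.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OLD = {"alice": DOMAIN + "-1001", "bob": DOMAIN + "-1002",
       "carol": DOMAIN + "-1002", "dave": DOMAIN + "-3005"}
NEW = {"alice": DOMAIN + "-1103", "bob": DOMAIN + "-1002"}

if __name__ == "__main__":
    print(audit_forced_sids(OLD, DOMAIN, pool_start=3000))
    print(rid_drift(OLD, NEW))
```

A non-empty `rid_drift` result is the case Marc describes: the domain part of the SID is preserved, yet anything that stored the old full SID (profiles, ACLs) no longer matches the user.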

Rowland Penny

Apr 28, 2015, 12:52:43 PM
On 28/04/15 17:11, Marc Muehlfeld wrote:
> On 28.04.2015 at 13:58, Rowland Penny wrote:
>> Never used it myself, but there is the provision option
>> '--domain-sid=SID' . I assume that you can use this to set the domain
>> SID when you provision a new domain.
>
>
> This won't help, because it just keeps the domain SID and users still
> get new RIDs, which makes them different, if they are linked
> somewhere. And keeping the RIDs still requires keeping them out of the
> RID pool. See Andrew's mail.
>
>
> Regards,
> Marc

Thanks for clarifying that, Marc.

Rowland

Andrey Repin

Apr 28, 2015, 3:52:09 PM
Greetings, Daniel Carrasco Marín!

>>> Hi, Is there any way to change the SID of a user on Samba 4.1? I've
>>> tried:
>>>
>>> pdbedit -U newSID -u user
>>> pdbedit -u user -U newSID
>>> pdbedit --'user SID'=newSID -u user
>>>
>>> but it shows the user info without changing anything.
>>
>> Changing a user's SID is a really bad idea, so in the AD DC (at least)
>> it is made quite difficult.

> I had troubles with classicupgrade and Linux machines, and I'm creating a
> new AD (for now it works perfectly). I want to keep the same SID of the old AD
> to avoid moving all users' profiles.

If you could instead explain what kind of troubles you've had with the upgrade?
So far, I haven't seen anything that couldn't be solved with a little thinking
and a good deal of creativity.

P.S.
I would also appreciate it if you didn't top-post.
Putting the answer above the question makes messages unnecessarily hard to read and
understand.


--
With best regards,
Andrey Repin
Tuesday, April 28, 2015 22:33:57

Sorry for my terrible English...

Daniel Carrasco Marín

Apr 28, 2015, 4:02:04 PM


Sorry, my Gmail is configured to top-post by default.

My problem with upgrades was with member servers. The upgrade process was
fine and I can join the AD with any Windows machine, but when I try to join
that AD with a Linux machine then it fails. I've created a new AD with the same
versions and configurations and I can join that AD with the same servers that
fail with the upgraded AD.

Greetings!!

Marc Muehlfeld

Apr 28, 2015, 4:27:10 PM
Hello Daniel,

On 28.04.2015 at 21:58, Daniel Carrasco Marín wrote:
> My problem with upgrades was with member servers. The upgrade process was
> fine and I can join the AD with any Windows machine, but when I try to join
> that AD with a Linux machine then it fails. I've created a new AD with the same
> versions and configurations and I can join that AD with the same servers that
> fail with the upgraded AD.


How do you join the Linux machines? And what was the problem/error?


Regards,
Marc

Daniel Carrasco Marín

Apr 28, 2015, 4:39:09 PM
2015-04-28 22:25 GMT+02:00 Marc Muehlfeld <mmueh...@samba.org>:

> Hello Daniel,
>
> On 28.04.2015 at 21:58, Daniel Carrasco Marín wrote:
>
>> My problem with upgrades was with member servers. The upgrade process was
>> fine and I can join the AD with any Windows machine, but when I try to
>> join
>> that AD with a Linux machine then it fails. I've created a new AD with
>> same
>> versions and configurations and I can join that AD with same servers that
>> fails with upgraded AD.
>>
>
>
> How do you join the Linux machines? And what was the problem/error?
>
>
> Regards,
> Marc
>
>

I don't know if you have some mails from the list called "I can't join the new
AD server with Samba4". Here's where I explain my problem.

Greetings!!

Steve Ankeny

Apr 28, 2015, 5:05:18 PM
On 04/28/2015 04:37 PM, Daniel Carrasco Marín wrote:
> 2015-04-28 22:25 GMT+02:00 Marc Muehlfeld <mmueh...@samba.org>:
>
>> Hello Daniel,
>>
>> On 28.04.2015 at 21:58, Daniel Carrasco Marín wrote:
>>
>>> My problem with upgrades was with member servers. The upgrade process was
>>> fine and I can join the AD with any Windows machine, but when I try to
>>> join
>>> that AD with a Linux machine then it fails. I've created a new AD with
>>> same
>>> versions and configurations and I can join that AD with same servers that
>>> fails with upgraded AD.
>>>
>>
>> How do you join the Linux machines? And what was the problem/error?
>>
>>
>> Regards,
>> Marc
>>
>>
> I don't know if you have some mails from list called "I can't join the new
> AD server with Samba4". Here's where i explain my problem.
>
> Greetings!!

Looks like the thread starts here --

https://lists.samba.org/archive/samba/2015-April/191269.html

Andrey Repin

Apr 28, 2015, 5:07:23 PM
Greetings, Daniel Carrasco Marín!

> My problem with upgrades was with member servers. The upgrade process was
> fine and I can join the AD with any Windows machine, but when I try to join
> that AD with a Linux machine then it fails. I've created a new AD with the same
> versions and configurations and I can join that AD with the same servers that
> fail with the upgraded AD.

Now, that is not a problem at all as far as problems go.
Please make sure you followed instructions in
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server and that your
Samba and Kerberos client configuration on a member server is correct.
Post contents of /etc/krb5.conf and the results of `samba-tool testparm` if
you did not manage to join the domain despite all your attempts.


--
With best regards,
Andrey Repin
Tuesday, April 28, 2015 23:31:56

Sorry for my terrible English...

Rowland Penny

Apr 28, 2015, 5:23:16 PM
On 28/04/15 22:03, Steve Ankeny wrote:
> On 04/28/2015 04:37 PM, Daniel Carrasco Marín wrote:
>> 2015-04-28 22:25 GMT+02:00 Marc Muehlfeld <mmueh...@samba.org>:
>>
>>> Hello Daniel,
>>>
>>> On 28.04.2015 at 21:58, Daniel Carrasco Marín wrote:
>>>
>>>> My problem with upgrades was with member servers. The upgrade
>>>> process was
>>>> fine and I can join the AD with any Windows machine, but when I try to
>>>> join
>>>> that AD with a Linux machine then it fails. I've created a new AD with
>>>> same
>>>> versions and configurations and I can join that AD with same
>>>> servers that
>>>> fails with upgraded AD.
>>>>
>>>
>>> How do you join the Linux machines? And what was the problem/error?
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>>
>> I don't know if you have some mails from list called "I can't join
>> the new
>> AD server with Samba4". Here's where i explain my problem.
>>
>> Greetings!!
> Looks like the thread starts here --
>
> https://lists.samba.org/archive/samba/2015-April/191269.html
>
>

It actually starts a couple of posts earlier, but you can ignore them,
the OP posted wrong info. Everything seemed to be OK, but he says that
he cannot join a member server to the domain, for what appears to be an
authentication problem for Administrator.

See if you can see anything I missed, or suggest anything else the OP
can try.

Rowland

Andrey Repin

Apr 28, 2015, 6:22:05 PM
Greetings, Rowland Penny!

>> Looks like the thread starts here --
>>
>> https://lists.samba.org/archive/samba/2015-April/191269.html
>>
>>

> It actually starts a couple of posts earlier, but you can ignore them,
> the OP posted wrong info. Everything seemed to be OK, but he says that
> he cannot join a member server to the domain, for what appears to be an
> authentication problem for Administrator.

If that is indeed a problem, I would suggest trying another member of
'Domain Admins' group.

> See if you can see anything I missed, or suggest anything else the OP
> can try.


--
With best regards,
Andrey Repin
Wednesday, April 29, 2015 01:10:42

Sorry for my terrible English...

Daniel Carrasco Marín

Apr 28, 2015, 6:40:20 PM
2015-04-29 0:11 GMT+02:00 Andrey Repin <anrd...@yandex.ru>:

> Greetings, Rowland Penny!
>
> >> Looks like the thread starts here --
> >>
> >> https://lists.samba.org/archive/samba/2015-April/191269.html
> >>
> >>
>
> > It actually starts a couple of posts earlier, but you can ignore them,
> > the OP posted wrong info. Everything seemed to be OK, but he says that
> > he cannot join a member server to the domain, for what appears to be an
> > authentication problem for Administrator.
>
> If that is indeed a problem, I would suggest trying another member of
> 'Domain Admins' group.
>

Tried, but it fails too.
Tomorrow I will try to migrate the old domain again. Maybe I'll try to
compile the latest version or SerNet packages instead of the 4.1 of Wheezy
Backports.

Greetings!!

Daniel Carrasco Marín

Apr 29, 2015, 8:07:48 AM
2015-04-29 0:38 GMT+02:00 Daniel Carrasco Marín <danielm...@gmail.com>:

>
>
> 2015-04-29 0:11 GMT+02:00 Andrey Repin <anrd...@yandex.ru>:
>
>> Greetings, Rowland Penny!
>>
>> >> Looks like the thread starts here --
>> >>
>> >> https://lists.samba.org/archive/samba/2015-April/191269.html
>> >>
>> >>
>>
>> > It actually starts a couple of posts earlier, but you can ignore them,
>> > the OP posted wrong info. Everything seemed to be OK, but he says that
>> > he cannot join a member server to the domain, for what appears to be an
>> > authentication problem for Administrator.
>>
>> If that is indeed a problem, I would suggest trying another member of
>> 'Domain Admins' group.
>>
>
> Tried, but it fails too.
> Tomorrow I will try to migrate the old domain again. Maybe I'll try to
> compile the latest version or SerNet packages instead of the 4.1 of Wheezy
> Backports.
>
> Greetings!!
>

Impossible... I've tried with SerNet packages and compiling the latest
version from git and I can't make it work. I've followed the full upgrade
manual from the wiki two times and in both versions I've got an error
"NT_STATUS_OBJECT_NAME_NOT_FOUND" when I try to run the "smbclient -L
localhost -U%" command to check if it works (at least with Wheezy Backports
v4.1 this works). Finally, I prefer to stay with the new working domain
instead of continuing to try to upgrade the old domain. Maybe it is damaged or has some
wrong configuration and the best way is to create a new clean domain.

Thanks anyway for your help.

Andrew Bartlett

May 1, 2015, 6:14:42 AM

There really isn't much difference between a 'new' domain and your old
domain. That is, what we do at the start of the classicupgrade is
provision a new domain, with the correct name and SID, then add the
users. So I really think you should try and understand what the issue
actually is. You will need to post the logs, level 10 if need be, of
the server, and the client, to get any useful assistance.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Daniel Carrasco Marín

May 1, 2015, 6:29:48 AM
Thanks for your help, but actually I have the new domain working with all
users/groups, some GPOs and some services linked to that AD, and I don't
want to change everything again. I can even migrate the user computers gradually
because the actual services work with the new domain without changing anything.

Thanks again and greetings!!
