hello simo,
what is the intention of net setdomainsid?
why would i set a domain sid on a member?
thx!
micha
simo wrote:
> On Thu, 2006-08-17 at 14:20 +0200, Marcus Haarmann wrote:
> > Hi Andre,
> >
> > The machine was off-network for two days only.
> > The problem is not machine based, but server based. The server SID has
> > definitely changed since the user was created (and the machine joined the
> > domain).
> > I found out in the meantime that the user's SID contains the domain SID (this
> > can be retrieved in registry under HKEY_USERS, strip the last two bytes and
> > you have the domain SID), where it was created with. Unfortunately, there is
> > no simple way setting it in samba (like net setsid ... for domain SID, only
> > the PDC sid can be set). I have done this using a hex editor, patching
> > secrets.tdb (SID of PDC and Domain, these are identical, at our site).
> > So, the problem is half-way solved.
>
> The 'net' command provides the setlocalsid and setdomainsid functions
> for setting the SIDs, there is no need to use hex editors. (setdomainsid
> may be available on 3.0.23 only)
>
> > The server now has the old sid again, which was presumably changed more than
> > half a year ago (modification time of secrets.tdb was December 2005). I
>
> I remember there is some kernel bug on some versions of the kernel, that
> do not update the mtime when the file is mmapped, it may have changed
> just recently (and is probably so, as you would have had problems much
> earlier otherwise).
>
> > cannot say why the entrustment from this special machine has been broken,
> > but now I am able to log on to the domain as any user on all machines again.
> > (which have joined the domain before the SID change).
> > The only thing is that we added one machine after the modification of the
> > Domain-SID, we have to see how this machine behaves. I am now trying to
> > reactivate the old profile of the user who was not able to log in.
> > For the machine which joined the domain after the SID change, we might have
> > to rejoin the machine to the domain, unless anybody can tell me how this
> > trustment can be reassigned without a profile change ...
>
> you can use the 'profiles' tool to change all the SIDs in the user
> profile file (NTUSER.DAT)
>
> Simo.
--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
49 (0)341 - 3550 374
Fax: 49 (0)341 - 3550 399
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
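
The relationship the thread relies on (a domain account SID is the domain SID plus a trailing RID), as an added example that is not part of the original messages: it decodes a binary SID in the standard Windows layout, drops the final sub-authority to get the domain SID, and lists account SIDs that no longer match the server's current domain SID. The function names and all SID values are constructed for illustration.

```python
import struct

def parse_binary_sid(blob: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit
    big-endian authority, then 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID header")
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def split_account_sid(sid: str):
    """Return (domain_sid, rid) for an account SID S-1-5-21-a-b-c-rid."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: " + sid)
    if not all(p.isdigit() for p in parts[4:]):
        raise ValueError("non-numeric sub-authority in " + sid)
    return "-".join(parts[:-1]), int(parts[-1])

def find_mismatched(account_sids, current_domain_sid):
    """Account SIDs whose domain part is not the server's current domain SID."""
    return [s for s in account_sids
            if split_account_sid(s)[0] != current_domain_sid]

# Constructed sample values, not taken from the thread.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"
SAMPLE_BLOB = (bytes([1, 5]) + (5).to_bytes(6, "big")
               + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1001))

if __name__ == "__main__":
    user_sid = parse_binary_sid(SAMPLE_BLOB)
    print(user_sid, "->", split_account_sid(user_sid))
    profiles = [user_sid, NEW_DOMAIN + "-1002"]
    for sid in find_mismatched(profiles, NEW_DOMAIN):
        print("profile SID from a different domain SID:", sid)
```

Any SID this reports belongs to an account created under a different domain SID, which is the situation where the server's SID has to be restored or the profile's SIDs rewritten.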