Hi,

I could have used this because my original SID was not available any more (so I could not take it from an existing PDC/BDC). Unfortunately I couldn't because I am using 3.0.22 and the feature is new ... So I had to patch the secrets.tdb with a hex editor.

Marcus

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Friday, August 18, 2006 2:50 PM
To: [EMAIL PROTECTED]
Cc: Marcus Haarmann; samba@lists.samba.org
Subject: Re: [Samba] Problem with Domain SID

hello simo,

what is the intention of net setdomainsid? why would i set a domain sid on a member?

thx!
micha

simo wrote:
> On Thu, 2006-08-17 at 14:20 +0200, Marcus Haarmann wrote:
>> Hi Andre,
>>
>> The machine was off-network for two days only.
>> The problem is not machine based, but server based. The server SID
>> has definitely changed since the user was created (and the machine
>> joined the domain).
>> I found out in the meantime that the user's SID contains the domain
>> SID (this can be retrieved in registry under HKEY_USERS, strip the
>> last two bytes and you have the domain SID), where it was created
>> with. Unfortunately, there is no simple way setting it in samba (like
>> net setsid ... for domain SID, only the PDC sid can be set). I have
>> done this using a hex editor, patching secrets.tdb (SID of PDC and
>> Domain, these are identical, at our site).
>> So, the problem is half-way solved.
>
> The 'net' command provides the setlocalsid and setdomainsid functions
> for setting the SIDs, there is no need to use hex editors.
> (setdomainsid may be available on 3.0.23 only)
>
>> The server now has the old sid again, which was presumably changed
>> more than half a year ago (modification time of secrets.tdb was
>> December 2005). I
>
> I remember there is some kernel bug on some versions of the kernel,
> that do not update the mtime when the file is mmapped, it may have
> changed just recently (and is probably so, as you would have had
> problems much earlier otherwise).
>
>> cannot say why the entrustment from this special machine has been
>> broken, but now I am able to log on to the domain as any user on all
>> machines again.
>> (which have joined the domain before the SID change).
>> The only thing is that we added one machine after the modification of
>> the Domain-SID, we have to see how this machine behaves. I am now
>> trying to reactivate the old profile of the user who was not able to
>> log in.
>> For the machine which joined the domain after the SID change, we
>> might have to rejoin the machine to the domain, unless anybody can
>> tell me how this trustment can be reassigned without a profile change ...
>
> you can use the 'profiles' tool to change all the SIDs in the user
> profile file (NTUSER.DAT)
>
>
> Simo.
>

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax: 49 (0)341 - 3550 399
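
The relationship discussed in the thread, where an account SID carries the SID of the domain that issued it, as an added example (not code from the thread or from Samba): in string form the domain SID is the account SID without its final sub-authority, the RID. The function names and all sample SIDs are constructed for illustration; the binary decoder follows the standard packed SID layout and assumes nothing about how secrets.tdb stores its records.

```python
import struct

def parse_sid(blob: bytes) -> str:
    """Decode a packed binary SID into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_account_sid(sid: str):
    """Split S-1-5-21-a-b-c-RID into (domain SID, RID); None for other SIDs."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    if not all(p.isdigit() for p in parts[4:]):
        return None
    return "-".join(parts[:7]), int(parts[7])

def foreign_accounts(sids, current_domain_sid):
    """Return the account SIDs that were issued under a different domain SID."""
    result = []
    for sid in sids:
        split = split_account_sid(sid)
        if split and split[0] != current_domain_sid:
            result.append(sid)
    return result

# Constructed sample values, not taken from the thread.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444-5555555-6666666"
SAMPLE_BLOB = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1005)
# Shaped like HKEY_USERS subkey names: non-account entries must be skipped.
SAMPLE_KEYS = [".DEFAULT", "S-1-5-18", parse_sid(SAMPLE_BLOB),
               NEW_DOMAIN + "-1006", OLD_DOMAIN + "-1005_Classes"]

if __name__ == "__main__":
    print(parse_sid(SAMPLE_BLOB))
    print(foreign_accounts(SAMPLE_KEYS, NEW_DOMAIN))
```

Running it against a list of profile SIDs and the server's current domain SID shows which accounts were created under a previous domain SID and will no longer match after a change.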