Re: [Samba] PDC: System SID missing / inconsistent with domain SID

[Eric Shubert]

I've recently come across the same situation, while migrating a 3.0.33 
PDC host to 3.6.9. I had renamed the old host some time ago from LANYARD 
to TACS-DC. The old host still functions fine, except for not being able 
to get its own SID.


Old DC host:
[root@tacs-dc samba]# net getdomainsid
Could not fetch local SID
[root@tacs-dc samba]# tdbdump secrets.tdb
{
key(19) = SECRETS/DOMGUID/R3I
data(16) = \DF\DDA\01\F62\8CG\A8\80\B4\1CFM\1D\0B
}
{
key(19) = SECRETS/SID/LANYARD
data(68) = \01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)
}
{
key(15) = SECRETS/SID/R3I
data(68) = \01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)
}
[root@tacs-dc samba]# net rpc trustdom list -U shubes
Password:
Trusted domains list:

none

Trusting domains list:

none
[root@tacs-dc samba]#


I've migrated everything (accounts, tdb files) to a new host, and 
changed the LANYARD record to TACS-DC in the secrets.tdb, which 
corresponds to the new hostname:

[root@tacs-dc private]# net getdomainsid
SID for local machine TACS-DC is: S-1-5-21-93357678-3857568473-1617xx
SID for domain R3I is: S-1-5-21-93357678-3857568473-1617xx
[root@tacs-dc private]# tdbdump secrets.tdb
{
key(19) = SECRETS/DOMGUID/R3I
data(16) = \DF\DDA\01\F62\8CG\A8\80\B4\1CFM\1D\0B
}
{
key(19) = SECRETS/SID/TACS-DC
data(68) = \01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)
}
{
key(15) = SECRETS/SID/R3I
data(68) = \01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)
}
[root@tacs-dc private]# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
[root@tacs-dc private]#

Everything appears to be working, except that the new host isn't 
recognized as a domain controller. Note that workstations are able to 
log on to the domain using the new DC host though.


I'm guessing that adding a TACS-DC record to the old host would fix the 
problem of not being able to get its SID.


I'm also guessing that adding a LANYARD record to the new host *might* 
make it recognize that it's a domain controller. I hope to test this 
later today, when users are gone.


It appears to me that the original host name which created the domain is 
stored in some way somewhere else (I see it in the USER_ records in the 
passdb.tdb file). If so, can this somehow be changed? The documentation 
I've found all says how to migrate to another host keeping the host name 
the same, but I haven't been able to find anything about changing the 
host name.


Does anyone have any other ideas why this new host isn't being 
recognized as a DC?


Thanks.

--
-Eric 'shubes'
On 04/29/2010 03:08 AM, Frank Stanek wrote:

Hello,

I recently noticed a problem on our PDC (samba 3.0.32
on SLES 10 SP2) which I kind of know how to solve after
web research but I am unclear about the possible
consequences for our domain and clients.

The situation is this:
Originally samba was set up on this machine to test. Back
then its hostname was infrahostnew, so there is a SID for
that NETBIOS name in secrets.tdb. When the PDC went in
production, we had to change the hostname to infrahost.
We then provisioned our domain MYDOMAIN. Now there is also
a SID for MYDOMAIN in secrets.tdb which is different than
the SID of infrahostnew. Also there is no SID at all for
the new NETBIOS name infrahost. This causes for example
net getlocalsid to fail.

My research suggests that the NETBIOS name SID of the PDC
infrahost should be the same as the domain SID, is that
correct? Also, I found an article that dealt with inconsistent
SIDs; it suggested to set the NETBIOS SID to be the same
as the domain SID. But this article dealt with the case
that there actually _is_ a NETBIOS SID in secrets.tdb but
it's not the same as the domain SID. This is not our case
however since there is no SID at all for the NETBIOS name.

We haven't noticed any problems because of this at all,
I just stumbled upon it when I went to check the SIDs
routinely. How would you suggest I proceed in this situation?
Should we set the NETBIOS SID to be the same as the domain
SID with net setlocalsid? What possible consequences could
there be? We are very concerned that this may introduce problems
for our clients that we don't have at the moment. But I
wouldn't like to keep things in an inconsistent state like
this either.

I'd be glad for any insights.

Regards
Frank





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] PDC: System SID missing / inconsistent with domain SID

[Eric Shubert]

On 08/26/2013 01:21 PM, Eric Shubert wrote:

I'm guessing that adding a TACS-DC record to the old host would fix the
problem of not being able to get its SID.


This appears to work now.


I'm also guessing that adding a LANYARD record to the new host *might*
make it recognize that it's a domain controller. I hope to test this
later today, when users are gone.


This didn't appear to help. The new DC still doesn't recognize itself as 
a DC:

# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
#

I do have the SID of the domain/host that was created by this host. I 
wonder if restoring those records in secrets.tdb, then using the net 
command to change the SID of the domain and host might fix things up. 
Does the net setdomainsid command do anything more than change the value 
of the record in the tdb file? If it does, that could be a solution.


Anyone have any insight about how to go about changing the host name of 
a domain controller (while migrating it)?


Thanks.

--
-Eric 'shubes'

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] PDC: System SID missing / inconsistent with domain SID

[Frank Stanek]

Hello,

I recently noticed a problem on our PDC (samba 3.0.32
on SLES 10 SP2) which I kind of know how to solve after
web research but I am unclear about the possible
consequences for our domain and clients.

The situation is this:
Originally samba was set up on this machine to test. Back
then its hostname was infrahostnew, so there is a SID for
that NETBIOS name in secrets.tdb. When the PDC went in
production, we had to change the hostname to infrahost.
We then provisioned our domain MYDOMAIN. Now there is also
a SID for MYDOMAIN in secrets.tdb which is different than
the SID of infrahostnew. Also there is no SID at all for
the new NETBIOS name infrahost. This causes for example
net getlocalsid to fail.

My research suggests that the NETBIOS name SID of the PDC
infrahost should be the same as the domain SID, is that
correct? Also, I found an article that dealt with inconsistent
SIDs; it suggested to set the NETBIOS SID to be the same
as the domain SID. But this article dealt with the case
that there actually _is_ a NETBIOS SID in secrets.tdb but
it's not the same as the domain SID. This is not our case
however since there is no SID at all for the NETBIOS name.

We haven't noticed any problems because of this at all,
I just stumbled upon it when I went to check the SIDs
routinely. How would you suggest I proceed in this situation?
Should we set the NETBIOS SID to be the same as the domain
SID with net setlocalsid? What possible consequences could
there be? We are very concerned that this may introduce problems
for our clients that we don't have at the moment. But I
wouldn't like to keep things in an inconsistent state like
this either.

I'd be glad for any insights.

Regards
Frank
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba