Hi all,

We have a small network with WinXP Prof SP2 machines and a Linux (Debian) PDC using Samba 3.0.22.
We encountered the following situation:
One user was not able to log into the domain any more some days ago. Using logging on the samba side, I found out that samba correctly authenticates the machine and the workstation. Though, XP did not log in, giving a message that the password might not match.
After that had happened, we found out that the user was not able to log in on any machine in our network! Also other users we tried were only able to log in at their own machine (probably because the password and other information is cached there).
Putting on some logs in Win XP, we found out that the error produced was related to a well-known problem:
the PDC SID was changed and the entrustment between the Windows machines and the PDC is broken.
The only solution presented in the FAQ is to remove the machine from the domain and reassign it. This means a complete loss of profile data for the user.

The problem is: the whole samba environment was not changed at all. So why did the SID change? I cannot say when the SID changed, so there might be no available backup of the secrets files any more.
And: is there a way to retrieve the old SID of the PDC from the registry of any client machine (all the other machines are still unchanged and the users can log into the domain on their machines)?
Then we could set it to the old value and all the other machines would be trusted without a rejoin of the domain and loss of profile data.

Any hints on that?

Thanks in advance,
Marcus
Hi Marcus.

On Thursday, 17.08.2006, 08:48 +0200, Marcus Haarmann wrote:
> The problem is: the whole samba environment was not changed at all. So why
> did the SID change ? I cannot say when the SID changed so there might be no
> available backup of the secrets files any more.
> And: is there a way to retrieve the old SID of the PDC from the registry of
> any client machine (all the other machines are still unchanged and the users
> can log into the domain on their machines).
> Then we could set it to the old value and all the other machines would be
> trusted without a rejoin for the domain and loss of profile data.

Is it possible that this special Windows machine was offline for a longer time? A friend of mine told me that WinXP changes its SID from time to time (2 weeks I think), but the last entry is kept. This would make the machine unusable after 4 weeks of downtime. So perhaps your client changed its SID and thinks that your server is not trusted any more.

Another idea: I noticed that if you pull the network cable off a running WinXP machine, it is possible that it loses its domain membership.

Greetz,
Andre
On Thu, 2006-08-17 at 08:48 +0200, Marcus Haarmann wrote:
> The problem is: the whole samba environment was not changed at all. So why
> did the SID change ? I cannot say when the SID changed so there might be no
> available backup of the secrets files any more.

The SID may change if you change the machine name. If you have not specified the 'netbios name' in smb.conf it is derived from the machine hostname.
I always advise to fix the netbios name in smb.conf for PDCs exactly to avoid a SID change in case of a change of the hostname.

> And: is there a way to retrieve the old SID of the PDC from the registry of
> any client machine (all the other machines are still unchanged and the users
> can log into the domain on their machines).

Any file of the users contains the Domain SID portion; you should be able to see the SID in the security tab, as if the domain did not exist you shouldn't be able to resolve SIDs to names either.

> Then we could set it to the old value and all the other machines would be
> trusted without a rejoin for the domain and loss of profile data.

Look at the net utility for how to set a SID.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
Hi Andre,

The machine was off-network for two days only. The problem is not machine based, but server based. The server SID has definitely changed since the user was created (and the machine joined the domain).
I found out in the meantime that the user's SID contains the domain SID (this can be retrieved in the registry under HKEY_USERS; strip the last two bytes and you have the domain SID) it was created with.
Unfortunately, there is no simple way of setting it in samba (like net setsid ... for the domain SID; only the PDC SID can be set). I have done this using a hex editor, patching secrets.tdb (SID of PDC and Domain, these are identical at our site).
So, the problem is half-way solved. The server now has the old SID again, which was presumably changed more than half a year ago (modification time of secrets.tdb was December 2005).
I cannot say why the entrustment from this special machine has been broken, but now I am able to log on to the domain as any user on all machines again (which have joined the domain before the SID change).
The only thing is that we added one machine after the modification of the Domain-SID; we have to see how this machine behaves.
I am now trying to reactivate the old profile of the user who was not able to log in.
For the machine which joined the domain after the SID change, we might have to rejoin the machine to the domain, unless anybody can tell me how this trust can be reassigned without a profile change ...

Marcus

-----Original Message-----
From: samba-bounces+marcus.haarmann=midoco.de@lists.samba.org [mailto:samba-bounces+marcus.haarmann=midoco.de@lists.samba.org] On Behalf Of Andre Timmermann
Sent: Thursday, August 17, 2006 12:52 PM
To: Liste SAMBA
Subject: Re: [Samba] Problem with Domain SID