Linda Walsh
2009-Sep-15 18:42 UTC
[Samba] Domain SID vs. Local SID on Domain Controller & SID requirements
IF a samba server is setup to be a domain controller, should it's local SID = the domain SID? Also, what are the requirements of a SID? I usually see S-1-5-21-x-y-z, where x,y,z = 10 digits, but could x,y,z be 1,2,3 (for example)? I.e. do they have to be 10 digit numbers or can they be shorter? If I have a simple setup, and want a sid I can remember can I just make it 'short'?
simo
2009-Sep-15 18:51 UTC
[Samba] Domain SID vs. Local SID on Domain Controller & SID requirements
On Tue, 2009-09-15 at 11:42 -0700, Linda Walsh wrote:> IF a samba server is setup to be a domain controller, should > it's local SID = the domain SID?yes the PDC exports the "local SAM" as the "domain SAM" (the SAM is the DB where user information is stored including SIDs)> Also, what are the requirements of a SID? > > I usually see S-1-5-21-x-y-z, where x,y,z = 10 digits, but > could x,y,z be 1,2,3 (for example)? I.e. do they have to be > 10 digit numbers or can they be shorter?They are random 32bit integers, they can be any number between 1 and 2^32-1> If I have a simple setup, and want a sid I can remember can I > just make it 'short'?No, users SID are composed of Domain SID + RID, the Domain SID part is identical for all domain user and is generated once by the PDC at installation time. Simo. -- Simo Sorce Samba Team GPL Compliance Officer <simo at samba.org> Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
Miguel Medalha
2009-Sep-15 19:40 UTC
[Samba] Domain SID vs. Local SID on Domain Controller & SID requirements
> IF a samba server is setup to be a domain controller, should > it's local SID = the domain SID? > >The SID of the Primary Domain Controler (PDC) is also the Domain's SID.> Also, what are the requirements of a SID? >Security Identifier http://en.wikipedia.org/wiki/Security_Identifier> I usually see S-1-5-21-x-y-z, where x,y,z = 10 digits, but > could x,y,z be 1,2,3 (for example)? I.e. do they have to be > 10 digit numbers or can they be shorter? > > If I have a simple setup, and want a sid I can remember can I > just make it 'short'? >No. Please consult the above article. You don't need to "remember" the SID, you may need to keep it. net getdomainsid
Reasonably Related Threads
- "net getdomainsid" reporting "Could not fetch local SID" -- am I using this command appropriately?
- missing symbols talloc_* (opensuse 11.4/samba 3.5.7-xxx)
- Fw: [cifs-protocol] QUESTION - samba cifs mount - HELP
- rsync 3.0.9 incompatible with self? (proto incompat on local->local)
- SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)