Karel Lang AFD
2014-Sep-04  11:25 UTC
[Samba] problem with mechanism of samba user SID creation
Hello guys,
as subject says, I've got problem with it. And because I'm in preparation of migration of users from Samba PDC with passdb.tdb backend to LDAP backend, I need to be 100% clear on it.

I can't find the reference to it anywhere, so if anyone can point me in the right way ..?

What is confusing for me? I'll explain on example:

1. Scenario: Existing Samba PDC server (difference between Samba SID and User SID)

[root at srv-022 etc]# net getlocalsid
SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550

[root at srv-022 etc]# pdbedit -Lv | grep -i -A15 lang

Unix username: lang
NT username:
Account Flags: [U ]
User SID: S-1-5-21-110010030-2840066419-870397770-2262
Primary Group SID: S-1-5-21-110010030-2840066419-870397770-513

NOTE pls the difference between Samba SID and SID of user. I'd expect that SID of user is generated by: Samba SID+RID ? Why the difference?
Please note, this server was created by migration from older Samba version - so, that might have had impact on this? (and I have not been doing that migration, so I don't know exactly what was going on at that time).

2. Scenario: my testing Samba PDC server

- I installed same Samba version like on the main server (3.6.9)
- I tarred and un-tarred whole /etc/samba folder to this test server
- I rsynced /etc/passwd, group, hosts, smb.conf, passdb.tdb
- I set same Samba SID like the Production server has (via net setlocalsid)

result:

[root at afdfake home]# net getlocalsid
SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550

[root at afdfake etc]# pdbedit -Lv | grep -i -A15 lang
Unix username: lang
NT username:
Account Flags: [U ]
User SID: S-1-5-21-1659033379-200690441-2582778234-2262
Primary Group SID: S-1-5-21-1659033379-200690441-2582778234-513

As you can see again, I have difference between Samba SID and user SID, but what I do not understand at ALL why user SID is different to user SID on Production server (it is same user)

This considering, it is completely same passdb.tdb file like on Production ... what mechanism changed that SID of my user?

Also - if I would like to correct this discrepancy on my test server via pdbedit and make Samba SID and User SID same - it FAILs:

[root at afdfake etc]# pdbedit -U S-1-5-21-3959513538-1809711307-1766237550-2262 lang
tdb_update_sam: struct samu (lang) with no RID!
Unable to modify entry!

3. Scenario: freshly installed Samba (again 3.6.9) on laptop:

[root at orionis ~]# net getlocalsid
SID for domain ORIONIS is: S-1-5-21-2647753566-3134634105-1426643513

[root at orionis ~]# pdbedit -Lv
Unix username: lang
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2647753566-3134634105-1426643513-1000
Primary Group SID: S-1-5-21-2647753566-3134634105-1426643513-513

As you can see, this is result I'd expect - User SID=Samba SID +User RID

And both are same.

So what is the mechanism behind this? How can even the authentication work on Production server (scenario 1) while Samba SID and User SID differs?
Why even newly added users keep that different User SID to Samba SID trait?

I can't find answers from samba lists - can please point me to some documentation, or shed some light?

Thanks!
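The comparison made by hand in the three scenarios above can be scripted as a pre-migration check; this is an added example, not part of the original post. The function names `local_sid` and `check_sids` and the second account `demo` with RID 3000 are constructed for illustration; the other values are the ones quoted in scenario 1.

```shell
#!/bin/sh
# Added example: flag accounts whose SID is not <local SID>-<RID>.
# Function names and the "demo" account are constructed for illustration.

# Pull the SID out of `net getlocalsid` output read on stdin.
local_sid() {
    sed -n 's/^SID for domain .* is: *\(S-[0-9-]*\)[[:space:]]*$/\1/p'
}

# check_sids <local-sid>: reads `pdbedit -Lv` output on stdin and prints
# "<status> <user> <domain part of user SID> <RID>" for every account.
# Returns 1 if any account's domain part differs from <local-sid>.
check_sids() {
    awk -v want="$1" '
        /^Unix username:/ { user = $3 }
        /^User SID:/ {
            rid = $3; sub(/.*-/, "", rid)        # last sub-authority is the RID
            dom = $3; sub(/-[0-9]+$/, "", dom)   # everything before the RID
            status = (dom == want) ? "OK" : "MISMATCH"
            if (status != "OK") bad = 1
            print status, user, dom, rid
        }
        END { exit bad + 0 }'
}

# Constructed sample: "lang" uses the scenario 1 values from the post,
# "demo" is a made-up account that does sit under the local SID.
SAMPLE_LOCAL='SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550'
SAMPLE_PDB='Unix username:        lang
User SID:             S-1-5-21-110010030-2840066419-870397770-2262
Primary Group SID:    S-1-5-21-110010030-2840066419-870397770-513
Unix username:        demo
User SID:             S-1-5-21-3959513538-1809711307-1766237550-3000
Primary Group SID:    S-1-5-21-3959513538-1809711307-1766237550-513'

sid=$(printf '%s\n' "$SAMPLE_LOCAL" | local_sid)
printf '%s\n' "$SAMPLE_PDB" | check_sids "$sid" || echo "accounts outside $sid found"

# On a live server the same functions take the real command output:
#   pdbedit -Lv | check_sids "$(net getlocalsid | local_sid)"
```

Running it before and after copying passdb.tdb to another host shows at a glance which accounts would change SID, which is what the LDAP migration needs to preserve.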
Karel Lang AFD
2014-Sep-08  08:26 UTC
[Samba] problem with mechanism of samba user SID creation
Hello guys,
please any advanced Samba user or dev would know the answer?

To make my question the shortest it can get:
"Why the Samba SID and User SID (can) differ?"

I'm interested in understanding of the mechanism behind it. I stated all details in my first message.

Please bear up with me, I am new to maillist, so I'm not sure if I can reply to myself to 'refresh' the question.

Thanks a lot.

On 09/04/2014 01:25 PM, Karel Lang AFD wrote:
> Hello guys,
> as subject says, I've got problem with it. And because I'm in
> preparation of migration of users from Samba PDC with passdb.tdb backend
> to LDAP backend, I need to be 100% clear on it.
>
> I can't find the reference to it anywhere, so if anyone can point me in
> the right way ..?
>
> What is confusing for me? I'll explain on example:
>
> 1. Scenario: Existing Samba PDC server (difference between Samba SID and
> User SID)
>
> [root at srv-022 etc]# net getlocalsid
> SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550
>
> [root at srv-022 etc]# pdbedit -Lv | grep -i -A15 lang
>
> Unix username: lang
> NT username:
> Account Flags: [U ]
> User SID: S-1-5-21-110010030-2840066419-870397770-2262
> Primary Group SID: S-1-5-21-110010030-2840066419-870397770-513
>
> NOTE pls the difference between Samba SID and SID of user. I'd expect
> that SID of user is generated by: Samba SID+RID ? Why the difference?
> Please note, this server was created by migration from older Samba
> version - so, that might have had impact on this? (and I have not been
> doing that migration, so I don't know exactly what was going on at that
> time).
>
> 2. Scenario: my testing Samba PDC server
>
> - I installed same Samba version like on the main server (3.6.9)
> - I tarred and un-tarred whole /etc/samba folder to this test server
> - I rsynced /etc/passwd, group, hosts, smb.conf, passdb.tdb
> - I set same Samba SID like the Production server has (via net setlocalsid)
>
> result:
>
> [root at afdfake home]# net getlocalsid
> SID for domain SRV-022 is: S-1-5-21-3959513538-1809711307-1766237550
>
> [root at afdfake etc]# pdbedit -Lv | grep -i -A15 lang
> Unix username: lang
> NT username:
> Account Flags: [U ]
> User SID: S-1-5-21-1659033379-200690441-2582778234-2262
> Primary Group SID: S-1-5-21-1659033379-200690441-2582778234-513
>
> As you can see again, I have difference between Samba SID and user SID,
> but what I do not understand at ALL why user SID is different to user
> SID on Production server (it is same user)
>
> This considering, it is completely same passdb.tdb file like on
> Production ... what mechanism changed that SID of my user?
>
> Also - if I would like to correct this discrepancy on my test server via
> pdbedit and make Samba SID and User SID same - it FAILs:
>
> [root at afdfake etc]# pdbedit -U
> S-1-5-21-3959513538-1809711307-1766237550-2262 lang
> tdb_update_sam: struct samu (lang) with no RID!
> Unable to modify entry!
>
> 3. Scenario: freshly installed Samba (again 3.6.9) on laptop:
>
> [root at orionis ~]# net getlocalsid
> SID for domain ORIONIS is: S-1-5-21-2647753566-3134634105-1426643513
>
> [root at orionis ~]# pdbedit -Lv
> Unix username: lang
> NT username:
> Account Flags: [U ]
> User SID: S-1-5-21-2647753566-3134634105-1426643513-1000
> Primary Group SID: S-1-5-21-2647753566-3134634105-1426643513-513
>
> As you can see, this is result I'd expect - User SID=Samba SID +User RID
>
> And both are same.
>
> So what is the mechanism behind this? How can even the authentication
> work on Production server (scenario 1) while Samba SID and User SID
> differs?
> Why even newly added users keep that different User SID to Samba SID trait?
>
> I can't find answers from samba lists - can please point me to some
> documentation, or shed some light?
>
> Thanks!