samba - Jan 2015 - Yet another "Can I change user's SID" question

Good evening team,

I have read lots of topics and posts explaining why you *shouldn't*
manually change a user's SID on the databases, and I agree with the
"phylosophical" reasons behind it, let's say.

Now, what happens if besides all the warnings you still do it?? What else
might break, considering that we are careful enough to not enter a
duplicate, or obvious errors? I understand that ldbedit does not even let
you do it, but that can be easily "tweaked" on the source code.

The reason behind this question is the usual "accidentally deleted
user".
In this case it was no big deal, a new user was created and profiles
migrated, but what would have happened if a new user was created and then
assigned the SID of the previous user? I tried this on a lab machine with a
"tweaked" ldbedit and nothing seems to break (or at least not as badly
so
as to realize in 5 minutes of testing). This is Samba 4.1.x DC with no
replication.

Best regards!

George

On 01/28/15 17:08, George wrote:
> Good evening team,
>
> I have read lots of topics and posts explaining why you *shouldn't*
> manually change a user's SID on the databases, and I agree with the
> "phylosophical" reasons behind it, let's say.
>
> Now, what happens if besides all the warnings you still do it?? What else
> might break, considering that we are careful enough to not enter a
> duplicate, or obvious errors? I understand that ldbedit does not even let
> you do it, but that can be easily "tweaked" on the source code.
>
> The reason behind this question is the usual "accidentally deleted
user".
> In this case it was no big deal, a new user was created and profiles
> migrated, but what would have happened if a new user was created and then
> assigned the SID of the previous user? I tried this on a lab machine with a
> "tweaked" ldbedit and nothing seems to break (or at least not as
badly so
> as to realize in 5 minutes of testing). This is Samba 4.1.x DC with no
> replication.
>
> Best regards!
>
> George

I would guess you run the risk that the new user may get file access , 
or group membership, or computer priveldegesthat the old user had, that 
the new user should not.

I am also guessing  that samba somewhere keeps a counter of "last SID 
assigned" -  which means that you could allocate a SID that samba thinks 
is available for a future user.

Hello George,

Am 28.01.2015 um 23:08 schrieb George:
> The reason behind this question is the usual "accidentally deleted
user".
What you want is the AD recycle bin feature:
https://wiki.samba.org/index.php/Restoring_deleted_AD_objects


Regards,
Marc

On Wed, Jan 28, 2015 at 7:50 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
wrote:
> What you want is the AD recycle bin feature:
> https://wiki.samba.org/index.php/Restoring_deleted_AD_object
> <https://wiki.samba.org/index.php/Restoring_deleted_AD_objects>

Good info, thanks. Didn't know there were bugs with the Windows tools and
Samba. In the case I was talking about, someone tried to recover it with
ldp.exe but the reanimated object ended up completely messed up.

And just for learning purposes, I started thinking in the manual hack to
the database. Any other thoughts??

George