Good evening team,

I have read lots of topics and posts explaining why you *shouldn't* manually change a user's SID on the databases, and I agree with the "philosophical" reasons behind it, let's say.

Now, what happens if besides all the warnings you still do it?? What else might break, considering that we are careful enough to not enter a duplicate, or obvious errors? I understand that ldbedit does not even let you do it, but that can be easily "tweaked" on the source code.

The reason behind this question is the usual "accidentally deleted user". In this case it was no big deal, a new user was created and profiles migrated, but what would have happened if a new user was created and then assigned the SID of the previous user? I tried this on a lab machine with a "tweaked" ldbedit and nothing seems to break (or at least not as badly so as to realize in 5 minutes of testing). This is Samba 4.1.x DC with no replication.

Best regards!

George
Gaiseric Vandal
2015-Jan-28 22:48 UTC
[Samba] Yet another "Can I change user's SID" question
On 01/28/15 17:08, George wrote:
> Good evening team,
>
> I have read lots of topics and posts explaining why you *shouldn't*
> manually change a user's SID on the databases, and I agree with the
> "philosophical" reasons behind it, let's say.
>
> Now, what happens if besides all the warnings you still do it?? What else
> might break, considering that we are careful enough to not enter a
> duplicate, or obvious errors? I understand that ldbedit does not even let
> you do it, but that can be easily "tweaked" on the source code.
>
> The reason behind this question is the usual "accidentally deleted user".
> In this case it was no big deal, a new user was created and profiles
> migrated, but what would have happened if a new user was created and then
> assigned the SID of the previous user? I tried this on a lab machine with a
> "tweaked" ldbedit and nothing seems to break (or at least not as badly so
> as to realize in 5 minutes of testing). This is Samba 4.1.x DC with no
> replication.
>
> Best regards!
>
> George

I would guess you run the risk that the new user may get file access, or group membership, or computer privileges that the old user had, that the new user should not.

I am also guessing that samba somewhere keeps a counter of "last SID assigned" - which means that you could allocate a SID that samba thinks is available for a future user.
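The two risks raised in this reply (the reused SID still matching old ACLs and memberships, and colliding with the RID allocator's idea of which RIDs are free) can at least be screened for before anyone touches objectSid by hand. The script below is an added example for this archive page, not code from the thread or from Samba. It assumes the administrator has already pulled the domain SID, the existing objectSid values and the RID Set counters out of sam.ldb (for instance with ldbsearch); the attribute names rIDAllocationPool and rIDNextRID are the real AD/Samba ones, the values are constructed, and the interpretation of rIDNextRID as the high-water mark of the current pool is stated as an assumption in the code.

```python
"""
Pre-flight checks before hand-assigning an objectSid on a Samba AD DC.
Added example for this mailing-list page; not part of Samba.

Data below is constructed to look like what ldbsearch returns for the
domain object, the user/group objects, and the DC's CN=RID Set object.
"""
import re

# Domain SID followed by a relative identifier (RID).
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample data (not from any real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
EXISTING_SIDS = [
    DOMAIN_SID + "-500",   # Administrator (well-known RID)
    DOMAIN_SID + "-512",   # Domain Admins (well-known RID)
    DOMAIN_SID + "-1104",
    DOMAIN_SID + "-1105",
]
# rIDAllocationPool packs the DC's current pool as (high << 32) | low.
RID_ALLOCATION_POOL = (1599 << 32) | 1100
# Assumption: rIDNextRID marks how far into the pool the allocator has got;
# RIDs at or above it in the pool may still be handed out to new objects.
RID_NEXT_RID = 1105


def parse_rid(sid):
    """Return (domain part, rid) for a domain SID, or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain user/group SID: %r" % sid)
    rid_text = m.group(1)
    return sid[: -len(rid_text) - 1], int(rid_text)


def pool_bounds(pool_value):
    """Split a packed rIDAllocationPool value into (low, high) RIDs."""
    return pool_value & 0xFFFFFFFF, pool_value >> 32


def check_sid_reuse(candidate, domain_sid=DOMAIN_SID, existing=EXISTING_SIDS,
                    pool=RID_ALLOCATION_POOL, next_rid=RID_NEXT_RID):
    """Return a list of problems with assigning `candidate` by hand.

    An empty list only means these mechanical checks did not fire. It does
    not make the reuse safe: any ACL or group membership that still names
    the old SID will now apply to whoever holds it, which is exactly the
    risk described in the thread.
    """
    problems = []
    try:
        domain_part, rid = parse_rid(candidate)
    except ValueError as e:
        return [str(e)]
    if domain_part != domain_sid:
        problems.append("SID belongs to a different domain (%s)" % domain_part)
    if candidate in existing:
        problems.append("SID already assigned to an existing object")
    if rid < 1000:
        problems.append("RID %d is in the well-known range (<1000)" % rid)
    low, high = pool_bounds(pool)
    if low <= rid <= high and rid >= next_rid:
        problems.append(
            "RID %d is inside the unallocated part of the RID pool "
            "(%d-%d, allocator position %d); Samba may hand it out again"
            % (rid, low, high, next_rid))
    return problems


if __name__ == "__main__":
    for sid in (DOMAIN_SID + "-1104", DOMAIN_SID + "-1200", DOMAIN_SID + "-1050"):
        print(sid, "->", check_sid_reuse(sid) or ["no mechanical problems found"])
```

The pool check is the one that answers the "last SID assigned" guess: a RID that sits in the DC's current allocation pool above the allocator's position is exactly the kind of value Samba still considers free, so a hand-assigned SID there would later collide with a normally created object.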
Marc Muehlfeld
2015-Jan-28 22:50 UTC
[Samba] Yet another "Can I change user's SID" question
Hello George,

On 28.01.2015 at 23:08, George wrote:
> The reason behind this question is the usual "accidentally deleted user".

What you want is the AD recycle bin feature:
https://wiki.samba.org/index.php/Restoring_deleted_AD_objects

Regards,
Marc
On Wed, Jan 28, 2015 at 7:50 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> What you want is the AD recycle bin feature:
> https://wiki.samba.org/index.php/Restoring_deleted_AD_object
> <https://wiki.samba.org/index.php/Restoring_deleted_AD_objects>

Good info, thanks. Didn't know there were bugs with the Windows tools and Samba. In the case I was talking about, someone tried to recover it with ldp.exe but the reanimated object ended up completely messed up.

And just for learning purposes, I started thinking about the manual hack to the database.

Any other thoughts??

George