Byron Bogaert
2015-Dec-15 21:16 UTC
[Samba] How can I change the localSID for a SAMBA Server?
Hi Rowland,

We need to change the SID on a standalone server because it needs to also act as a File Server. The authentication comes from LDAP, and we have existing entries in LDAP for the SID of the domain. Instead of changing all the SIDs in LDAP, we would like to be able to change it on the server.

Hope this helps.

Thanks,
Byron

--
Byron Bogaert
IT System Administrator
Wikimedia Foundation

Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality! https://donate.wikimedia.org

On Tue, Dec 15, 2015 at 1:05 PM, Rowland penny <rpenny at samba.org> wrote:
> On 15/12/15 20:58, Byron Bogaert wrote:
>> Hi Marc,
>>
>> We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is there any other specific information you need?
>>
>> Thanks,
>> Byron
>
> I can think of at least two things: what is in your smb.conf, and why do you need to change the SID on a standalone server.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2015-Dec-15 21:20 UTC
[Samba] How can I change the localSID for a SAMBA Server?
On 15/12/15 21:16, Byron Bogaert wrote:
> Hi Rowland,
>
> We need to change the SID on a standalone server because it needs to also act as a File Server. The authentication comes from LDAP, and we have existing entries in LDAP for the SID of the domain. Instead of changing all the SIDs in LDAP, we would like to be able to change it on the server.
>
> Hope this helps.
>
> Thanks,
> Byron
>
> --
> Byron Bogaert
> IT System Administrator
> Wikimedia Foundation
>
> On Tue, Dec 15, 2015 at 1:05 PM, Rowland penny <rpenny at samba.org> wrote:
>> On 15/12/15 20:58, Byron Bogaert wrote:
>>> Hi Marc,
>>>
>>> We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is there any other specific information you need?
>>>
>>> Thanks,
>>> Byron
>>
>> I can think of at least two things: what is in your smb.conf, and why do you need to change the SID on a standalone server.
>>
>> Rowland

Ah, that explains it then: you do not seem to be setting up a standalone server. Please post your smb.conf.

Rowland
Byron Bogaert
2015-Dec-15 21:25 UTC
[Samba] How can I change the localSID for a SAMBA Server?
Our Global Configuration is as follows:

#======================= Global Settings ======================
[global]
   workgroup = WIKIMEDIA
   netbios name = THEWIGGLE
   server string = %h server (Samba, Ubuntu)
   security = user
   dns proxy = no

#### Debugging/Accounting ####
   log level = 2
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######
   server role = standalone server
   passdb backend = ldapsam:ldap://somehost.wikimedia.org
   ldap suffix = dc=wikimedia,dc=org
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=Idmap
   ldap ssl = start tls
   ldap admin dn = <Administrative dn in ldap>
   ldap password sync = yes
   obey pam restrictions = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

############ Misc ############
   usershare allow guests = yes

--
Byron Bogaert
IT System Administrator
Wikimedia Foundation

Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality! https://donate.wikimedia.org

On Tue, Dec 15, 2015 at 1:20 PM, Rowland penny <rpenny at samba.org> wrote:
> On 15/12/15 21:16, Byron Bogaert wrote:
>> Hi Rowland,
>>
>> We need to change the SID on a standalone server because it needs to also act as a File Server. The authentication comes from LDAP, and we have existing entries in LDAP for the SID of the domain. Instead of changing all the SIDs in LDAP, we would like to be able to change it on the server.
>>
>> Hope this helps.
>>
>> Thanks,
>> Byron
>>
>> --
>> Byron Bogaert
>> IT System Administrator
>> Wikimedia Foundation
>>
>> On Tue, Dec 15, 2015 at 1:05 PM, Rowland penny <rpenny at samba.org> wrote:
>>> On 15/12/15 20:58, Byron Bogaert wrote:
>>>> Hi Marc,
>>>>
>>>> We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is there any other specific information you need?
>>>>
>>>> Thanks,
>>>> Byron
>>>
>>> I can think of at least two things: what is in your smb.conf, and why do you need to change the SID on a standalone server.
>>>
>>> Rowland
>
> Ah, that explains it then: you do not seem to be setting up a standalone server. Please post your smb.conf.
>
> Rowland
Tetra
2015-Dec-15 22:27 UTC
[Samba] How can I change the localSID for a SAMBA Server?
On 15.12.2015 22:16, Byron Bogaert wrote:
> We need to change the SID on a standalone server because it needs to also act as a File Server. The authentication comes from LDAP, and we have existing entries in LDAP for the SID of the domain. Instead of changing all the SIDs in LDAP, we would like to be able to change it on the server.

I noticed something similar (though while testing on some older Samba 3 standalone servers, where I wanted to see if I could use LDAP instead of an rsync-replicated smbpasswd file by setting the same SID on all servers).

The SID is locally stored in secrets.tdb and you can see it with tdbtool (though in hex, and you need to know that the last three 10-digit numbers in the SID are 32 bits, or 4 bytes, each).

It seems net setlocalsid changed the SID in secrets.tdb, but the server finds its SID in LDAP after that is set up in smb.conf, and there it was not changed.

I solved it by also changing it manually on the LDAP server, or by making sure that the SID was changed locally before starting up smbd with LDAP configured, or by deleting the LDAP entry for the server and restarting smbd so it was generated anew.

YMMV.
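The hex record Tetra describes is Samba's struct dom_sid stored under the key SECRETS/SID/<netbios name> in secrets.tdb. As an added example (not code from this thread or from Samba), the Python below decodes such a record from a tdbtool-style dump into the familiar S-1-5-21-... string, encodes a string back into the 68-byte struct, and checks which sambaSID values from LDAP belong to the server's local SID, which is the mismatch Byron is trying to avoid. The dump text, the netbios name THEWIGGLE from the posted smb.conf, and every SID value are constructed for the example; on a real server the CLI equivalents are net getlocalsid and net setlocalsid, and the ldapsam copy lives in the sambaSID attribute of the sambaDomain object.

```python
import re
import struct

# Constructed sample of what "tdbtool /var/lib/samba/private/secrets.tdb dump"
# prints for the local SID record. The key is "SECRETS/SID/<netbios name>"
# (stored with its terminating NUL, hence 22 bytes) and the value is Samba's
# struct dom_sid:
#   byte 0     revision, always 1
#   byte 1     number of 32-bit sub-authorities
#   bytes 2-7  identifier authority, 6 bytes big-endian (5 = NT Authority)
#   bytes 8-   sub-authorities, 4 bytes each, little-endian
# The struct reserves room for 15 sub-authorities, so the record is 68 bytes
# and unused slots are zero. The SID value below is made up for the example.
SAMPLE_DUMP = """
key 22 bytes
SECRETS/SID/THEWIGGLE
data 68 bytes
[000] 01 04 00 00 00 00 00 05  15 00 00 00 10 32 54 76   ........ .....2Tv
[010] 98 BA DC FE 21 43 65 87  00 00 00 00 00 00 00 00   ....!Ce. ........
[020] 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
[030] 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
[040] 00 00 00 00                                        ....
"""

# Constructed sambaSID values as they might sit on LDAP user entries; the
# third one carries a different domain SID than the local server.
LDAP_SAMBA_SIDS = [
    "S-1-5-21-1985229328-4275878552-2271560481-1000",
    "S-1-5-21-1985229328-4275878552-2271560481-1001",
    "S-1-5-21-3623811015-3361044348-30300820-1002",
]

DOM_SID_STRUCT_SIZE = 68   # sizeof(struct dom_sid) in Samba
MAX_SUB_AUTHS = 15


def sid_blob_from_dump(dump):
    """Collect the value bytes of one tdbtool record dump.

    Each "[offset]" row carries up to 16 bytes. The declared "data N bytes"
    length decides how many tokens to take per row, so the ASCII column can
    never be misread as hex even when the data is printable.
    """
    header = re.search(r"^data (\d+) bytes$", dump, re.M)
    if not header:
        raise ValueError("no 'data N bytes' header in dump")
    remaining = int(header.group(1))
    out = bytearray()
    for line in dump.splitlines():
        row = re.match(r"^\[([0-9A-Fa-f]+)\]\s+(.*)$", line)
        if not row or remaining <= 0:
            continue
        take = min(16, remaining)
        out += bytes(int(tok, 16) for tok in row.group(2).split()[:take])
        remaining -= take
    if remaining:
        raise ValueError("dump is shorter than its declared length")
    return bytes(out)


def sid_from_blob(blob):
    """Decode a binary SID (struct dom_sid or bare wire form) to a string."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    rev, count = blob[0], blob[1]
    if rev != 1:
        raise ValueError("unsupported SID revision %d" % rev)
    if count > MAX_SUB_AUTHS or len(blob) < 8 + 4 * count:
        raise ValueError("bad sub-authority count %d" % count)
    id_auth = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (rev, id_auth) + "".join("-%d" % s for s in subs)


def sid_to_blob(sid, struct_size=True):
    """Encode "S-1-..." to bytes; pad to sizeof(struct dom_sid) by default."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string: %r" % sid)
    id_auth = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHS or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority count or value out of range")
    blob = bytes([1, len(subs)]) + id_auth.to_bytes(6, "big")
    blob += struct.pack("<%dI" % len(subs), *subs)
    return blob.ljust(DOM_SID_STRUCT_SIZE, b"\x00") if struct_size else blob


def domain_of(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-1001 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def entries_outside_domain(local_sid, sambasids):
    """sambaSID values whose domain part is not this server's local SID."""
    return [s for s in sambasids if domain_of(s) != local_sid]


if __name__ == "__main__":
    blob = sid_blob_from_dump(SAMPLE_DUMP)
    local = sid_from_blob(blob)
    print("local SID:", local)
    print("round trip matches tdb record:", sid_to_blob(local) == blob)
    for bad in entries_outside_domain(local, LDAP_SAMBA_SIDS):
        print("sambaSID from another domain:", bad)
```

Run stand-alone it prints the decoded local SID and flags the one constructed LDAP entry whose domain part does not match. The 68-byte padding matters if you ever write the record yourself: Samba stores the whole struct, not just the populated sub-authorities, so a bare 24-byte wire SID would be a different record from what net setlocalsid writes.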
Rowland penny
2015-Dec-15 22:40 UTC
[Samba] How can I change the localSID for a SAMBA Server?
On 15/12/15 22:27, Tetra wrote:
> On 15.12.2015 22:16, Byron Bogaert wrote:
>> We need to change the SID on a standalone server because it needs to also act as a File Server. The authentication comes from LDAP, and we have existing entries in LDAP for the SID of the domain. Instead of changing all the SIDs in LDAP, we would like to be able to change it on the server.
>
> I noticed something similar (though while testing on some older Samba 3 standalone servers, where I wanted to see if I could use LDAP instead of an rsync-replicated smbpasswd file by setting the same SID on all servers).
>
> The SID is locally stored in secrets.tdb and you can see it with tdbtool (though in hex, and you need to know that the last three 10-digit numbers in the SID are 32 bits, or 4 bytes, each).
>
> It seems net setlocalsid changed the SID in secrets.tdb, but the server finds its SID in LDAP after that is set up in smb.conf, and there it was not changed.
>
> I solved it by also changing it manually on the LDAP server, or by making sure that the SID was changed locally before starting up smbd with LDAP configured, or by deleting the LDAP entry for the server and restarting smbd so it was generated anew.
>
> YMMV.

The problem is that the machine is supposed to be a standalone server, and how can it be one if it has the same SID as another machine, or am I missing something? Surely, if it does have the same SID, you are talking about a basic domain.

As long as the computer can get the users' details from LDAP and the underlying OS can see this info, it shouldn't make any difference what its SID is, i.e. as long as 'getent passwd <a user in ldap>' returns the required info.

Rowland