Solved

SAMBA - Problem modifying SID using pdbedit

Posted on 2006-07-04
9
827 Views
Last Modified: 2008-01-09
After changing the SID of any account, eg:

pdbedit -U S-1-5-21-2411803954-1159576741-3064619986-500 -u administrator -r

...the SID *is* changed successfully, but I get the following error:

| Unable to modify TDB passwd ! Error: Record does not exist
|  occured while storing the RID index (RID_000001f4)
| Unable to modify entry!

From this point whenever I try to change the password using smbpasswd, I get a similar error to that above.

Using pdbedit -x to remove the account gives the error "Unable to delete user <user>", but pdbedit -L doesn't list the account any more.

Using tdbdump I find there is a remnant left over in passdb.tdb.  Eg:

{
key(13) = "RID_00000bbc\00"
data(5) = "test\00"
}
{
key(13) = "INFO/version\00"
data(4) = "\02\00\00\00"
}

This problem only happens after changing the SID on an account.

Many thanks,
Steve :)
0
Comment
Question by:sda100
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 17038521
only for comment
you need to have the same SID in the samba and in the system, change in the samba but change in the /etc/passwd file too and try again
0
 
LVL 9

Author Comment

by:sda100
ID: 17038650
Thanks pablouruguay...

AFAIK, the UID:GID in /etc/passwd bears no relation to the SID given to accounts by Samba.  However, I tried your suggestion and it didn't work.

/etc/passwd contains:

administrator:*:1001:1001:Domain Administrator:/home/administrator:/usr/sbin/nologin

pdbedit -Lv administrator gives (after I changed the SID):

Unix username:        administrator
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2411803954-1159576741-3064619986-500
Primary Group SID:    S-1-5-21-2411803954-1159576741-3064619986-512
Full Name:            Domain Administrator
0
 
LVL 27

Expert Comment

by:Nopius
ID: 17055919
Try the following (with another SID):
pdbedit -U S-1-5-21-2411803954-1159576741-3064619986-1001 -u administrator -r

0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 9

Author Comment

by:sda100
ID: 17056417
Hi Nopius,

Nopes, same problem I'm afraid.  Anyway, I have to set the RID to 500 as per MS Windows 'well-known' RID which will then match the domain administrator.  I'm following the official Samba-3 Howto and reference guide, and I've also posted to the Samba lists, but no reply from them either :(

Steve
0
 
LVL 27

Expert Comment

by:Nopius
ID: 17056477
yes, I saw your post there. That's probably a bug unless a configuration error. Also I recommend you to compile the latest development version.
There where some SIP related bugs, probably fixed there.
I saw similar problem in mail archive, but it was resolved with ajusting SID to some other value, which is not your case.
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 17057677
yes i agree with Nopius, is really extrange problem. maybe a bug
0
 
LVL 9

Author Comment

by:sda100
ID: 17214377
Well, I found a workaround, which is to delete the account, and set the RID in the same command as creating the account.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 17419344
PAQed with points refunded (500)

DarthMod
Community Support Moderator
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question