SAMBA - Problem modifying SID using pdbedit

Posted on 2006-07-04
Medium Priority
Last Modified: 2008-01-09
After changing the SID of any account, eg:

pdbedit -U S-1-5-21-2411803954-1159576741-3064619986-500 -u administrator -r

...the SID *is* changed successfully, but I get the following error:

| Unable to modify TDB passwd ! Error: Record does not exist
|  occured while storing the RID index (RID_000001f4)
| Unable to modify entry!

From this point whenever I try to change the password using smbpasswd, I get a similar error to that above.

Using pdbedit -x to remove the account gives the error "Unable to delete user <user>", but pdbedit -L doesn't list the account any more.

Using tdbdump I find there is a remnant left over in passdb.tdb.  Eg:

key(13) = "RID_00000bbc\00"
data(5) = "test\00"
key(13) = "INFO/version\00"
data(4) = "\02\00\00\00"

This problem only happens after changing the SID on an account.

Many thanks,
Steve :)
Question by:sda100
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
LVL 14

Expert Comment

ID: 17038521
only for comment
you need to have the same SID in the samba and in the system, change in the samba but change in the /etc/passwd file too and try again

Author Comment

ID: 17038650
Thanks pablouruguay...

AFAIK, the UID:GID in /etc/passwd bears no relation to the SID given to accounts by Samba.  However, I tried your suggestion and it didn't work.

/etc/passwd contains:

administrator:*:1001:1001:Domain Administrator:/home/administrator:/usr/sbin/nologin

pdbedit -Lv administrator gives (after I changed the SID):

Unix username:        administrator
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2411803954-1159576741-3064619986-500
Primary Group SID:    S-1-5-21-2411803954-1159576741-3064619986-512
Full Name:            Domain Administrator
LVL 27

Expert Comment

ID: 17055919
Try the following (with another SID):
pdbedit -U S-1-5-21-2411803954-1159576741-3064619986-1001 -u administrator -r

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 17056417
Hi Nopius,

Nopes, same problem I'm afraid.  Anyway, I have to set the RID to 500 as per MS Windows 'well-known' RID which will then match the domain administrator.  I'm following the official Samba-3 Howto and reference guide, and I've also posted to the Samba lists, but no reply from them either :(

LVL 27

Expert Comment

ID: 17056477
yes, I saw your post there. That's probably a bug unless a configuration error. Also I recommend you to compile the latest development version.
There where some SIP related bugs, probably fixed there.
I saw similar problem in mail archive, but it was resolved with ajusting SID to some other value, which is not your case.
LVL 14

Expert Comment

ID: 17057677
yes i agree with Nopius, is really extrange problem. maybe a bug

Author Comment

ID: 17214377
Well, I found a workaround, which is to delete the account, and set the RID in the same command as creating the account.

Accepted Solution

DarthMod earned 0 total points
ID: 17419344
PAQed with points refunded (500)

Community Support Moderator

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question