I'm doing some sanity checking on an LDAP database in preparation for a version upgrade on our LDAP server, and I came upon a very few users sharing the same sambaSID attribute. I wonder if I should be concerned about it? And, if yes, what would be the easiest way to solve the problem?
This is something you should be concerned about. In pure Microsoft networks a duplicate SID should never occur, as that's the primary key that AD uses to determine which objects are which. Since this attribute is used by Samba operating in PDC mode while using LDAP as a back-end, Windows servers attempting to translate a SID into an object name will get inconsistent results for those objects.
Fixing it is a four-step process.
Step 2 is the hardest by far. The complexity of your environment will determine how much pain it will cause to dig into. On Linux systems you may be able to dig through filesystems looking for the right Owner information, as that may be set independently of the SID lookup. Your Windows systems are going to be a lot harder.
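A check for the condition described in the question, as an added example that is not part of the original question or answer: it reads LDIF text such as `ldapsearch -LLL '(sambaSID=*)' sambaSID` prints (folded lines and base64 values included) and reports every sambaSID held by more than one entry. The DNs and SIDs are constructed sample data, and comparing SIDs case-insensitively is an assumption.

```python
import base64
from collections import defaultdict

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_attr(line):
    """Split 'name: value' or 'name:: base64' into (lowercased name, decoded value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):  # '::' marks a base64-encoded value
        return name.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.lower(), rest.strip()

def duplicate_sids(ldif_text):
    """Return {sid: [dn, ...]} for every sambaSID held by more than one entry."""
    owners, dn = defaultdict(list), None
    for line in unfold(ldif_text):
        if not line.strip() or line.startswith("#"):
            continue  # record separators and comments
        name, value = parse_attr(line)
        if name == "dn":
            dn = value
        elif name == "sambasid" and dn:
            owners[value.upper()].append(dn)  # assumption: compare case-insensitively
    return {sid: dns for sid, dns in owners.items() if len(dns) > 1}

# Constructed sample data: four entries, two pairs sharing a SID.
SID_PREFIX = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLE_LDIF = "\n\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=org\n"
    "sambaSID: " + SID_PREFIX + "3000",
    "dn: uid=bob,ou=People,dc=example,dc=org\n"
    "sambaSID: " + SID_PREFIX[:20] + "\n " + SID_PREFIX[20:] + "3002",  # folded value
    "dn: uid=carol,ou=People,dc=example,dc=org\n"
    "sambaSID:: " + base64.b64encode((SID_PREFIX + "3000").encode()).decode(),
    "dn: uid=dave,ou=People,dc=example,dc=org\n"
    "sambaSID: " + SID_PREFIX.lower() + "3002",
])

if __name__ == "__main__":
    for sid, dns in sorted(duplicate_sids(SAMPLE_LDIF).items()):
        print(sid, *dns, sep="\n  ")
```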