[Samba] Re: Renamed PDC, now user profiles don't work
I don't mean to be a pest, but I felt that I should reiterate my questions again because I feel that it is an issue that recurs enough to warrant inclusion in the HOWTO (or is it there and I'm just not seeing it?). And I'd like to re-emphasize that I'm offering to patch it. ;-)

On Tue, 04 May 2004 10:24:05 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:

> On Tue, 04 May 2004 13:58:25 +1000 Andrew Bartlett [EMAIL PROTECTED] wrote:
>
>> On Tue, 2004-05-04 at 11:46, Anthony Chavez wrote:
>>
>>> On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
>>>
>>>> I just changed the NetBIOS name of my PDC (*not* the name of the domain) and now the security properties of the domain user profile on my Win2kSP4 workstation shows S-1-5-21-... as the user rather than the username.
>>>
>>> It turned out that this particular machine had a very shaky network connection. Please disregard my post. ;-)
>>
>> However, as a warning to others - this can happen. There was an issue (and it still happens for domain members, for their 'local' users) where if you rename a Samba machine, it can regenerate the local SAM sid. On a PDC, this is also the domain SID.
>
> After I had replaced the cable, I discovered that the problem was that the user was assigned a new SID after all. Fortunately, the affected user stated that trashing the local profile was an option, so I just deleted the local copy and had the workstation snarf a fresh one off the server.
>
> A few questions, however:
>
> 1) Is a patch for this issue desirable? Do we *want* users to retain their SIDs after a machine gets a new name? My initial response would be yes, but I don't consider myself a M$ administration guru.
>
> 2a) What would be the proper procedure to follow in renaming a PDC?
>
> 2b) During a discussion on IRC, it was suggested (after I had already mucked about a bit and brought about the error in the first place) that I configure my new server name in the NetBIOS name parameter and my old one in the NetBIOS alias parameter. I wasn't told that this would actually fix the problem, but I was given the impression that if I were to do that first, then disjoin and rejoin my workstations to the domain, it might. Would it?
>
> 3) When I've got multiple workstations involved, one of my biggest concerns is that any changes that happen to the local profile during the name change get propagated to the server. Is this going to have to be done by hand if the SIDs change and the workstation doesn't reassociate the server UID with the new SID?
>
> P.S.: I know what an SID is. No, really. ;-)
>
> P.P.S.: Sorry for not mentioning this in my first post (I'm usually really good about doing so), but FWIW, I'm running 2.2.8a on FreeBSD 4.9-STABLE. I also apologize for not posting my smb.conf---I usually do that as well. I was in a bit of a hurry at the time.

-- 
Anthony Chavez
http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Renamed PDC, now user profiles don't work
On Tue, 04 May 2004 13:58:25 +1000 Andrew Bartlett [EMAIL PROTECTED] wrote:

> On Tue, 2004-05-04 at 11:46, Anthony Chavez wrote:
>
>> On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
>>
>>> I just changed the NetBIOS name of my PDC (*not* the name of the domain) and now the security properties of the domain user profile on my Win2kSP4 workstation shows S-1-5-21-... as the user rather than the username.
>>
>> It turned out that this particular machine had a very shaky network connection. Please disregard my post. ;-)
>
> However, as a warning to others - this can happen. There was an issue (and it still happens for domain members, for their 'local' users) where if you rename a Samba machine, it can regenerate the local SAM sid. On a PDC, this is also the domain SID.

After I had replaced the cable, I discovered that the problem was that the user was assigned a new SID after all. Fortunately, the affected user stated that trashing the local profile was an option, so I just deleted the local copy and had the workstation snarf a fresh one off the server.

A few questions, however:

1) Is a patch for this issue desirable? Do we *want* users to retain their SIDs after a machine gets a new name? My initial response would be yes, but I don't consider myself a M$ administration guru.

2a) What would be the proper procedure to follow in renaming a PDC?

2b) During a discussion on IRC, it was suggested (after I had already mucked about a bit and brought about the error in the first place) that I configure my new server name in the NetBIOS name parameter and my old one in the NetBIOS alias parameter. I wasn't told that this would actually fix the problem, but I was given the impression that if I were to do that first, then disjoin and rejoin my workstations to the domain, it might. Would it?

3) When I've got multiple workstations involved, one of my biggest concerns is that any changes that happen to the local profile during the name change get propagated to the server. Is this going to have to be done by hand if the SIDs change and the workstation doesn't reassociate the server UID with the new SID?

P.S.: I know what an SID is. No, really. ;-)

P.P.S.: Sorry for not mentioning this in my first post (I'm usually really good about doing so), but FWIW, I'm running 2.2.8a on FreeBSD 4.9-STABLE. I also apologize for not posting my smb.conf---I usually do that as well. I was in a bit of a hurry at the time.

-- 
Anthony Chavez
http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
[Samba] Re: Renamed PDC, now user profiles don't work
On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:

> I just changed the NetBIOS name of my PDC (*not* the name of the domain) and now the security properties of the domain user profile on my Win2kSP4 workstation shows S-1-5-21-... as the user rather than the username.

It turned out that this particular machine had a very shaky network connection. Please disregard my post. ;-)

-- 
Anthony Chavez
http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
Re: [Samba] Re: Renamed PDC, now user profiles don't work
On Tue, 2004-05-04 at 11:46, Anthony Chavez wrote:

> On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
>
>> I just changed the NetBIOS name of my PDC (*not* the name of the domain) and now the security properties of the domain user profile on my Win2kSP4 workstation shows S-1-5-21-... as the user rather than the username.
>
> It turned out that this particular machine had a very shaky network connection. Please disregard my post. ;-)

However, as a warning to others - this can happen. There was an issue (and it still happens for domain members, for their 'local' users) where if you rename a Samba machine, it can regenerate the local SAM sid. On a PDC, this is also the domain SID.

In current versions of Samba (3.0.1 or 3.0.2 I think) we make sure that the 'domain' sid takes precedence, otherwise this really can happen, and you need to get/set the domain sid.

net getlocalsid OLDNETBIOSNAME
net setlocalsid S-.

should do the job, for 3.0. It also happens in Samba 2.2, but we don't have 'net' there, and it's harder to fix. I think there are details in the archives.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
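The get/set procedure Andrew describes above, wrapped in a small guard script: record the domain SID while the old NetBIOS name is still live, rename, then compare and restore with `net setlocalsid` if smbd regenerated it. This is an added example written for this page, not code from the thread or from the Samba project, and it only applies to Samba 3.0, where `net` exists (Anthony's 2.2.8a box has no `net`, as Andrew notes). It assumes that `net getlocalsid` prints a line of the form `SID for domain NAME is: S-1-5-21-...`; the backup path, the `SMB_CONF` fragment in the comments (the `netbios name` / `netbios aliases` arrangement from question 2b, which the thread does not confirm as a fix and which is shown only so the old name keeps answering) and the two SIDs in the self-test are all made up.

```shell
#!/bin/sh
# Added example for this page (not code from the thread or from Samba):
# keep the domain SID of a Samba 3.0 PDC stable across a NetBIOS rename.
#
# Assumptions, made up for illustration unless stated otherwise:
#   - "net" from Samba 3.0 is on PATH, and "net getlocalsid" prints a line
#     of the form "SID for domain NAME is: S-1-5-21-..." (assumed format).
#   - SID_BACKUP is a placeholder path.
#
# Workflow (see the "save" / "verify" entry points at the bottom):
#   1. ./pdc-sid-guard.sh save        # while the OLD netbios name is live
#   2. edit smb.conf, for example
#        [global]
#            netbios name    = NEWPDC
#            netbios aliases = OLDPDC   ; old name keeps answering
#      then restart smbd and nmbd
#   3. ./pdc-sid-guard.sh verify      # restores the SID if it changed

SID_BACKUP=${SID_BACKUP:-/var/lib/samba/pdc-sid.before-rename}

# Pull the first S-1-5-21-... SID out of some text. Prints nothing and
# returns 1 if no domain SID is present, so callers can test the result.
extract_sid() {
    sid=$(printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9][0-9-]*\).*/\1/p' | head -n 1)
    [ -n "$sid" ] || return 1
    printf '%s\n' "$sid"
}

# Classify a before/after pair: "same", "changed", or "unknown" when
# either side is missing (a missing SID must never be treated as "same").
sid_status() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown
    elif [ "$1" = "$2" ]; then
        echo same
    else
        echo changed
    fi
}

# Step 1: record the SID under the old name. Refuses to overwrite an
# existing backup so a second run cannot clobber the pre-rename value.
save_sid() {
    [ ! -e "$SID_BACKUP" ] || { echo "$SID_BACKUP exists; not overwriting" >&2; return 1; }
    out=$(net getlocalsid 2>/dev/null) || return 1
    extract_sid "$out" > "$SID_BACKUP"
}

# Step 3: compare the live SID with the backup and put it back with
# "net setlocalsid" if smbd regenerated it during the rename.
verify_or_restore_sid() {
    before=$(cat "$SID_BACKUP" 2>/dev/null || true)
    out=$(net getlocalsid 2>/dev/null) || return 1
    after=$(extract_sid "$out" || true)
    case $(sid_status "$before" "$after") in
        same)    echo "domain SID unchanged: $after" ;;
        changed) echo "domain SID changed ($before -> $after); restoring" >&2
                 net setlocalsid "$before" ;;
        *)       echo "cannot compare SIDs (before='$before' after='$after')" >&2
                 return 1 ;;
    esac
}

# Constructed "net getlocalsid" output for an offline self-test of the
# parsing and comparison logic; both SIDs are invented.
SAMPLE_BEFORE='SID for domain OLDPDC is: S-1-5-21-1004336348-1177238915-682003330'
SAMPLE_AFTER='SID for domain NEWPDC is: S-1-5-21-3623811015-3361044348-30300820'

case ${1:-} in
    save)     save_sid ;;
    verify)   verify_or_restore_sid ;;
    selftest) b=$(extract_sid "$SAMPLE_BEFORE"); a=$(extract_sid "$SAMPLE_AFTER")
              echo "before=$b after=$a status=$(sid_status "$b" "$a")" ;;
esac
```

Run `save` before touching smb.conf and `verify` after the restart; `selftest` exercises the parser and the comparison on the constructed sample lines without Samba installed. The point of `sid_status` returning `unknown` rather than `same` when a value is missing is that an empty backup file must never be read as "nothing changed" on a box whose profiles and ACLs all hang off that SID.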