Managing Security Identifiers (SIDS)
The basic security identifier that is used by all Windows networking operations is the Windows security
identifier (SID). All Windows network machines (servers and workstations), users, and groups are
identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that
are specific to the SID of the domain to which the user belongs.
It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because
a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you
have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of
having to recover user desktop profiles and perhaps rejoin all member machines to the domain.
First, do not forget to store the local SID in a file. It is a good idea to put this in the directory
in which the
smb.conf file is also stored. Here is a simple action to achieve this:
root# net getlocalsid > /etc/samba/my-sid
Good, there is now a safe copy of the local machine SID. On a PDC/BDC this is the domain SID also.
The following command reveals what the former one should have placed into the file called
root# net getlocalsid
SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429
If ever it becomes necessary to restore the SID that has been stored in the
file, simply copy the SID (the string of characters that begins with
the command line shown here:
root# net setlocalsid S-1-5-21-1385457007-882775198-1210191635
Restoration of a machine SID is a simple operation, but the absence of a backup copy can be very
The following operation is useful only for machines that are being configured as a PDC or a BDC.
DMS and workstation clients should have their own machine SID to avoid
any potential namespace collision. Here is the way that the BDC SID can be synchronized to that
of the PDC (this is the default NT4 domain practice also):
root# net rpc getsid -S FRODO -Uroot%not24get
Storing SID S-1-5-21-726309263-4128913605-1168186429 \
for Domain MIDEARTH in secrets.tdb
Usually it is not necessary to specify the target server (-S FRODO) or the administrator account