Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Samba HowTo Guide
Prev Home Next

Managing Security Identifiers (SIDS)

The basic security identifier that is used by all Windows networking operations is the Windows security identifier (SID). All Windows network machines (servers and workstations), users, and groups are identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that are specific to the SID of the domain to which the user belongs.

It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of having to recover user desktop profiles and perhaps rejoin all member machines to the domain.

First, do not forget to store the local SID in a file. It is a good idea to put this in the directory in which the smb.conf file is also stored. Here is a simple action to achieve this:

root#  net getlocalsid > /etc/samba/my-sid

Good, there is now a safe copy of the local machine SID. On a PDC/BDC this is the domain SID also.

The following command reveals what the former one should have placed into the file called my-sid:

root#  net getlocalsid
SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429

If ever it becomes necessary to restore the SID that has been stored in the my-sid file, simply copy the SID (the string of characters that begins with S-1-5-21) to the command line shown here:

root#  net setlocalsid S-1-5-21-1385457007-882775198-1210191635

Restoration of a machine SID is a simple operation, but the absence of a backup copy can be very problematic.

The following operation is useful only for machines that are being configured as a PDC or a BDC. DMS and workstation clients should have their own machine SID to avoid any potential namespace collision. Here is the way that the BDC SID can be synchronized to that of the PDC (this is the default NT4 domain practice also):

root#  net rpc getsid -S FRODO -Uroot%not24get
Storing SID S-1-5-21-726309263-4128913605-1168186429 \
    for Domain MIDEARTH in secrets.tdb

Usually it is not necessary to specify the target server (-S FRODO) or the administrator account credentials (-Uroot%not24get).

Samba HowTo Guide
Prev Home Next

  Published under the terms fo the GNU General Public License Design by Interspire