Problem: New users get a different domain SID than existing users

Problem:

New users get a different domain SID than existing users.

Investigation

udm settings/sambadomain list
DN: sambaDomainName=SCHEIN,cn=samba,dc=schein,dc=me
  NextGroupRid: 1000
  NextRid: 1000
  NextUserRid: 1000
  SID: S-1-5-21-2258795110-56359529-1961293181
  badLockoutAttempts: 10
  disconnectTime: None
  domainPasswordComplex: 0
  domainPasswordStoreCleartext: 0
  domainPwdProperties: 0
  lockoutDuration: 30 minutes
  logonToChangePW: None
  maxPasswordAge: None
  minPasswordAge: None
  name: SCHEIN
  passwordHistory: 10
  passwordLength: 8
  refuseMachinePWChange: None
  resetCountMinutes: None

udm settings/sambadomain list
DN: sambaDomainName=SCHEIN,dc=schein,dc=me
  NextGroupRid: 1000
  NextUserRid: 1000
  SID: S-1-5-21-1283873862-739045995-469731046
  badLockoutAttempts: 10
  disconnectTime: None
  domainPasswordComplex: 0
  domainPasswordStoreCleartext: 0
  domainPwdProperties: 0
  lockoutDuration: 30 minutes
  logonToChangePW: None
  maxPasswordAge: None
  minPasswordAge: None
  name: SCHEIN
  passwordHistory: 10
  passwordLength: 8
  refuseMachinePWChange: None
  resetCountMinutes: None

Solution:

With

univention-ldapsearch -LLL sambaDomainName=* 
# or 
udm settings/sambadomain list

you will get all configured sambaDomains. There should be only one, because our code expects only one sambaDomain.

But there might be situations where additional sambaDomains are created. For example, if you have a separate non-UCS-based Samba server and change the workgroup in the Samba specification there, we could see that a new sambaDomain was created on the UCS side. These additionally created sambaDomains should be deleted.
You have to check the path and the domain SID part that is already allocated to existing users.
If other domain SIDs have been allocated to users in the meantime, you have to remove them and give those users the right one. This snippet should help with that
(less is just for checking):

newdom="S-1-5-21-2258795110-56359529-1961293181"; univention-ldapsearch '(&(sambaSID=S-1-5-21-1283873862-739045995-469731046-*)(univentionObjectType=users/user))' sambaSID | awk -v nd="$newdom" '/^dn: /{print;print "changetype: modify";print "replace: sambaSID"} /^sambaSID: /{split($2,a,"-"); rid=a[length(a)]; print "sambaSID: " nd "-" rid "\n"}' |less
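
The same rewrite as a reusable shell function, added here as an example (it is not Univention's code). It goes slightly beyond the one-liner: it joins folded LDIF lines so long DNs are not truncated, and it only touches SIDs that consist of the old domain SID plus a single numeric RID. The names rewrite_sids and sample_ldif are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not Univention code). Reads ldapsearch LDIF on stdin and prints
# ldapmodify-style LDIF that moves sambaSID values to the new domain SID.
# rewrite_sids and sample_ldif are hypothetical helper names.
rewrite_sids() {  # usage: rewrite_sids OLD_DOMAIN_SID NEW_DOMAIN_SID < search.ldif
    awk -v old="$1" -v new="$2" '
        function handle(line,    sid, rid) {
            if (line == "")         { dn = ""; return }    # entry separator
            if (line ~ /^dn::? /)   { dn = line; return }  # plain or base64 DN
            if (line !~ /^sambaSID: / || dn == "") return
            sid = substr(line, 11)                         # text after "sambaSID: "
            if (index(sid, old "-") != 1) return           # other domain: leave alone
            rid = substr(sid, length(old) + 2)
            if (rid !~ /^[0-9]+$/) return                  # exactly one numeric RID
            print dn
            print "changetype: modify"
            print "replace: sambaSID"
            print "sambaSID: " new "-" rid
            print ""
        }
        /^ / { buf = buf substr($0, 2); next }  # LDIF folding: join continuation
        { if (NR > 1) handle(buf); buf = $0 }
        END { if (NR > 0) handle(buf) }
    '
}

# Constructed sample input: one short DN, one folded DN, one user already correct.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,dc=schein,dc=me
sambaSID: S-1-5-21-1283873862-739045995-469731046-5012

dn: uid=bob-with-a-very-long-account-name,cn=users,ou=branch,dc=sch
 ein,dc=me
sambaSID: S-1-5-21-1283873862-739045995-469731046-5014

dn: uid=carol,cn=users,dc=schein,dc=me
sambaSID: S-1-5-21-2258795110-56359529-1961293181-5016
EOF
}

olddom="S-1-5-21-1283873862-739045995-469731046"
newdom="S-1-5-21-2258795110-56359529-1961293181"
sample_ldif | rewrite_sids "$olddom" "$newdom"
```

On a real system the input would be the output of the univention-ldapsearch call shown above, and the result can be reviewed in less in the same way.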
