Enhancement #2840

Samba domain SID deep checking

Added by Davide Principi almost 7 years ago. Updated almost 7 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%

Category:nethserver-samba
Target version:v6.5
Resolution:
NEEDINFO: No

Description

The Windows network page makes it easy to switch between the ADS and PDC roles (possibly passing through WS), which leads to SID allocation problems if the same domain name is used with different roles.

Clear previously allocated SID entries in secrets.tdb and LDAP to work around this situation.


Related issues

Related to NethServer 6 - Enhancement #2803: Edit workgroup name when role is Workstation CLOSED

Associated revisions

Revision 1a74268b
Added by Davide Principi almost 7 years ago

NethServer::Samba perl package: encapsulate workgroup name logic. Refs #2840

Revision 28b06221
Added by Davide Principi almost 7 years ago

nethserver-samba-save event: clear SID from LDAP and secrets.tdb. Refs #2840

This action clears any previously allocated domain SID and machine
password when role is switched between ADS and PDC. Moreover, if role
is switched again to ADS, a JOIN operation is forced.

History

#1 Updated by Davide Principi almost 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#2 Updated by Davide Principi almost 7 years ago

#3 Updated by Davide Principi almost 7 years ago

  • Assignee deleted (Davide Principi)

Test case 1

If role is PDC, after update to modified version, access to ibays and accounts must not be changed.

Test case 2

If role is ADS, after update to modified version, access to ibays and accounts must not be changed.

Test case 3

In Windows network page:

  • Select PDC mode and SUBMIT. We assume here the domain name is ADNETHESIS.
  • Check the domain SID is equal to local machine SID:

        # net getdomainsid
        SID for local machine DAVIDEP2 is: S-1-5-21-2283890016-2461737671-586395144
        SID for domain ADNETHESIS is: S-1-5-21-2283890016-2461737671-586395144

  • Select ADS mode to join an AD domain named the same (i.e. ADNETHESIS).
  • Check the domain SID has now changed (must reflect the AD one):

        # net getdomainsid
        SID for local machine DAVIDEP2 is: S-1-5-21-2283890016-2461737671-586395144
        SID for domain ADNETHESIS is: S-1-5-21-<OTHERSID>

  • Select PDC role again: the local and domain SID must now be the same again.
  • Select ADS role: credentials to join the machine must be asked again, and domain SID differs from local machine SID.
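
To make the SID check in test case 3 repeatable, the following added shell snippet (not part of the issue or of the nethserver-samba package) parses `net getdomainsid` output and verifies the role invariant: in PDC role the domain SID must equal the local machine SID, in ADS role it must differ. The hostname and SID values embedded below are constructed samples.

```sh
#!/bin/sh
# Added example, not NethServer project code. Constructed sample outputs
# in the shape printed by `net getdomainsid` (hostname and SIDs are made up).
PDC_OUTPUT='SID for local machine SAMPLEHOST is: S-1-5-21-111-222-333
SID for domain ADNETHESIS is: S-1-5-21-111-222-333'

ADS_OUTPUT='SID for local machine SAMPLEHOST is: S-1-5-21-111-222-333
SID for domain ADNETHESIS is: S-1-5-21-444-555-666'

# sid_field KIND OUTPUT: print the SID from the "local machine" or "domain" line.
sid_field() {
    printf '%s\n' "$2" | sed -n "s/^SID for $1 .* is: \(S-1-5-21-[0-9-]*\)$/\1/p"
}

# check_sid_role ROLE OUTPUT: return 0 when the SIDs match the expectation for ROLE.
# PDC: this host owns the domain, so the domain SID equals the local machine SID.
# ADS: the domain SID belongs to the AD controller, so it must differ from the local one.
# Returns 2 when the output cannot be parsed or the role is unknown.
check_sid_role() {
    role=$1
    local_sid=$(sid_field 'local machine' "$2")
    domain_sid=$(sid_field 'domain' "$2")
    if [ -z "$local_sid" ] || [ -z "$domain_sid" ]; then
        echo "check_sid_role: could not parse net getdomainsid output" >&2
        return 2
    fi
    case $role in
        PDC) [ "$local_sid" = "$domain_sid" ] ;;
        ADS) [ "$local_sid" != "$domain_sid" ] ;;
        *)   echo "check_sid_role: unknown role $role" >&2; return 2 ;;
    esac
}

# On a real host, run against live output, e.g.:
#   check_sid_role PDC "$(net getdomainsid)" && echo "PDC SID invariant holds"
```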

#4 Updated by Davide Principi almost 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Davide Principi almost 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-samba-1.4.5-1.14git5c2b63f.ns6.noarch.rpm

#6 Updated by Giacomo Sanchietti almost 7 years ago

  • Assignee set to Giacomo Sanchietti

#7 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

Test case 1 and 2

Shared folders are still working in both configurations.

Test case 3

PDC:

[root@localhost ~]# net getdomainsid
SID for local machine LOCALHOST is: S-1-5-21-3202484130-3806397224-3565301972
SID for domain ADNETHESIS is: S-1-5-21-3202484130-3806397224-3565301972

AD join:

[root@localhost ~]# net getdomainsid
SID for local machine LOCALHOST is: S-1-5-21-3202484130-3806397224-3565301972
SID for domain ADNETHESIS is: S-1-5-21-2862346328-3280081581-3042534603

Tried to change swap configurations multiple times: all works fine.

#8 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Package in nethserver-updates:

  • nethserver-samba-1.4.6-1.ns6.noarch.rpm
