Enhancement #2840
Samba domain SID deep checking
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-samba | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | No |
Description
The Windows network page easily allows switching between ADS and PDC role (possibly going through WS), leading to SID allocation problems if the same domain name is used on different roles.
Clear previously allocated SID entries in secrets.tdb and LDAP to avoid such a situation.
Related issues
Associated revisions
NethServer::Samba perl package: encapsulate workgroup name logic. Refs #2840
nethserver-samba-save event: clear SID from LDAP and secrets.tdb. Refs #2840
This action clears any previously allocated domain SID and machine
password when role is switched between ADS and PDC. Moreover, if role
is switched again to ADS, a JOIN operation is forced.
History
#1 Updated by Davide Principi almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#2 Updated by Davide Principi almost 7 years ago
- Related to Enhancement #2803: Edit workgroup name when role is Workstation added
#3 Updated by Davide Principi almost 7 years ago
- Assignee deleted (Davide Principi)
Test case 1
If role is PDC, after update to modified version, access to ibays and accounts must not be changed.
Test case 2
If role is ADS, after update to modified version, access to ibays and accounts must not be changed.
Test case 3
In Windows network page:
- Select PDC mode and SUBMIT. We assume here the domain name is ADNETHESIS.
- Check the domain SID is equal to local machine SID:

  ```
  # net getdomainsid
  SID for local machine DAVIDEP2 is: S-1-5-21-2283890016-2461737671-586395144
  SID for domain ADNETHESIS is: S-1-5-21-2283890016-2461737671-586395144
  ```
- Select ADS mode to join an AD domain named the same (i.e. ADNETHESIS).
- Check the domain SID has now changed (must reflect the AD one):

  ```
  net getdomainsid
  SID for local machine DAVIDEP2 is: S-1-5-21-2283890016-2461737671-586395144
  SID for domain ADNETHESIS is: S-1-5-21-<OTHERSID>
  ```
- Select PDC role again: the local and domain SID must now be the same again.
- Select ADS role: credentials to join the machine must be asked again, and domain SID differs from local machine SID.
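The SID relation these steps check, as an added shell example that is not part of this issue or of nethserver-samba: it parses `net getdomainsid` output and reports whether the domain SID matches the PDC expectation (equal to the local machine SID) or the ADS one (different). The sample outputs are constructed from the ones pasted in this issue; `check_live_role` assumes Samba's `net` is on the path.

```shell
# Added example, not nethserver-samba code: check the domain SID / machine SID
# relation test case 3 expects (pdc: equal, ads: different) from `net getdomainsid`.

# Print the local machine SID found in `net getdomainsid` output on stdin.
local_sid() {
    sed -n 's/^SID for local machine .* is: *\(S-[0-9-]*\).*/\1/p'
}

# Print the domain SID found in `net getdomainsid` output on stdin.
domain_sid() {
    sed -n 's/^SID for domain .* is: *\(S-[0-9-]*\).*/\1/p'
}

# check_role_sids ROLE OUTPUT -> prints ok | mismatch | unparsable
# Exit status: 0 ok, 1 mismatch, 2 unparsable output or unknown role.
check_role_sids() {
    role=$1
    out=$2
    lsid=$(printf '%s\n' "$out" | local_sid)
    dsid=$(printf '%s\n' "$out" | domain_sid)
    if [ -z "$lsid" ] || [ -z "$dsid" ]; then
        echo unparsable
        return 2
    fi
    case $role in
        pdc) expect_equal=1 ;;   # PDC: domain SID is the local machine SID
        ads) expect_equal=0 ;;   # ADS: domain SID comes from the AD domain
        *)   echo unparsable; return 2 ;;
    esac
    if [ "$lsid" = "$dsid" ]; then equal=1; else equal=0; fi
    if [ "$equal" -eq "$expect_equal" ]; then
        echo ok
        return 0
    fi
    echo mismatch
    return 1
}

# Same check against the live system (needs Samba's `net`; not run here).
check_live_role() {
    check_role_sids "$1" "$(net getdomainsid)"
}

# Constructed samples, copied from the outputs pasted in this issue.
SAMPLE_PDC='SID for local machine LOCALHOST is: S-1-5-21-3202484130-3806397224-3565301972
SID for domain ADNETHESIS is: S-1-5-21-3202484130-3806397224-3565301972'
SAMPLE_ADS='SID for local machine LOCALHOST is: S-1-5-21-3202484130-3806397224-3565301972
SID for domain ADNETHESIS is: S-1-5-21-2862346328-3280081581-3042534603'
check_role_sids pdc "$SAMPLE_PDC"   # ok
check_role_sids ads "$SAMPLE_ADS"   # ok
```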
#4 Updated by Davide Principi almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#5 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-samba-1.4.5-1.14git5c2b63f.ns6.noarch.rpm
#6 Updated by Giacomo Sanchietti almost 7 years ago
- Assignee set to Giacomo Sanchietti
#7 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 70 to 90
Test case 1 and 2
Shared folders are still working in both configurations.
Test case 3
PDC:

```
[root@localhost ~]# net getdomainsid
SID for local machine LOCALHOST is: S-1-5-21-3202484130-3806397224-3565301972
SID for domain ADNETHESIS is: S-1-5-21-3202484130-3806397224-3565301972
```

AD join:

```
[root@localhost ~]# net getdomainsid
SID for local machine LOCALHOST is: S-1-5-21-3202484130-3806397224-3565301972
SID for domain ADNETHESIS is: S-1-5-21-2862346328-3280081581-3042534603
```
Tried to change swap configurations multiple times: all works fine.
#8 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-samba-1.4.6-1.ns6.noarch.rpm