ClearOS Bug Tracker


ID: 0006181
Project: ClearOS
Category: app-samba - Windows Networking
View Status: public
Date Submitted: 2015-11-12 15:10
Last Update: 2017-08-18 10:02
Reporter: dloper
Assigned To: (unassigned)
Priority: normal
Severity: trivial
Reproducibility: always
Status: acknowledged
Resolution: open
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version: 7.4.0 Updates
Fixed in Version: (not set)
Summary: 0006181: Full BDC functionality
Description:

Backup domain controllers should use the SID of the domain for their localsid. This is necessary for using a BDC as a domain controller on a remote LAN. Without this, current BDCs are not able to authenticate users. This becomes particularly painful on remote networks where local authentication is required.

Samba documentation has this to say:

"The following operation is useful only for machines that are being configured as a PDC or a BDC. DMS and workstation clients should have their own machine SID to avoid any potential namespace collision. Here is the way that the BDC SID can be synchronized to that of the PDC (this is the default NT4 domain practice also):

root# net rpc getsid -S FRODO -Uroot%not24get"

(DMS means domain member server)

All workstations joined to the domain already have the domain SID set to the same as the domain. This statement means that the localSID should be the same and when performing this in real world scenarios where the BDC is offsite, it resolves domain join and authentication issues.

While the documentation states that 'net rpc getsid -S SERVERNAME -Uwinadmin%password' should perform the task, it doesn't work.

Per the suggestion of the documentation where this appears (https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html), it would be wise to back up the localsid before replacing it in case a server ever needs to be removed as a BDC/PDC on the network.

net getlocalsid > /etc/samba/my-sid

-or-

net getlocalsid > /var/lib/samba/deprecated-local-sid

As a note, once this is done on the BDC, anyone logging into the domain controller will be given the logon scripts from the local netlogon share, which should be enabled if it is enabled on the PDC and replicated. Currently it is disabled on the BDC as a share. Change:

Available = No

-to-

Available = Yes
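An added example, not from this ticket or from ClearOS or Samba, of the backup-then-replace procedure described above as a POSIX shell script: it saves the BDC's current local SID to a backup file before changing anything (and never overwrites an earlier backup), reads the domain SID from the PDC with `net rpc info`, and applies it with `net setlocalsid` instead of the `net rpc getsid` route the reporter found not to work. The exact wording of the `net` output being parsed ("SID for domain ... is:" and "Domain SID:") and the NET_CMD hook used for testing are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ClearOS ticket: back up a BDC's local SID,
# then replace it with the PDC's domain SID using `net setlocalsid`.
# NET_CMD exists so a test can substitute a stub for the real `net` binary.
NET_CMD="${NET_CMD:-net}"

# A domain SID is S-1-5-21 followed by exactly three numeric sub-authorities;
# well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators) are rejected.
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]{1,10}){3}$'
}

# Current local SID, parsed from "SID for domain HOST is: S-1-5-21-..." (assumed format).
current_local_sid() {
    "$NET_CMD" getlocalsid | sed -n 's/^SID for domain .* is: //p'
}

# Domain SID as reported by the PDC, parsed from the "Domain SID:" line of `net rpc info`.
pdc_domain_sid() {
    "$NET_CMD" rpc info -S "$1" -U "$2" | sed -n 's/^Domain SID: *//p'
}

# sync_local_sid PDC_HOST USER%PASSWORD BACKUP_FILE
# Writes the pre-change local SID to BACKUP_FILE only if no backup exists yet
# (a re-run must not replace the original SID with the domain SID), then sets
# the local SID to the domain SID and verifies that the change was persisted.
sync_local_sid() {
    pdc=$1; creds=$2; backup=$3
    cur=$(current_local_sid)
    is_domain_sid "$cur" || { echo "unparseable local SID: '$cur'" >&2; return 1; }
    if [ ! -s "$backup" ]; then
        ( umask 077; printf '%s\n' "$cur" > "$backup" )   # owner-only backup file
    fi
    dom=$(pdc_domain_sid "$pdc" "$creds")
    is_domain_sid "$dom" || { echo "could not read domain SID from $pdc" >&2; return 1; }
    if [ "$cur" = "$dom" ]; then
        echo "local SID already matches domain SID $dom"; return 0
    fi
    "$NET_CMD" setlocalsid "$dom" || return 1
    [ "$(current_local_sid)" = "$dom" ] || { echo "SID change not persisted" >&2; return 1; }
    echo "local SID changed from $cur to $dom (backup in $backup)"
}

# Runs only when invoked as a script with three arguments, e.g.:
#   sh sync_sid.sh PDCHOST winadmin%password /etc/samba/my-sid
if [ $# -eq 3 ]; then sync_local_sid "$@"; fi
```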
Tags: No tags attached.

Notes: There are no notes attached to this issue.

Issue History
Date Modified Username Field Change
2015-11-12 15:10 dloper New Issue
2016-02-16 12:54 pbaldwin Status new => acknowledged
2016-02-16 12:54 pbaldwin Target Version 6.7.0 Updates => 6.8.0 Updates
2017-01-03 10:50 pbaldwin Product Version 6.7.0 =>
2017-01-03 10:50 pbaldwin Target Version 6.8.0 Updates => 7.4.0 Beta 1
2017-08-18 10:02 pbaldwin Target Version 7.4.0 Beta 1 => 7.4.0 Updates