[Samba] Administrators SID is invalid.

mots nibutif at gmail.com
Mon Oct 20 12:32:45 MDT 2014


I think I've made some progress:

It's not actually the user "Administrator" that's broken, it's the group
"Administrators".
Its SID in both sam.ldf and idmap.ldf is S-1-5-32-544, which looks kind
of short. Is there another place where the SID for groups is stored?

Kind regards,

mots

Am 20.10.2014 um 14:41 schrieb mots:
> Alright, now it's getting weird.
>
> I've restored the whole /usr/local/samba/private directory from a one
> month old backup, yet I'm still getting the same error.
>
> Does anyone have an idea where else the problem could be?
>
> Kind regards,
>
> mots
>
> Am 18.10.2014 um 14:18 schrieb Rowland Penny:
>> On 18/10/14 12:26, mots wrote:
>>> My smb.conf file is really basic. I've only added a few lines for the
>>> print server and enabled schema updates so I could install the zarafa AD
>>> integration. It hasn't been changed since 29.09.2014.
>>>
>>> -rw-r--r-- 1 root staff 1116 Sep 29 13:18 /usr/local/samba/etc/smb.conf
>>>
>>> # Global parameters
>>> [global]
>>>          workgroup = CLUSTER
>>>          realm = CLUSTER.DOMAIN.CH
>>>          netbios name = SAMBA
>>>          server role = active directory domain controller
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>          idmap_ldb:use rfc2307 = yes
>>>          rpc_server:spoolss = external
>>>          rpc_daemon:spoolssd = fork
>>>          load printers = yes
>>>          spoolss: architecture = Windows x64
>>>          unix extensions = no
>>>          dsdb:schema update allowed = true
>>>          load printers = yes
>>>
>>>
>>> [netlogon]
>>>          path = /usr/local/samba/var/locks/sysvol/cluster.domain.ch/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /usr/local/samba/var/locks/sysvol
>>>          read only = No
>>>
>>> [printers]
>>>       path = /var/spool/samba
>>>       printable = yes
>>>       printing = CUPS
>>>
>>> [print$]
>>>       path = /var/shares/Printer_drivers
>>>       comment = Printer Drivers
>>>       writeable = yes
>>>
>>> [profile$]
>>>          path = /var/shares/profiles
>>>          read only = no
>>>
>>> [doc$]
>>>          path = /var/shares/docs
>>>          read only = no
>>>
>>> [Customer]
>>>          path = /var/shares/customer
>>>          read only = No
>>> [Buspro]
>>>          path = /var/shares/buspro
>>>          read only = No
>>>
>>> [Daten]
>>>          path = /var/shares/daten
>>>          read only = no
>>>
>>> Am 18.10.2014 um 13:18 schrieb Rowland Penny:
>>>> On 18/10/14 12:06, mots wrote:
>>>>> Yes, the output matches the one from before.
>>>>>
>>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555
>>>>>
>>>>> Am 18.10.2014 um 12:56 schrieb Rowland Penny:
>>>> OK, everything about the Administrator account seems correct (even the
>>>> accountExpires attribute, concentrating on the expiry day & month, I
>>>> totally missed that it wouldn't expire until the year 4253 LOL ) so I
>>>> am at a bit of a loss now. Perhaps there is something in smb.conf that
>>>> is causing this, so could you post your smb.conf.
>>>>
>>>> Rowland
>>>>
>>>>>> On 18/10/14 11:45, mots wrote:
>>>>>>> Thanks, but that didn't work, I'm still getting the same error.
>>>>>>>
>>>>>>> Also weird: If the account was expired, then I shouldn't have been
>>>>>>> able
>>>>>>> to log in at all, right?
>>>>>>>
>>>>>>> Kind regards,
>>>>>>>
>>>>>>> mots
>>>>>>>
>>>>>>> Am 18.10.2014 um 11:50 schrieb Rowland Penny:
>>>>>>>> On 18/10/14 10:20, mots wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>> now. It
>>>>>>>>> still works for all users except "Administrator".
>>>>>>>>>
>>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>>> can't
>>>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>>>> error
>>>>>>>>> "The security ID structure is invalid".
>>>>>>>>>
>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>
>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>> server
>>>>>>>>> running samba I receive this error: "session setup failed:
>>>>>>>>> NT_STATUS_INVALID_SID".
>>>>>>>>>
>>>>>>>>> Is there a way to fix this without restoring the database from
>>>>>>>>> backup?
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>>
>>>>>>>>> mots
>>>>>>>> possibly, have you done anything to the Administrator account ?
>>>>>>>>
>>>>>>>> Also can you post the (sanitized) result of:
>>>>>>>>
>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>>>>>>>
>>>>>>>> You may have to alter '/var/lib/samba/private/sam.ldb' with the
>>>>>>>> path
>>>>>>>> to your sam.ldb
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> That was the only obvious problem, OK, let's check if the Administrator
>>>>>> has the correct SID:
>>>>>>
>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb DC=cluster | grep
>>>>>> objectSid
>>>>>>
>>>>>> does the result match what you posted earlier ?
>>>>>>
>>>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
>>>>>>
>>>>>> Note: ignore the -500, this is the Administrator's RID and is always
>>>>>> '500'
>>>>>>
>>>>>> Rowland
>>>>>>
>> Hm, you said that you were using samba 4.2 and your smb.conf confirms
>> this (you are using the new(old) winbind 'winbindd') and I would have
>> thought that there would now be some of the familiar 'winbind' lines
>> in smb.conf. I would have thought the lines to map the builtin users
>> would be there:
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 2000-9999
>>
>> But I suppose that idmap.ldb is still doing this.
>>
>> This leads to what I think must be last thoughts on this, I wonder if
>> the Administrators SID is wrong in idmap.ldb:
>>
>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>
>> Search for -500 and check the SID to see if it matches what you found
>> earlier.
>>
>> Rowland
>>
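The thread turns on reading SIDs by hand: the "short" S-1-5-32-544 is the well-known BUILTIN\Administrators alias, while the domain SID S-1-5-21-... gains a trailing RID (500 for Administrator) per account. The parser below is an added example, not code from the thread or from Samba; the RID names are the standard well-known Windows values, and it lets you check an idmap.ldb or sam.ldb entry against the domain SID the way Rowland suggests doing by eye.

```python
import re

# Added example (not from the thread): parse and classify Windows/AD SIDs the way
# an admin reading sam.ldb or idmap.ldb needs to. RID names are the standard
# well-known Windows values; sample SIDs used with it come from the thread.
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests"}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split 'S-R-IA-SA1-...-SAn' into (revision, authority, [subauthorities]); ValueError if malformed."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("invalid SID syntax: %r" % sid)
    rev, auth = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    # Revision is always 1; at most 15 sub-authorities, each a 32-bit unsigned value.
    if rev != 1 or len(subs) > 15 or any(x > 0xFFFFFFFF for x in subs):
        raise ValueError("SID out of spec: %r" % sid)
    return rev, auth, subs


def is_valid_sid(sid):
    try:
        parse_sid(sid)
        return True
    except ValueError:
        return False


def describe_sid(sid):
    """Classify a SID: BUILTIN alias (short, no domain part), domain SID, or domain account."""
    _, auth, subs = parse_sid(sid)
    if auth == 5 and len(subs) == 2 and subs[0] == 32:
        # S-1-5-32-<RID> is the BUILTIN domain; it is legitimately short.
        return "BUILTIN\\" + BUILTIN_ALIASES.get(subs[1], "alias RID %d" % subs[1])
    if auth == 5 and subs[0] == 21:
        if len(subs) == 4:
            return "domain SID"
        if len(subs) == 5:
            return "domain account, RID %d (%s)" % (subs[4], DOMAIN_RIDS.get(subs[4], "unknown"))
    return "other SID (authority %d)" % auth


def sid_in_domain(sid, domain_sid):
    """True when `sid` is an account or group of the domain identified by `domain_sid`."""
    _, a1, s1 = parse_sid(sid)
    _, a2, s2 = parse_sid(domain_sid)
    return a1 == a2 and len(s1) == len(s2) + 1 and s1[:-1] == s2
```

Run `describe_sid` over every objectSid/xidNumber mapping you pull out of idmap.ldb with ldbsearch and flag anything that is neither a BUILTIN alias nor in your own domain; a SID that fails `is_valid_sid` is the kind of entry that produces NT_STATUS_INVALID_SID.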


