[Samba] Administrators SID is invalid.

Carlo mail.list.it at gmail.com
Sun Jan 18 11:10:11 MST 2015


On 17/01/15 17:10, Rowland Penny wrote:
> On 17/01/15 14:39, Carlo wrote:
>>
>>>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>>>>>> now. It
>>>>>>>>>>>>> still works for all users except "Administrator".
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>>>>>>> can't
>>>>>>>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>>>>>>>> error
>>>>>>>>>>>>> "The security ID structure is invalid".
>>>>>>>>>>>>>
>>>>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>>>>
>>>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>>>>> server
>>>>>>>>>>>>> running samba I receive this error: "session setup failed:
>>>>>>>>>>>>> NT_STATUS_INVALID_SID".
>> Hello to all.
>>
>> I am still having this problem on 2 Samba 4.2* servers.
>>
>> Same problem and same behaviour after a month for one server and two weeks for
>> the other.
>>
>> My system is:
>> CentOS 6.5
>> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 
>> 2014 x86_64 x86_64 x86_64 GNU/Linux
>> and Samba version 4.2.0rc2
>>
>>
>> Then I followed Rowland's suggestion to check the administrator SID, and the
>> results were:
>>
>> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
>> cn=Administrator
>> dn: CN=Administrator,CN=Users,DC=domain,DC=lan
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Administrator
>> description: Built-in account for administering the computer/domain
>> instanceType: 4
>> whenCreated: 20140918163432.0Z
>> uSNCreated: 3545
>> name: Administrator
>> objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>> adminCount: 1
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: Administrator
>> sAMAccountType: 805306368
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
>> isCriticalSystemObject: TRUE
>> memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
>> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
>> userAccountControl: 66048
>> msDS-SupportedEncryptionTypes: 0
>> pwdLastSet: 130658091420000000
>> whenChanged: 20150115152542.0Z
>> uSNChanged: 4885
>> distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>>
>> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
>> DC=domain | grep objectSid
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802
>>
>>
>> ---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
>>
>> # record 39
>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>> cn: S-1-5-21-2643849351-2101160060-2305757802-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>>
>>
>> As reported, the time is correct and the administrator account never expires;
>> you can check here:
>> http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
>>
>> I have noted that the SID error "sometimes" (30 sec in 2/3 hours, sometimes) does
>> not appear and I can work correctly with my administrator account for 30-40 sec.
>> The same thing happens on both Samba 4.2* servers.
>>
>> I've tested this error from WinXP/7/8/8.1 and it is always the same.
>>
>>
>>
>> I post the smb.conf:
>>
>> # Global parameters
>> [global]
>>     workgroup = DOMAIN
>>     realm = DOMAIN.LAN
>>     netbios name = ADDOMAIN
>>     server role = active directory domain controller
>>     dns forwarder = 8.8.8.8
>>     idmap_ldb:use rfc2307 = yes
>>     spoolss: architecture = Windows x64
>>
>>
>>
>> [netlogon]
>>     path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /usr/local/samba/var/locks/sysvol
>>     read only = No
>>
>> [public]
>>         path = /dati/public
>>         read only = No
>>
>> [users]
>>         path = /dati/users
>>         read only = No
>>
>> [profiles]
>>         path = /dati/profiles
>>         read only = No
>>     oplocks=no
>>
>> [printers]
>>      path = /var/spool/samba
>>      printable = yes
>>      printing = CUPS
>>
>> [print$]
>>      path = /srv/samba/Printer_drivers
>>      comment = Printer Drivers
>>      writeable = yes
>>
>>
>>
>> In messages.log I have something when I try to login with the administrator
>> account with the right password; here I have an "Unable to convert SID":
>>
>>
>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] 
>> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>> Jan 17 15:08:52 addomain smbd[21942]:   Unable to convert SID 
>> (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a 
>> GID.  Conversion was returned as type 1, full token:
>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] 
>> ../libcli/security/security_token.c:63(security_token_debug)
>> Jan 17 15:08:52 addomain smbd[21942]:   Security token SIDs (13):
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  0]: 
>> S-1-5-21-2643849351-2101160060-2305757802-500
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  1]: 
>> S-1-5-21-2643849351-2101160060-2305757802-513
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  2]: 
>> S-1-5-21-2643849351-2101160060-2305757802-520
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  3]: 
>> S-1-5-21-2643849351-2101160060-2305757802-572
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  4]: 
>> S-1-5-21-2643849351-2101160060-2305757802-519
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  5]: 
>> S-1-5-21-2643849351-2101160060-2305757802-518
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  6]: 
>> S-1-5-21-2643849351-2101160060-2305757802-512
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  7]: S-1-1-0
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  8]: S-1-5-2
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  9]: S-1-5-11
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 10]: S-1-5-32-544
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 11]: S-1-5-32-545
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 12]: S-1-5-32-554
>> Jan 17 15:08:52 addomain smbd[21942]:    Privileges (0x 1FFFFF00):
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  0]: 
>> SeTakeOwnershipPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  1]: SeBackupPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  2]: SeRestorePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  3]: 
>> SeRemoteShutdownPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  4]: SeSecurityPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  5]: SeSystemtimePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  6]: SeShutdownPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  7]: SeDebugPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  8]: 
>> SeSystemEnvironmentPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  9]: 
>> SeSystemProfilePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 10]: 
>> SeProfileSingleProcessPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 11]: 
>> SeIncreaseBasePriorityPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 12]: SeLoadDriverPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 13]: 
>> SeCreatePagefilePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 14]: 
>> SeIncreaseQuotaPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 15]: 
>> SeChangeNotifyPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 16]: SeUndockPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 17]: 
>> SeManageVolumePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 18]: SeImpersonatePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 19]: 
>> SeCreateGlobalPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 20]: 
>> SeEnableDelegationPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:    Rights (0x 403):
>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  0]: SeInteractiveLogonRight
>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  1]: SeNetworkLogonRight
>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  2]: 
>> SeRemoteInteractiveLogonRight
>>
>>
>> Maybe the problem is with "idmap_ldb:use rfc2307 = yes" and winbind?
>>
>> Maybe this is an interesting part, but I don't understand where to look.
>>
>> ---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
>> # record 37
>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>> cn: S-1-5-21-2643849351-2101160060-2305757802-512
>> objectClass: sidMap
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
>> type: ID_TYPE_BOTH
>> xidNumber: 3000008
>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>>
>>
>> Does someone have behaviour similar to mine?
>>
>> Any kind of help or suggestion is welcome.
>>
>> Many thanks in advance!
>>
>> Regards
>>
>> Charles
>>
>
> OK, I am a bit lost here, I can login as Administrator to my DC, so when you 
> say 'when i try to login with administrator account with the right password', 
> just how are you trying to login?
I've tried to login with the "Administrator" user on a shared folder or at the
user login at Windows start.

Logging in with the "Administrator" user with a wrong password, Samba correctly
denies the login and says nothing about the SID.
Only if I put the correct password does Samba respond with the Invalid SID error,
write the log in messages.log and not let me login or use the shared folder.
>
> Also, why are you using 4.2.0rc2, is this a test domain or production?
> If it is production, why are you ignoring what it says here: 
> https://wiki.samba.org/index.php/Obtaining_Samba
>
> *Warning: Never install a development version in production! It may contain 
> untested features and can cause damages to your installation! Development 
> releases are for testing purposes only!
>
> Also, why are you ignoring what it says here: 
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions
Testing, and all of them have the same behaviour after some time.
This thread was not started by me, but I've cut too many pieces out of the old
thread and caused some misunderstanding, sorry...

>
> We do not recommend using the Domain Controller as a file server. This is 
> due to issues with the winbind internal to the Domain Controller. The 
> recommendation is to run separate file or Member Servers 
> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.
OK, I'll use KVM to separate the file server from the domain controller in
production because I've only one server.
>
> This still goes with 4.2
>
> I recommend that you try again with the latest stable release, 4.1.16 and see 
> if the problem still persists, if it does we stand a better chance of fixing it.

With the latest stable release, 4.1.16, it seems to work well.
No more SID error.
Tomorrow I'll do some more accurate tests.
Thank you for your support, Rowland.

Testing 4.2rc4, the problem still exists.
Do you recommend that I write something about this behaviour at
https://bugzilla.samba.org/?
I can still reproduce the SID error with 4.2rc2 / rc3 / rc4.

Charles
>
> Rowland
>
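A small triage script, added here and not part of the thread or of Samba itself, that reads the smbd "Unable to convert SID ... to a GID" line quoted above and the matching idmap.ldb sidMap record, and reports whether the stored mapping could have yielded a GID at all. The log line and LDIF record are constructed from the values in the thread, and the numeric id_type names (1 = ID_TYPE_UID, 2 = ID_TYPE_GID, 3 = ID_TYPE_BOTH) are an assumption about Samba's enum; for the -512 record it shows the stored type is ID_TYPE_BOTH, so the mismatch sits in the runtime conversion rather than in the idmap.ldb contents.

```python
import re

# Constructed sample: the smbd failure line from the thread, unwrapped onto one line.
SMBD_LOG = ("Jan 17 15:08:52 addomain smbd[21942]:   Unable to convert SID "
            "(S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user "
            "token to a GID.  Conversion was returned as type 1, full token:\n")

# Constructed sample: the matching idmap.ldb record as ldbedit/ldbsearch print it.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008
"""

# Assumed numbering of Samba's enum id_type; "type 1" is what the log reports.
ID_TYPE = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID", 2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}
GID_CAPABLE = {"ID_TYPE_GID", "ID_TYPE_BOTH"}
FAIL_RE = re.compile(r"Unable to convert SID \((S-[\d-]+)\) at index (\d+) .*?returned as type (\d+)")

def parse_failures(log):
    """Return (sid, token_index, returned_type_name) for each failed SID->GID conversion."""
    return [(m.group(1), int(m.group(2)), ID_TYPE.get(int(m.group(3)), "unknown"))
            for m in FAIL_RE.finditer(log)]

def parse_idmap(ldif):
    """Return {objectSid: (type, xidNumber)} for every sidMap record in LDIF text."""
    records = {}
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if attrs.get("objectClass") == "sidMap":
            records[attrs["objectSid"]] = (attrs.get("type", ""), int(attrs.get("xidNumber", "-1")))
    return records

def triage(log, ldif):
    """Say, per failed SID, whether idmap.ldb or the runtime conversion is the odd one out."""
    idmap = parse_idmap(ldif)
    results = []
    for sid, idx, returned in parse_failures(log):
        stored = idmap.get(sid)
        if stored is None:
            verdict = "no sidMap record in idmap.ldb"
        elif stored[0] not in GID_CAPABLE:
            verdict = "stored type %s cannot yield a GID" % stored[0]
        elif returned not in GID_CAPABLE:
            verdict = "stored %s/xid %d is GID-capable but runtime returned %s" % (stored[0], stored[1], returned)
        else:
            verdict = "mapping looks consistent"
        results.append((idx, sid, verdict))
    return results
```

Feed it the real messages.log and the output of `ldbsearch -H /usr/local/samba/private/idmap.ldb objectClass=sidMap` to check every SID the token dump complains about, not just the one quoted here.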