[Samba] The security id structure is invalid
Ron García-Vidal
ron at riomargroup.com
Tue Oct 4 18:00:02 UTC 2016
I recently upgraded Samba on my DC from a working 4.3 installation to
4.5.0. Once done, I followed the instructions here:
https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
and ran:
samba-tool dbcheck --cross-ncs --fix --yes
After that, I can no longer access the shares on this machine. I get the
"Security ID structure is invalid" error above. In addition, the RSAT
can't speak to the DC, and other Linux boxes (running sssd) are saying
"Authentication server cannot be found".
I am able to access the server using an LDAP browser and am trying to
piece my way to fixing this, but am coming up empty-handed. This is my
home server and only has three users, so I could technically wipe and
rebuild the server, but since I have many clients who use Samba, I would
like to figure out how to fix this in case it comes up again.
The syslog is giving the following errors:
Oct 4 13:56:15 harleyquinn smbd[17702]: Unable to convert SID
(S-1-5-11) at index 5 in user token to a GID. Conversion was returned
as type 0, full token:
Oct 4 13:56:15 harleyquinn smbd[17702]: [2016/10/04 13:56:15.283772,
0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 4 13:56:15 harleyquinn smbd[17702]: Security token SIDs (8):
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 0]:
S-1-5-21-1319907214-2951884047-2640289736-1105
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 1]:
S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 2]:
S-1-5-21-1319907214-2951884047-2640289736-513
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 3]: S-1-1-0
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 4]: S-1-5-2
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 5]: S-1-5-11
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 6]: S-1-5-32-545
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 7]: S-1-5-32-554
Oct 4 13:56:15 harleyquinn smbd[17702]: Privileges (0x 800000):
Oct 4 13:56:15 harleyquinn smbd[17702]: Privilege[ 0]:
SeChangeNotifyPrivilege
Oct 4 13:56:15 harleyquinn smbd[17702]: Rights (0x 400):
Oct 4 13:56:15 harleyquinn smbd[17702]: Right[ 0]:
SeRemoteInteractiveLogonRight
Oct 4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367502,
0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Oct 4 13:56:15 harleyquinn smbd[17703]: Unable to convert SID
(S-1-5-11) at index 5 in user token to a GID. Conversion was returned
as type 0, full token:
Oct 4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367835,
0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 4 13:56:15 harleyquinn smbd[17703]: Security token SIDs (8):
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 0]:
S-1-5-21-1319907214-2951884047-2640289736-1105
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 1]:
S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 2]:
S-1-5-21-1319907214-2951884047-2640289736-513
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 3]: S-1-1-0
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 4]: S-1-5-2
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 5]: S-1-5-11
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 6]: S-1-5-32-545
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 7]: S-1-5-32-554
Oct 4 13:56:15 harleyquinn smbd[17703]: Privileges (0x 800000):
Oct 4 13:56:15 harleyquinn smbd[17703]: Privilege[ 0]:
SeChangeNotifyPrivilege
Oct 4 13:56:15 harleyquinn smbd[17703]: Rights (0x 400):
Oct 4 13:56:15 harleyquinn smbd[17703]: Right[ 0]:
SeRemoteInteractiveLogonRight
These are repeated for various SIDs.
Also, the samba-tool dbcheck is unable to fix the following:
ERROR: incorrect GUID component for member in object CN=Domain
Admins,CN=Users,DC=dc1,DC=evilgenius,DC=net -
<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Change DN to
<GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
ERROR: Failed to fix incorrect GUID on attribute member : (53,
'Attribute member already deleted for target GUID
a8e1e07a-cab8-4222-a024-97d59084268b')
I'm not even sure where to start fixing this and am not finding anything
similar via Google.
-Ron
--
Riomar Group <http://www.riomargroup.com>*Ron García-Vidal | President |
Riomar Group
(A NYC, NYS & PANYNJ Certified MBE & DBE)*
1315 Prospect Ave., First Floor | Brooklyn, NY 11218
7400 SW 50th Street, Unit 304 | Miami, FL 33155
(347) 746-6276 | www.riomargroup.com <http://www.riomargroup.com>
ron at riomargroup.com <mailto:ron at riomargroup.com>
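
Added example, not part of the original post and not Samba's own code: the GUID and SID inside the stored member link that dbcheck complains about are raw hex, so the sketch below decodes them into the string forms used elsewhere in the output. The helper names (decode_guid, decode_sid, parse_extended_dn) are hypothetical; the sample value is the extended DN from the dbcheck error above with its line wrap rejoined.

```python
import struct
import uuid

# Extended DN copied from the dbcheck error in the post (line wrap rejoined).
STORED_LINK = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;"
    "<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;"
    "<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;"
    "<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)

def decode_guid(hex_blob):
    """16 raw bytes; the first three GUID fields are stored little-endian."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) != 16:
        raise ValueError(f"GUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))

def decode_sid(hex_blob):
    """Layout: revision, sub-authority count, 48-bit big-endian authority,
    then `count` little-endian 32-bit sub-authorities."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 8 or raw[0] != 1 or raw[1] > 15:
        raise ValueError("not a revision-1 SID header")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"SID length {len(raw)} does not match count {count}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", "1", str(authority), *map(str, subs)])

def parse_extended_dn(value):
    """Split the leading <KEY=value>; components from the plain DN."""
    fields, rest = {}, value
    while rest.startswith("<"):
        component, sep, rest = rest.partition(">;")
        if not sep:
            raise ValueError("unterminated extended DN component")
        key, _, val = component[1:].partition("=")
        fields[key] = val
    fields["DN"] = rest
    return fields

if __name__ == "__main__":
    link = parse_extended_dn(STORED_LINK)
    print(decode_guid(link["GUID"]), decode_sid(link["SID"]), link["DN"], sep="\n")
```

The decoded GUID is a8e1e07a-cab8-4222-a024-97d59084268b, the same target GUID named in the "already deleted" error. The decoded SID ends in RID 1116, while the replacement dbcheck proposes carries RID 1117 and a different GUID.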