[Samba] The security id structure is invalid

Ron García-Vidal ron at riomargroup.com
Tue Oct 4 18:00:02 UTC 2016


I recently upgraded Samba on my DC from a working 4.3 installation to 
4.5.0. Once done, I followed the instructions here:

https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes

and ran:

samba-tool dbcheck --cross-ncs --fix --yes

After that, I can no longer access the shares on this machine. I get the 
"Security ID structure is invalid" error above. In addition, the RSAT 
can't speak to the DC, and other Linux boxes (running sssd) are saying 
"Authentication server cannot be found".

I am able to access the server using an LDAP browser and am trying to 
piece my way to fixing this, but am coming up empty-handed. This is my 
home server and only has three users, so I could technically wipe and 
rebuild the server, but since I have many clients who use Samba, I would 
like to figure out how to fix this in case it comes up again.

The syslog is giving the following errors:

Oct  4 13:56:15 harleyquinn smbd[17702]:   Unable to convert SID (S-1-5-11) at index 5 in user token to a GID.  Conversion was returned as type 0, full token:
Oct  4 13:56:15 harleyquinn smbd[17702]: [2016/10/04 13:56:15.283772,  0] ../libcli/security/security_token.c:63(security_token_debug)
Oct  4 13:56:15 harleyquinn smbd[17702]:   Security token SIDs (8):
Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  0]: S-1-5-21-1319907214-2951884047-2640289736-1105
Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  1]: S-1-5-21-1319907214-2951884047-2640289736-1107
Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  2]: S-1-5-21-1319907214-2951884047-2640289736-513
Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  3]: S-1-1-0
Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  4]: S-1-5-2
Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  5]: S-1-5-11
Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  6]: S-1-5-32-545
Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  7]: S-1-5-32-554
Oct  4 13:56:15 harleyquinn smbd[17702]:    Privileges (0x          800000):
Oct  4 13:56:15 harleyquinn smbd[17702]:     Privilege[  0]: SeChangeNotifyPrivilege
Oct  4 13:56:15 harleyquinn smbd[17702]:    Rights (0x 400):
Oct  4 13:56:15 harleyquinn smbd[17702]:     Right[  0]: SeRemoteInteractiveLogonRight
Oct  4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367502,  0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Oct  4 13:56:15 harleyquinn smbd[17703]:   Unable to convert SID (S-1-5-11) at index 5 in user token to a GID.  Conversion was returned as type 0, full token:
Oct  4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367835,  0] ../libcli/security/security_token.c:63(security_token_debug)
Oct  4 13:56:15 harleyquinn smbd[17703]:   Security token SIDs (8):
Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  0]: S-1-5-21-1319907214-2951884047-2640289736-1105
Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  1]: S-1-5-21-1319907214-2951884047-2640289736-1107
Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  2]: S-1-5-21-1319907214-2951884047-2640289736-513
Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  3]: S-1-1-0
Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  4]: S-1-5-2
Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  5]: S-1-5-11
Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  6]: S-1-5-32-545
Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  7]: S-1-5-32-554
Oct  4 13:56:15 harleyquinn smbd[17703]:    Privileges (0x          800000):
Oct  4 13:56:15 harleyquinn smbd[17703]:     Privilege[  0]: SeChangeNotifyPrivilege
Oct  4 13:56:15 harleyquinn smbd[17703]:    Rights (0x 400):
Oct  4 13:56:15 harleyquinn smbd[17703]:     Right[  0]: SeRemoteInteractiveLogonRight

These are repeated for various SIDs.

Also, the samba-tool dbcheck is unable to fix the following:

ERROR: incorrect GUID component for member in object CN=Domain Admins,CN=Users,DC=dc1,DC=evilgenius,DC=net - <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net

Change DN to <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
ERROR: Failed to fix incorrect GUID on attribute member : (53, 'Attribute member already deleted for target GUID a8e1e07a-cab8-4222-a024-97d59084268b')

I'm not even sure where to start fixing this and am not finding anything 
similar via Google.

-Ron



-- 

Riomar Group <http://www.riomargroup.com>*Ron García-Vidal | President | 
Riomar Group
(A NYC, NYS & PANYNJ Certified MBE & DBE)*
1315 Prospect Ave., First Floor | Brooklyn, NY 11218
7400 SW 50th Street, Unit 304 | Miami, FL 33155
(347) 746-6276 | www.riomargroup.com <http://www.riomargroup.com>
ron at riomargroup.com <mailto:ron at riomargroup.com>
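
Added example, not part of the original post and not Samba code: a decoder for the hex-encoded <GUID=...> and <SID=...> components in the dbcheck error above, so the stored member link can be compared with the DN dbcheck proposes. It assumes the hex values use the standard binary GUID and SID layouts; the function names are hypothetical.

```python
import re
import struct
import uuid

# Copied from the dbcheck output above; the other RMD_* fields are omitted.
STALE = ("<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_FLAGS=1>;"
         "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
         "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net")
PROPOSED = ("<GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;"
            "<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;"
            "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net")

def decode_guid(value):
    """Return the dashed form; hex input is the 16-byte mixed-endian layout."""
    if "-" in value:
        return str(uuid.UUID(value))
    return str(uuid.UUID(bytes_le=bytes.fromhex(value)))

def decode_sid(value):
    """Return S-R-A-S1-...; hex input is the binary SID layout."""
    if value.startswith("S-"):
        return value
    raw = bytes.fromhex(value)
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def parse_extended_dn(dn):
    """Split '<KEY=value>;' components from the plain DN and decode them."""
    parts = dict(re.findall(r"<(\w+)=([^>]*)>;", dn))
    return {
        "dn": re.sub(r"<[^>]*>;", "", dn),
        "guid": decode_guid(parts["GUID"]),
        "sid": decode_sid(parts["SID"]),
        "rmd_flags": int(parts.get("RMD_FLAGS", "0")),
    }

def same_object(a, b):
    """True only when both links point at the same GUID and SID."""
    return a["guid"] == b["guid"] and a["sid"] == b["sid"]

if __name__ == "__main__":
    stale, proposed = parse_extended_dn(STALE), parse_extended_dn(PROPOSED)
    for label, link in (("stale", stale), ("proposed", proposed)):
        print(label, link["guid"], link["sid"], link["rmd_flags"])
    print("same object:", same_object(stale, proposed))
```

Decoded, the stored link carries the GUID named in the "already deleted" error and a SID ending in RID 1116, while the DN dbcheck proposes has a different GUID and RID 1117 under the same CN=LDAP User name.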


