[Samba] NT_STATUS_INVALID_SID

Ryan Ashley ryana at reachtechfp.com
Thu Oct 27 21:16:59 UTC 2016


More information, now that I have the SID in question.

root at dc01:~# wbinfo --sid-to-gid S-1-5-11
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-11 to gid
root at dc01:~# wbinfo --sid-to-uid S-1-5-11
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-11 to uid
root at dc01:~# wbinfo --sid-to-name S-1-5-11
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-11
root at dc01:~# wbinfo --sid-to-fullname S-1-5-11
failed to call wbcGetDisplayName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-11

This works for other SIDs, just not S-1-5-11.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/27/2016 04:57 PM, Ryan Ashley via samba wrote:
> I just found this in a log. It is the smbd log, to be exact.
> 
> [2016/10/27 16:54:11.689360,  0]
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>   Unable to convert SID (S-1-5-11) at index 9 in user token to a GID.
> Conversion was returned as type 0, full token:
> [2016/10/27 16:54:11.689734,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (13):
>     SID[  0]: S-1-5-21-1106274642-2786564146-798650368-500
>     SID[  1]: S-1-5-21-1106274642-2786564146-798650368-513
>     SID[  2]: S-1-5-21-1106274642-2786564146-798650368-520
>     SID[  3]: S-1-5-21-1106274642-2786564146-798650368-572
>     SID[  4]: S-1-5-21-1106274642-2786564146-798650368-519
>     SID[  5]: S-1-5-21-1106274642-2786564146-798650368-518
>     SID[  6]: S-1-5-21-1106274642-2786564146-798650368-512
>     SID[  7]: S-1-1-0
>     SID[  8]: S-1-5-2
>     SID[  9]: S-1-5-11
>     SID[ 10]: S-1-5-32-544
>     SID[ 11]: S-1-5-32-545
>     SID[ 12]: S-1-5-32-554
>    Privileges (0x        1FFFFF00):
>     Privilege[  0]: SeTakeOwnershipPrivilege
>     Privilege[  1]: SeBackupPrivilege
>     Privilege[  2]: SeRestorePrivilege
>     Privilege[  3]: SeRemoteShutdownPrivilege
>     Privilege[  4]: SeSecurityPrivilege
>     Privilege[  5]: SeSystemtimePrivilege
>     Privilege[  6]: SeShutdownPrivilege
>     Privilege[  7]: SeDebugPrivilege
>     Privilege[  8]: SeSystemEnvironmentPrivilege
>     Privilege[  9]: SeSystemProfilePrivilege
>     Privilege[ 10]: SeProfileSingleProcessPrivilege
>     Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>     Privilege[ 12]: SeLoadDriverPrivilege
>     Privilege[ 13]: SeCreatePagefilePrivilege
>     Privilege[ 14]: SeIncreaseQuotaPrivilege
>     Privilege[ 15]: SeChangeNotifyPrivilege
>     Privilege[ 16]: SeUndockPrivilege
>     Privilege[ 17]: SeManageVolumePrivilege
>     Privilege[ 18]: SeImpersonatePrivilege
>     Privilege[ 19]: SeCreateGlobalPrivilege
>     Privilege[ 20]: SeEnableDelegationPrivilege
>    Rights (0x             403):
>     Right[  0]: SeInteractiveLogonRight
>     Right[  1]: SeNetworkLogonRight
>     Right[  2]: SeRemoteInteractiveLogonRight
> 
> Isn't this the builtin group?
> 
> Lead IT/IS Specialist
> Reach Technology FP, Inc
> 
> On 10/27/2016 04:21 PM, Rowland Penny via samba wrote:
>> On Thu, 27 Oct 2016 15:52:09 -0400
>> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>>
>>> Slightly off-topic, but I thought setting those set the limits for
>>> going into the NIS attributes tab in Windows. I understood the Samba
>>> wiki to explain that using those lines is how you set the upper and
>>> lower limits that Windows sees and uses. Is this incorrect?
>>>
>>> Lead IT/IS Specialist
>>> Reach Technology FP, Inc
>>>
>>> On 10/27/2016 03:42 PM, Rowland Penny via samba wrote:
>>>> On Thu, 27 Oct 2016 17:23:43 -0200
>>>> Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi Rowland,
>>>>>
>>>>>      Just to let you know, we removed all the idmap entries we had
>>>>> on the smb.conf of our two DCs and the ids reported by getent
>>>>> passwd at the DCs were in the 3.000.000 range, as you said. We had
>>>>> to add back 'idmap_ldb:use rfc2307 = yes' to get the user listing
>>>>> with the original numbers on the DCs.
>>>>>
>>>>> Here's what we commented out on the configuration files.
>>>>>
>>>>>          # Default idmap config used for BUILTIN and local accounts/groups
>>>>>          #idmap config *:backend = ad
>>>>>          #idmap config *:range = 2000-9999
>>>>>
>>>>>          # idmap config for domain E-TRUST
>>>>>          #idmap config E-TRUST:backend = ad
>>>>>          #idmap config E-TRUST:schema_mode = rfc2307
>>>>>          #idmap config E-TRUST:range = 10000-40000
>>>>>          #idmap cache time = 1
>>>>>          #idmap negative cache time = 1
>>>>>          #winbind cache time = 1
>>>>>          idmap_ldb:use rfc2307 = yes
>>>>>
>>>>
>>>> Yes, those are the lines you should only have on a domain member (aka
>>>> fileserver, printserver). The only idmap line you should have on a
>>>> DC is the 'idmap_ldb:use rfc2307 = yes' line. Without this line,
>>>> rfc2307 will not be used, and unfortunately it is not added
>>>> automatically to any DCs that are joined to the domain.
>>>>
>>>> Rowland
>>>>  
>>>>
>>>
>>
>> OK, when you first provision Samba as an AD DC, it uses 'xidNumber'
>> attributes stored in 'idmap.ldb'; these numbers are in the '3000000'
>> range. These numbers are allocated on a first come basis (this is why
>> you get different IDs on subsequent DCs).
>>
>> The only way to get different ID numbers on a DC is to use uidNumber &
>> gidNumber attributes, but you don't need to add anything to smb.conf.
>>
>> On a domain member it is different, there are several 'idmap' winbind
>> backends you can use, but the two main ones are 'ad' and 'rid'.
>>
>> If you haven't added any uidNumber & gidNumber attributes to AD, then
>> you should use the 'rid' backend. This calculates the user's (or group's)
>> ID from its RID (the only real constant in all of this), and as long as
>> you use the same range on all Unix domain members, you will get
>> the same ID on them.
>>
>> If you have added uidNumber & gidNumber attributes to AD, then you
>> should use the 'ad' backend. Again, if you use the same range on all
>> the domain members, you will get the same IDs everywhere, including
>> the DCs.
>>
>> The ranges (whether you use 'rid' or 'ad') must not overlap, and if
>> you use 'ad', you must give 'Domain Users' a gidNumber.
>>
>> If you use the 'rid' backend, the IDs will be set from the range you
>> set in smb.conf, whereas if you use the 'ad' backend, you set the
>> range from the numbers you set in AD.
>>
>> Rowland  
>>
> 
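Rowland's description of the 'rid' backend above and Ryan's question about S-1-5-11 can be tied together with a small script. The following is an added example, not code from this thread or from Samba: it parses the SIDs of the quoted token, reproduces only the arithmetic of the idmap_rid rule (ID = RID + LOW_RANGE_ID, as documented in idmap_rid(8)) for a configured domain SID and range, and labels the SIDs that no per-domain backend can derive an ID for. S-1-5-11 is the well-known NT AUTHORITY\Authenticated Users SID: it is neither a BUILTIN SID (those live under S-1-5-32) nor a member of the domain, so it carries no domain RID to map. The example deliberately does not model what winbind's default `*` backend or a DC's idmap.ldb does with such SIDs; the domain SID and the range 10000-40000 are taken from the quoted token and config.

```python
"""Classify the SIDs of a Samba security token and apply the idmap_rid rule.

Added example; not Samba code. The idmap_rid(8) man page gives the
mapping as ID = RID + LOW_RANGE_ID, valid only for SIDs of the configured
domain and only when the result falls inside the configured range.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known SIDs present in the token quoted in the thread (standard
# Windows well-known SID names).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\Network",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}

# Domain-relative RIDs that have the same meaning in every AD domain.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    572: "Denied RODC Password Replication Group",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    text: str
    authority: int
    subauthorities: tuple

    @property
    def rid(self) -> int:
        # The RID is always the last subauthority.
        return self.subauthorities[-1]

    @property
    def domain_sid(self) -> Optional[str]:
        # AD domain SIDs are S-1-5-21-A-B-C; an account in the domain
        # appends one RID, giving exactly five subauthorities.
        if (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21):
            return "S-1-5-21-" + "-".join(str(x) for x in self.subauthorities[1:4])
        return None


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m.group(2).split("-")[1:])
    return Sid(text.strip(), int(m.group(1)), subs)


def classify(sid: Sid) -> str:
    """'domain' (has a domain RID), 'builtin' (S-1-5-32-*), 'well-known' or 'unknown'."""
    if sid.domain_sid:
        return "domain"
    if sid.authority == 5 and sid.subauthorities[:1] == (32,):
        return "builtin"
    if sid.text in WELL_KNOWN:
        return "well-known"
    return "unknown"


def rid_backend_id(sid: Sid, configured_domain_sid: str, low: int, high: int) -> Optional[int]:
    """idmap_rid rule: ID = RID + LOW_RANGE_ID; None when the SID is not in the
    configured domain or the result falls outside [low, high]."""
    if sid.domain_sid != configured_domain_sid:
        return None
    unix_id = sid.rid + low
    return unix_id if low <= unix_id <= high else None


def analyze_token(sid_texts: List[str], configured_domain_sid: str, low: int, high: int):
    rows = []
    for text in sid_texts:
        sid = parse_sid(text)
        kind = classify(sid)
        if kind == "domain":
            name = WELL_KNOWN_RIDS.get(sid.rid, f"RID {sid.rid}")
        else:
            name = WELL_KNOWN.get(sid.text, "?")
        rows.append({"sid": sid.text, "kind": kind, "name": name,
                     "rid_id": rid_backend_id(sid, configured_domain_sid, low, high)})
    return rows


# The 13 SIDs from the smbd log quoted in the thread.
DOMAIN = "S-1-5-21-1106274642-2786564146-798650368"
TOKEN = [f"{DOMAIN}-{r}" for r in (500, 513, 520, 572, 519, 518, 512)] + [
    "S-1-1-0", "S-1-5-2", "S-1-5-11", "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-554",
]

if __name__ == "__main__":
    for row in analyze_token(TOKEN, DOMAIN, 10000, 40000):
        mapped = row["rid_id"] if row["rid_id"] is not None else "no domain RID to map"
        print(f"{row['sid']:<48} {row['kind']:<10} {row['name']:<45} {mapped}")
```

Running it lists every SID of the token with its kind and name; the seven domain SIDs map to 10500, 10513, 10520, 10572, 10519, 10518 and 10512, while Everyone, Network, Authenticated Users and the three BUILTIN groups are reported as having no domain RID to map, which is the category S-1-5-11 falls into.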