[Samba] NT_STATUS_INVALID_SID error
Kai
l1800turbo at gmail.com
Mon Mar 25 06:39:21 UTC 2024
Hello everyone,
I have a Samba setup with an AD controller (DC01) and set up a second
system which should work as a file share (filesrv01).
I was setting it up using this manual:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Somehow, I broke the administrator's account. After I set up a test
share, I got RPC server unavailable errors. I started investigating and
found test commands like this:
rpcclient -I 10.18.1.4 -U administrator -c srvinfo atr2
Password for [JUE\administrator]:
Cannot connect to server. Error was NT_STATUS_INVALID_SID
Here I got this invalid SID error. The log file shows me:
[2024/03/24 22:23:53.903483, 0]
../../source4/auth/unix_token.c:95(security_token_to_unix_token)
Unable to convert first SID
(S-1-5-21-3102633239-3317503863-27722425-500) in user token to a UID.
Conversion was returned as type 0, full token:
[2024/03/24 22:23:53.903588, 0]
../../libcli/security/security_token.c:51(security_token_debug)
Security token SIDs (14):
SID[ 0]: S-1-5-21-3102633239-3317503863-27722425-500
SID[ 1]: S-1-5-21-3102633239-3317503863-27722425-513
SID[ 2]: S-1-5-21-3102633239-3317503863-27722425-512
SID[ 3]: S-1-5-21-3102633239-3317503863-27722425-572
SID[ 4]: S-1-5-21-3102633239-3317503863-27722425-519
SID[ 5]: S-1-5-21-3102633239-3317503863-27722425-518
SID[ 6]: S-1-5-21-3102633239-3317503863-27722425-520
SID[ 7]: S-1-1-0
SID[ 8]: S-1-5-2
SID[ 9]: S-1-5-11
SID[ 10]: S-1-5-64-10
SID[ 11]: S-1-5-32-544
SID[ 12]: S-1-5-32-545
SID[ 13]: S-1-5-32-554
Privileges (0x 1FFFFF00):
Privilege[ 0]: SeTakeOwnershipPrivilege
Privilege[ 1]: SeBackupPrivilege
Privilege[ 2]: SeRestorePrivilege
Privilege[ 3]: SeRemoteShutdownPrivilege
Privilege[ 4]: SeSecurityPrivilege
Privilege[ 5]: SeSystemtimePrivilege
Privilege[ 6]: SeShutdownPrivilege
Privilege[ 7]: SeDebugPrivilege
Privilege[ 8]: SeSystemEnvironmentPrivilege
Privilege[ 9]: SeSystemProfilePrivilege
Privilege[ 10]: SeProfileSingleProcessPrivilege
Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Privilege[ 12]: SeLoadDriverPrivilege
Privilege[ 13]: SeCreatePagefilePrivilege
Privilege[ 14]: SeIncreaseQuotaPrivilege
Privilege[ 15]: SeChangeNotifyPrivilege
Privilege[ 16]: SeUndockPrivilege
Privilege[ 17]: SeManageVolumePrivilege
Privilege[ 18]: SeImpersonatePrivilege
Privilege[ 19]: SeCreateGlobalPrivilege
Privilege[ 20]: SeEnableDelegationPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
Right[ 1]: SeNetworkLogonRight
Right[ 2]: SeRemoteInteractiveLogonRight
It seems as if I've got a problem between Unix and Windows user IDs, but
I don't know how to check without further destruction.
Currently my only idea was the command
net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U
"JUE\administrator"
from the manual, which could have caused problems, as all other ones
should only have a local effect on the file server.
Could this be? Did I forget some Unix attachment?
I don't know if it's helpful, but this is the smb.conf of the domain
controller:
[global]
netbios name = DC01
realm = JUE.BRK
server role = active directory domain controller
workgroup = JUE
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
tls enabled = yes
tls keyfile = tls/dc01.jue.brk.key
tls certfile = tls/dc01.jue.brk.crt
tls cafile = tls/rootCA.crt
template shell = /bin/bash
template homedir = /home/%U
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config JUE : backend = ldap
idmap config JUE : range = 100000-999999
template shell = /bin/bash
winbind nss info = template
include = /etc/samba/shares.conf
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/jue.brk/scripts
read only = No
Thank you for any hints!
Kai
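A small parser for the security_token_debug dump quoted above, added here as an example; it is not part of the post and not Samba's own code. It pulls the SID named in the "Unable to convert first SID" line out of the dump, works out the domain SID from it, labels every SID in the token using the standard well-known RID and SID tables, and pop-counts the Privileges/Rights bitmask headers so the token's shape can be checked even when the list lines are truncated. SAMPLE_DUMP is a constructed excerpt of the post's dump with the Privilege[]/Right[] lists shortened.

```python
"""Parse the security_token_debug dump that Samba logs next to an
"Unable to convert first SID ... to a UID" error and report which
principal the failed SID-to-UID mapping belongs to.

Added example, not Samba's own code. SAMPLE_DUMP is a constructed
excerpt of the dump quoted in the post (Privilege/Right lists shortened).
"""
import re

# Standard well-known RIDs under a domain SID (S-1-5-21-<domain>-<rid>).
DOMAIN_RIDS = {
    500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    572: "Denied RODC Password Replication Group",
}
# Standard well-known SIDs: groups or logon-type markers, never mapped to a UID.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-2": "Network",
    "S-1-5-11": "Authenticated Users", "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}

SAMPLE_DUMP = """\
Unable to convert first SID
(S-1-5-21-3102633239-3317503863-27722425-500) in user token to a UID.
Conversion was returned as type 0, full token:
Security token SIDs (14):
SID[ 0]: S-1-5-21-3102633239-3317503863-27722425-500
SID[ 1]: S-1-5-21-3102633239-3317503863-27722425-513
SID[ 2]: S-1-5-21-3102633239-3317503863-27722425-512
SID[ 3]: S-1-5-21-3102633239-3317503863-27722425-572
SID[ 4]: S-1-5-21-3102633239-3317503863-27722425-519
SID[ 5]: S-1-5-21-3102633239-3317503863-27722425-518
SID[ 6]: S-1-5-21-3102633239-3317503863-27722425-520
SID[ 7]: S-1-1-0
SID[ 8]: S-1-5-2
SID[ 9]: S-1-5-11
SID[ 10]: S-1-5-64-10
SID[ 11]: S-1-5-32-544
SID[ 12]: S-1-5-32-545
SID[ 13]: S-1-5-32-554
Privileges (0x 1FFFFF00):
Privilege[ 0]: SeTakeOwnershipPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
"""

SID_RE = re.compile(r"^SID\[\s*(\d+)\]:\s*(S-[\d-]+)\s*$", re.M)
FAIL_RE = re.compile(r"Unable to convert first SID\s*\((S-[\d-]+)\)")
MASK_RE = re.compile(r"^(Privileges|Rights) \(0x\s*([0-9A-Fa-f]+)\):", re.M)


def parse_token(dump):
    """Return (failed_sid, sids in token order, {'privileges': mask, 'rights': mask})."""
    m = FAIL_RE.search(dump)
    failed = m.group(1) if m else None
    sids = [s for _, s in sorted((int(i), s) for i, s in SID_RE.findall(dump))]
    masks = {k.lower(): int(v, 16) for k, v in MASK_RE.findall(dump)}
    return failed, sids, masks


def classify_sid(sid, domain_sid=None):
    """Return (kind, name): well-known SID, RID in our domain, foreign domain, or unknown."""
    if sid in WELL_KNOWN_SIDS:
        return "well-known", WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        base, rid = sid.rsplit("-", 1)
        if domain_sid is None or base == domain_sid:
            return "domain", DOMAIN_RIDS.get(int(rid), "RID " + rid)
        return "foreign-domain", "RID " + rid
    return "unknown", sid


def diagnose(dump):
    """Summarise the dump: which SID failed, whose it is, and the token's shape."""
    failed, sids, masks = parse_token(dump)
    domain_sid = None
    if failed and failed.startswith("S-1-5-21-"):
        domain_sid = failed.rsplit("-", 1)[0]
    return {
        "failed_sid": failed,
        "domain_sid": domain_sid,
        "failed_principal": classify_sid(failed, domain_sid)[1] if failed else None,
        # The first SID of a token is the user's own SID; a failure there means
        # the account itself (not one of its groups) has no Unix ID.
        "failed_is_token_user": bool(sids) and failed == sids[0],
        "sid_count": len(sids),
        # popcount of the header masks, independent of how many list lines survived
        "privilege_count": bin(masks.get("privileges", 0)).count("1"),
        "right_count": bin(masks.get("rights", 0)).count("1"),
        "members": [(s,) + classify_sid(s, domain_sid) for s in sids],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DUMP).items():
        print(key, "->", value)
```

Run against the post's dump, the report says the SID that failed is the token's own user SID with RID 500, the domain Administrator account, while every other SID is a domain group or a well-known SID that does not need a UID; the mask pop-counts (21 privileges, 3 rights) agree with the full lists in the post. The script cannot perform the next check, which has to happen on the DC: confirming that this one account resolves to a Unix ID there (for example with `wbinfo --sid-to-uid <sid>`), since with `idmap_ldb:use rfc2307 = yes` the DC takes that mapping from the account's RFC2307 attributes.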