[Samba] NT_STATUS_INVALID_SID error

Kai l1800turbo at gmail.com
Mon Mar 25 12:08:13 UTC 2024



Am 25.03.24 um 10:01 schrieb Rowland Penny via samba:
> On Mon, 25 Mar 2024 07:39:21 +0100
> Kai via samba<samba at lists.samba.org>  wrote:
>
>> Hello everyone,
>>
>> I have a Samba setup with an AD controller (DC01) and set up a second
>> system which should work as file share (filesrv01).
>> I was setting it up using this manual:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> Somehow, I broke the administrator's account.
> No, I doubt if you have.
>
>> After I set up a test
>> share, I got RPC server unavailable errors. I started investigating
>> and found test commands like this:
>> rpcclient -I 10.18.1.4 -U administrator -c srvinfo atr2
> Hmm, you appear to be trying to connect to a computer called 'atr2',
> yet your DC is called 'DC01' and your Unix domain member is called
> 'filesrv01'
I copied the command from the web page, not the shell, and modified only 
the IP; my mistake, as below.
The shell command is:
root at dc01:~# rpcclient -I 10.18.1.4 -U administrator -c srvinfo dc01
Password for [JUE\administrator]:
Cannot connect to server.  Error was NT_STATUS_INVALID_SID


The command didn't seem to get that far anyway.

>
>> Password for [JUE\administrator]:
>> Cannot connect to server.  Error was NT_STATUS_INVALID_SID
>>
>> Here I got this invalid SID error. The log file shows me:
>> [2024/03/24 22:23:53.903483,  0]
>> ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
>>    Unable to convert first SID
>> (S-1-5-21-3102633239-3317503863-27722425-500) in user token to a UID.
>>    Conversion was returned as type 0, full token:
>> [2024/03/24 22:23:53.903588,  0]
>> ../../libcli/security/security_token.c:51(security_token_debug)
>>    Security token SIDs (14):
>>      SID[  0]: S-1-5-21-3102633239-3317503863-27722425-500
> '500' is the RID for Administrator, so you do not appear to have broken
> it.
>
>>      SID[  1]: S-1-5-21-3102633239-3317503863-27722425-513
>>      SID[  2]: S-1-5-21-3102633239-3317503863-27722425-512
>>      SID[  3]: S-1-5-21-3102633239-3317503863-27722425-572
>>      SID[  4]: S-1-5-21-3102633239-3317503863-27722425-519
>>      SID[  5]: S-1-5-21-3102633239-3317503863-27722425-518
>>      SID[  6]: S-1-5-21-3102633239-3317503863-27722425-520
>>      SID[  7]: S-1-1-0
>>      SID[  8]: S-1-5-2
>>      SID[  9]: S-1-5-11
>>      SID[ 10]: S-1-5-64-10
>>      SID[ 11]: S-1-5-32-544
>>      SID[ 12]: S-1-5-32-545
>>      SID[ 13]: S-1-5-32-554
>>     Privileges (0x        1FFFFF00):
>>      Privilege[  0]: SeTakeOwnershipPrivilege
>>      Privilege[  1]: SeBackupPrivilege
>>      Privilege[  2]: SeRestorePrivilege
>>      Privilege[  3]: SeRemoteShutdownPrivilege
>>      Privilege[  4]: SeSecurityPrivilege
>>      Privilege[  5]: SeSystemtimePrivilege
>>      Privilege[  6]: SeShutdownPrivilege
>>      Privilege[  7]: SeDebugPrivilege
>>      Privilege[  8]: SeSystemEnvironmentPrivilege
>>      Privilege[  9]: SeSystemProfilePrivilege
>>      Privilege[ 10]: SeProfileSingleProcessPrivilege
>>      Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>>      Privilege[ 12]: SeLoadDriverPrivilege
>>      Privilege[ 13]: SeCreatePagefilePrivilege
>>      Privilege[ 14]: SeIncreaseQuotaPrivilege
>>      Privilege[ 15]: SeChangeNotifyPrivilege
>>      Privilege[ 16]: SeUndockPrivilege
>>      Privilege[ 17]: SeManageVolumePrivilege
>>      Privilege[ 18]: SeImpersonatePrivilege
>>      Privilege[ 19]: SeCreateGlobalPrivilege
>>      Privilege[ 20]: SeEnableDelegationPrivilege
>>     Rights (0x             403):
>>      Right[  0]: SeInteractiveLogonRight
>>      Right[  1]: SeNetworkLogonRight
>>      Right[  2]: SeRemoteInteractiveLogonRight
>>
>> It seems as if I've got a problem between Unix and Windows user IDs,
>> but I don't know how to check without further destruction.
>> Currently my only idea was the command
>> net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege
>> -U "JUE\administrator"
> If you entered the command exactly as above, then you have a major
> error. The wiki is written from the perspective of a self compiled
> version of Samba and uses 'SAMDOM' as an example NetBIOS domain name.
> Anywhere you see 'SAMDOM' on the wiki, you are supposed to replace it
> with your NetBIOS domain name.
Same mistake, sorry. That was the original command:
JUE\administrator at filesrv01:~$ net rpc rights grant "JUE\Domain Admins" 
SeDiskOperatorPrivilege -U "JUE\administrator"
Password for [JUE\administrator]:
Successfully granted rights.
>   
>> from the manual which could have caused problems as all other ones
>> should only have local effect on the file server.
>>
>> Could this be? Did I forget some Unix attachment?
>>
>> I don't know if it's helpful, but this is the smb.conf of the domain
>> controller:
>> [global]
>>          netbios name = DC01
>>          realm = JUE.BRK
>>          server role = active directory domain controller
>>          workgroup = JUE
>>
>>          dns forwarder = 8.8.8.8
>>
>>          idmap_ldb:use rfc2307 = yes
>>
>>          tls enabled  = yes
>>          tls keyfile  = tls/dc01.jue.brk.key
>>          tls certfile = tls/dc01.jue.brk.crt
>>          tls cafile   = tls/rootCA.crt
>>
>>          template shell = /bin/bash
>>          template homedir = /home/%U
>>
>>     idmap config * :              backend = tdb
>>     idmap config * :              range   = 3000-7999
>>     idmap config JUE : backend = ldap
>>     idmap config JUE : range   = 100000-999999
> The 'idmap config' lines do NOTHING on a DC, I suggest you remove them.
Wasn't sure about it, tdb didn't seem right. It was from a previous 
test I put in as a whole block.
I'll remove it completely.
>
>>     template shell = /bin/bash
> So good that you have it twice.
From the copied block by accident...
>
>>           winbind nss info = template
> Again, the line above does nothing on a DC.
>
>>          include = /etc/samba/shares.conf
> You have a fileserver, yet you are adding shares to a DC ?
That was the first approach before I read the recommendation of using a 
separate file server, which I wanted to move over to before removing it.
>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/jue.brk/scripts
>>          read only = No
>>
>> Thank you for any hints!
>> Kai
> Please post the output of 'testparm -s' when ran on your fileserver.
>
> Rowland
>

Testparm -s of the fileserver:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        log file = /var/log/samba/log.%m
        logging = file
        map to guest = Bad User
        max log size = 1000
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        realm = JUE.BRK
        server role = member server
        server string = %h server (Samba, Ubuntu)
        template homedir = /home/%U
        template shell = /bin/bash
        unix password sync = Yes
        usershare allow guests = Yes
        workgroup = JUE
        idmap config * : range = 10000 - 20000
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr


[printers]
        browseable = No
        comment = All Printers
        create mask = 0700
        path = /var/tmp
        printable = Yes


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers


[Demo]
        path = /srv/demo_share
        read only = No



I can access the Demo share, but the assignment of rights didn't work, so 
I started investigating and ran into the RPC unavailable error in the first place.


Thank you!
Kai
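A small parser for the security_token_debug() output quoted in the mail above, as an added example that is not from the thread or from Samba itself. It names each SID in the token (the well-known SIDs and fixed domain RIDs are Microsoft's published values) and returns the first SID, which is the one Samba reports it could not convert to a UID; the sample log lines are a constructed subset of those in the mail.

```python
import re

# Constructed sample: a subset of the "Security token SIDs" lines from the mail.
SAMPLE_LOG = """\
   Security token SIDs (14):
     SID[  0]: S-1-5-21-3102633239-3317503863-27722425-500
     SID[  1]: S-1-5-21-3102633239-3317503863-27722425-513
     SID[  2]: S-1-5-21-3102633239-3317503863-27722425-512
     SID[  7]: S-1-1-0
     SID[  9]: S-1-5-11
     SID[ 11]: S-1-5-32-544
"""

SID_LINE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1-\d+(?:-\d+)+)")

# Well-known SIDs with fixed values (Microsoft's published list).
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users", "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
# Fixed RIDs that exist in every AD domain (S-1-5-21-<domain>-<rid>).
DOMAIN_RIDS = {
    500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 572: "Denied RODC Password Replication Group",
}

def split_sid(sid):
    # Split a domain SID into (domain_sid, rid); other SIDs give (None, None).
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return None, None

def describe_sid(sid):
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    domain, rid = split_sid(sid)
    if domain is not None:
        return DOMAIN_RIDS.get(rid, f"domain RID {rid}")
    return "unknown SID"

def parse_token(log_text):
    # Return [(index, sid, description), ...] in the order the log lists them.
    return [(int(i), s, describe_sid(s)) for i, s in SID_LINE.findall(log_text)]

def user_sid(log_text):
    # The first SID in the token is the user SID that Samba maps to a UID.
    entries = parse_token(log_text)
    return entries[0][1] if entries else None
```

Running `parse_token(SAMPLE_LOG)` shows SID[0] as Administrator (RID 500), which matches the reply in the thread that the account itself is intact.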

