NT_STATUS_INVALID_SID and idmap corruption
Andrew Bartlett
abartlet at samba.org
Tue Nov 8 21:15:39 MST 2011
On Wed, 2011-11-02 at 12:01 -0400, Adam Tauno Williams wrote:
> Quoting Andrew Bartlett <abartlet at samba.org>:
> > On Mon, 2011-10-31 at 15:54 -0400, Adam Tauno Williams wrote:
> >> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >> > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >> >> So I have an S4 instance I've built from an upgrade of a Samba 3
> >> >> LDAPSAM domain.
> >> >> I took an XP workstation off the production network, created the
> >> >> Samba4 instance, brought it up on its own network and connected the
> >> >> XP workstation. Attempting to login on the XP workstation and it
> >> >> says "domain unavailable". Hrmm....
> >> >> I can get tickets as an 'upgraded' domain user.
> >> >> kinit adam at MICORE.US
> >> >> DNS is working.
> >> >> host -t SRV _ldap._tcp.micore.us.
> >> >> host -t SRV _kerberos._udp.micore.us.
> >> >> host -t A barbel.micore.us.
> >> >> But -
> >> >> Ignoring unknown parameter "server role"
> >> >> SID for domain BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> >> >> barbel:~ # net getdomainsid
> >> >> Ignoring unknown parameter "server role"
> >> >> SID for local machine BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> >> >> Could not fetch domain SID
> >> >> ... should the domain SID be fetchable? Is the upgraded domain
> >> >> somehow disabled?
> >> >> That is the same SID as the S3 DC.
> >> > Attempting to access the domain from the XP workstation by
> >> > specifying \\{serverName}\netlogon and using "BACKBONE\adam" and the
> >> > password appears to authenticate but then fails with a "The security
> >> > ID structure is invalid." [BACKBONE was the NetBIOS domain of the
> >> > upgraded domain].
> >>
> >> I Updated the Samba4 to the latest git [4.0.0alpha18-GIT-63c7107]
> >>
> >> It appears the error is here -
> >> [2011/10/31 15:49:00, 5]
> >> ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
> >> (normal if no LDAP backend) Could not find entry to match filter:
> >> '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such
> >> object: (null)
> >> [2011/10/31 15:49:00, 5]
> >> ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> >> Starting GENSEC mechanism spnego
> >> [2011/10/31 15:49:00, 5]
> >> ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> >> Starting GENSEC submechanism gssapi_krb5
> >> [2011/10/31 15:49:00, 1]
> >> ../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
> >> GSS server Update(krb5)(1) Update failed: An unsupported mechanism
> >> was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> >> [2011/10/31 15:49:00, 1]
> >> ../source4/auth/gensec/spnego.c:555(gensec_spnego_parse_negTokenInit)
> >> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> >> [2011/10/31 15:49:00, 2]
> >> ../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
> >> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> >> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> >> smbsrv_recv
> >> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> >> smbsrv_recv
> >> [2011/10/31 15:49:00, 5]
> >> ../source4/smb_server/smb/receive.c:507(switch_message)
> >> switch message SMBtconX (task_id 0:2328.0)
> >> Is this a problem in the provisioned database [No such object: (null)]
> >> or in some interaction with the XP client [unknown mech-code 0 for
> >> mech].
> > I'm not really sure what is wrong here. It isn't the [No such object:
> > (null)] because that is '(normal if no LDAP backend)'. I will remove
> > the confusing error message here to avoid this being raised again.
> > Somehow the ticket isn't being accepted by GSSAPI, and we need to work
> > out why that is. Does the same thing happen with smbcleint (from
> > samba4) using this command?
> > smbclient //server/share -k yes
>
> barbel:~ # smbclient //barbel/tmp -k yes
> smb: \> ls
> NT_STATUS_INVALID_SID listing \*
> Error in dskattr: NT_STATUS_INVALID_SID
> smb: \>
This error is returned when the idmap database holds sids with an
unexpected type, which could certainly happen due to an error during the
import. In particular, this happens when a SID which is expected to be
a UID resolves to a GID, or a SID expected to be a GID resolves to a
UID.
Traditionally in Samba4, all SIDs resolve to BOTH a UID and GID, which
avoids this issue, but to maintain file permissions, we have to import
the database as-is. If you can show me the contents (privatly if you
desire) of your idmap.ldb with 'ldbsearch -H idmap.ldb', we may get a
clue. I'll also need a list of SID -> name mappings to confirm what
each SID really is.
In the short term, to show that this is the issue, if you remove all the
mappings from the idmap.ldb, it should re-create mappings of type BOTH,
and allow access (but as the wrong UID and GIDs).
The error may also have been introduced by the passdb bug I mentioned in
my other mail, so please try again after applying my patches, before we
chase this down further.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list