[Samba] Administrators SID is invalid.

Rowland Penny rowlandpenny at googlemail.com
Sat Oct 18 04:37:44 MDT 2014


On 18/10/14 11:04, mots wrote:
> No, not while it was working. Though I did change the password today
> while trying to figure out what still works.
>
> Also, I can still get Kerberos tickets with the account. (using kinit
> and klist)
>
> Here's the output:
> root@samba:~# ldbsearch -H /usr/local/samba/private/sam.ldb cn=Administrator
> # record 1
> dn: CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20140912070407.0Z
> uSNCreated: 3545
> name: Administrator
> objectGUID: 9d41ebd9-7c5a-48d0-b953-85eab1e55429
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cluster,DC=domain,DC=ch
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=cluster,DC=domain,DC=ch
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=cluster,DC=domain,DC=ch
> memberOf: CN=Enterprise Admins,CN=Users,DC=cluster,DC=domain,DC=ch
> memberOf: CN=Schema Admins,CN=Users,DC=cluster,DC=domain,DC=ch
> memberOf: CN=Domain Admins,CN=Users,DC=cluster,DC=domain,DC=ch
> userAccountControl: 66048
> msDS-SupportedEncryptionTypes: 0
> pwdLastSet: 130580955130000000
> whenChanged: 20141018084513.0Z
> uSNChanged: 27862
> distinguishedName: CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch
>
> # Referral
> ref: ldap://cluster.domain.ch/CN=Configuration,DC=cluster,DC=domain,DC=ch
>
> # Referral
> ref: ldap://cluster.domain.ch/DC=DomainDnsZones,DC=cluster,DC=domain,DC=ch
>
> # Referral
> ref: ldap://cluster.domain.ch/DC=ForestDnsZones,DC=cluster,DC=domain,DC=ch
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> mots
>
> On 18.10.2014 at 11:50, Rowland Penny wrote:
>> On 18/10/14 10:20, mots wrote:
>>> Hello,
>>>
>>> I've got a samba 4.2 DC, which has worked well for about a month now. It
>>> still works for all users except "Administrator".
>>>
>>> If I login to a Windows box with the Administrator account, I can't
>>> connect to any shares and clicking on a mapped drive returns the error
>>> "The security ID structure is invalid".
>>>
>>> Opening "Active Directory Users and Computers" on the Windows box
>>> returns "The RPC server is unavailable".
>>>
>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux server
>>> running samba I receive this error: "session setup failed:
>>> NT_STATUS_INVALID_SID".
>>>
>>> Is there a way to fix this without restoring the database from backup?
>>>
>>> Kind regards,
>>>
>>> mots
>> Possibly, have you done anything to the Administrator account?
>>
>> Also can you post the (sanitized) result of:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>
>> You may have to alter '/var/lib/samba/private/sam.ldb' with the path
>> to your sam.ldb
>>
>> Rowland
>>
Hi, the Administrator account has expired:

accountExpires: 9223372036854775807 = Sat, 09 Oct 4523 21:52:49 GMT

The quick way out of this:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb cn=Administrator

Change:

accountExpires: 9223372036854775807

To:

accountExpires: 0

Rowland
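
Added example, not part of the original thread: a small Python decoder for the time and flag attributes in the ldbsearch record above, following Microsoft's documented encodings (FILETIME is 100 ns ticks since 1601-01-01 UTC; accountExpires values 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires"). The function names and the trimmed SAMPLE record are constructed for illustration; the attribute values are the ones quoted in the thread.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both sentinels are documented as "account never expires". The large one
# would also overflow datetime (it lands past year 9999) if converted.
NEVER = (0, 0x7FFFFFFFFFFFFFFF)
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x10: "LOCKOUT", 0x20: "PASSWD_NOTREQD",
             0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWD",
             0x800000: "PASSWORD_EXPIRED"}

def filetime_to_utc(value):
    """Convert 100-ns intervals since 1601-01-01 to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def account_expiry(value):
    """Return the expiry as a datetime, or None when it never expires."""
    return None if value in NEVER else filetime_to_utc(value)

def uac_flags(value):
    """Names of the userAccountControl bits that are set, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_record(ldif):
    """Parse 'attr: value' lines of one ldbsearch record (last value wins)."""
    rec = {}
    for line in ldif.splitlines():
        if line.startswith("#") or ": " not in line:
            continue
        key, val = line.split(": ", 1)
        rec[key] = val.strip()
    return rec

def summarize(ldif, now):
    """Decode the account-state attributes relevant to a logon failure."""
    rec = parse_record(ldif)
    expires = account_expiry(int(rec["accountExpires"]))
    return {"flags": uac_flags(int(rec["userAccountControl"])),
            "expires": expires,
            "expired": expires is not None and expires <= now,
            "pwd_last_set": filetime_to_utc(int(rec["pwdLastSet"]))}

# Constructed sample: four attributes copied from the record in the thread.
SAMPLE = """\
# record 1
sAMAccountName: Administrator
accountExpires: 9223372036854775807
userAccountControl: 66048
pwdLastSet: 130580955130000000
"""

if __name__ == "__main__":
    print(summarize(SAMPLE, datetime.now(timezone.utc)))
```
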



