[Samba] Administrators SID is invalid.

mots nibutif at gmail.com
Sat Oct 18 05:26:46 MDT 2014


My smb.conf file is really basic. I've only added a few lines for the
print server and enabled schema updates so I could install the zarafa AD
integration. It hasn't been changed since 29.09.2014.

-rw-r--r-- 1 root staff 1116 Sep 29 13:18 /usr/local/samba/etc/smb.conf

# Global parameters
[global]
        workgroup = CLUSTER
        realm = CLUSTER.DOMAIN.CH
        netbios name = SAMBA
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        load printers = yes
        spoolss: architecture = Windows x64
        unix extensions = no
        dsdb:schema update allowed = true
        load printers = yes


[netlogon]
        path = /usr/local/samba/var/locks/sysvol/cluster.domain.ch/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[printers]
     path = /var/spool/samba
     printable = yes
     printing = CUPS

[print$]
     path = /var/shares/Printer_drivers
     comment = Printer Drivers
     writeable = yes

[profile$]
        path = /var/shares/profiles
        read only = no

[doc$]
        path = /var/shares/docs
        read only = no

[Customer]
        path = /var/shares/customer
        read only = No
[Buspro]
        path = /var/shares/buspro
        read only = No

[Daten]
        path = /var/shares/daten
        read only = no

On 18.10.2014 at 13:18, Rowland Penny wrote:
> On 18/10/14 12:06, mots wrote:
>> Yes, the output matches the one from before.
>>
>> objectSid: S-1-5-21-4290789724-2746532821-3856153555
>>
>> On 18.10.2014 at 12:56, Rowland Penny wrote:
> OK, everything about the Administrator account seems correct (even the
> accountExpires attribute, concentrating on the expiry day & month, I
> totally missed that it wouldn't expire until the year 4253 LOL ) so I
> am at a bit of a loss now. Perhaps there is something in smb.conf that
> is causing this, so could you post your smb.conf.
>
> Rowland
>
>>> On 18/10/14 11:45, mots wrote:
>>>> Thanks, but that didn't work, I'm still getting the same error.
>>>>
>>>> Also weird: If the account was expired, then I shouldn't have been
>>>> able
>>>> to log in at all, right?
>>>>
>>>> Kind regards,
>>>>
>>>> mots
>>>>
>>>> On 18.10.2014 at 11:50, Rowland Penny wrote:
>>>>> On 18/10/14 10:20, mots wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>> now. It
>>>>>> still works for all users except "Administrator".
>>>>>>
>>>>>> If I login to a Windows box with the Administrator account, I can't
>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>> error
>>>>>> "The security ID structure is invalid".
>>>>>>
>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>> returns "The RPC server is unavailable".
>>>>>>
>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>> server
>>>>>> running samba I receive this error: "session setup failed:
>>>>>> NT_STATUS_INVALID_SID".
>>>>>>
>>>>>> Is there a way to fix this without restoring the database from
>>>>>> backup?
>>>>>>
>>>>>> Kind regards,
>>>>>>
>>>>>> mots
>>>>> possibly, have you done anything to the Administrator account ?
>>>>>
>>>>> Also can you post the (sanitized) result of:
>>>>>
>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>>>>
>>>>> You may have to alter '/var/lib/samba/private/sam.ldb' with the path
>>>>> to your sam.ldb
>>>>>
>>>>> Rowland
>>>>>
>>> That was the only obvious problem, ok let's check if the Administrator
>>> has the correct SID:
>>>
>>> ldbsearch -H /var/lib/samba/private/sam.ldb DC=cluster | grep objectSid
>>>
>>> does the result match what you posted earlier ?
>>>
>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
>>>
>>> Note: ignore the -500, this is the Administrator's RID and is always
>>> '500'
>>>
>>> Rowland
>>>
>
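
The check discussed in the quoted exchange (the Administrator's objectSid should be the domain objectSid followed by RID 500), as an added example that is not part of the original thread. The record layout and DNs in the sample are constructed from the realm shown in the smb.conf; the SID values are the ones quoted in the thread, and the function names are hypothetical.

```python
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
ADMIN_RID = 500  # well-known RID of the built-in Administrator account

def parse_sid(text):
    """Return (authority, [sub-authorities]) or raise ValueError."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a revision-1 SID with sub-authorities: {text!r}")
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2)[1:].split("-")]
    if authority >= 2**48:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > 15 or any(s >= 2**32 for s in subs):
        raise ValueError("too many sub-authorities or value exceeds 32 bits")
    return authority, subs

def object_sids(ldif):
    """Map each record's dn to its objectSid from ldbsearch-style output."""
    sids, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("objectSid: ") and dn:
            sids[dn] = line[len("objectSid: "):].strip()
    return sids

def check_admin_sid(domain_sid, admin_sid):
    """True when admin_sid is the domain SID followed by RID 500."""
    d_auth, d_subs = parse_sid(domain_sid)
    a_auth, a_subs = parse_sid(admin_sid)
    return a_auth == d_auth and a_subs == d_subs + [ADMIN_RID]

# Constructed sample: DNs and layout are assumed; SID values are those quoted in the thread
SAMPLE = """\
dn: DC=cluster,DC=domain,DC=ch
objectSid: S-1-5-21-4290789724-2746532821-3856153555

dn: CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch
objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
"""

if __name__ == "__main__":
    sids = object_sids(SAMPLE)
    dom = sids["DC=cluster,DC=domain,DC=ch"]
    adm = sids["CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch"]
    print("Administrator SID consistent with domain:", check_admin_sid(dom, adm))
```

A passing check only confirms the stored string is well formed and carries the expected RID, which matches what the thread found: the account's SID looked correct, so the cause lay elsewhere.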


