[Samba] Administrators SID is invalid.
Rowland Penny
rowlandpenny at googlemail.com
Sat Oct 18 06:18:28 MDT 2014
On 18/10/14 12:26, mots wrote:
> My smb.conf file is really basic. I've only added a few lines for the
> print server and enabled schema updates so I could install the zarafa AD
> integration. It hasn't been changed since 29.09.2014.
>
> -rw-r--r-- 1 root staff 1116 Sep 29 13:18 /usr/local/samba/etc/smb.conf
>
> # Global parameters
> [global]
> workgroup = CLUSTER
> realm = CLUSTER.DOMAIN.CH
> netbios name = SAMBA
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> load printers = yes
> spoolss: architecture = Windows x64
> unix extensions = no
> dsdb:schema update allowed = true
> load printers = yes
>
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/cluster.domain.ch/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [printers]
> path = /var/spool/samba
> printable = yes
> printing = CUPS
>
> [print$]
> path = /var/shares/Printer_drivers
> comment = Printer Drivers
> writeable = yes
>
> [profile$]
> path = /var/shares/profiles
> read only = no
>
> [doc$]
> path = /var/shares/docs
> read only = no
>
> [Customer]
> path = /var/shares/customer
> read only = No
> [Buspro]
> path = /var/shares/buspro
> read only = No
>
> [Daten]
> path = /var/shares/daten
> read only = no
>
> Am 18.10.2014 um 13:18 schrieb Rowland Penny:
>> On 18/10/14 12:06, mots wrote:
>>> Yes, the output matches the one from before.
>>>
>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555
>>>
>>> Am 18.10.2014 um 12:56 schrieb Rowland Penny:
>> OK, everything about the Administrator account seems correct (even the
>> accountExpires attribute; concentrating on the expiry day & month, I
>> totally missed that it wouldn't expire until the year 4253, LOL), so I
>> am at a bit of a loss now. Perhaps there is something in smb.conf that
>> is causing this, so could you post your smb.conf?
>>
>> Rowland
>>
>>>> On 18/10/14 11:45, mots wrote:
>>>>> Thanks, but that didn't work, I'm still getting the same error.
>>>>>
>>>>> Also weird: if the account was expired, then I shouldn't have been
>>>>> able to log in at all, right?
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> mots
>>>>>
>>>>> Am 18.10.2014 um 11:50 schrieb Rowland Penny:
>>>>>> On 18/10/14 10:20, mots wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>> now. It still works for all users except "Administrator".
>>>>>>>
>>>>>>> If I login to a Windows box with the Administrator account, I can't
>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>> error
>>>>>>> "The security ID structure is invalid".
>>>>>>>
>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>> returns "The RPC server is unavailable".
>>>>>>>
>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>> server running samba I receive this error: "session setup failed:
>>>>>>> NT_STATUS_INVALID_SID".
>>>>>>>
>>>>>>> Is there a way to fix this without restoring the database from backup?
>>>>>>>
>>>>>>> Kind regards,
>>>>>>>
>>>>>>> mots
>>>>>> Possibly. Have you done anything to the Administrator account?
>>>>>>
>>>>>> Also can you post the (sanitized) result of:
>>>>>>
>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>>>>>
>>>>>> You may have to alter '/var/lib/samba/private/sam.ldb' with the path
>>>>>> to your sam.ldb
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> That was the only obvious problem. OK, let's check if the Administrator
>>>> has the correct SID:
>>>>
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb DC=cluster | grep objectSid
>>>>
>>>> does the result match what you posted earlier ?
>>>>
>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
>>>>
>>>> Note: ignore the -500, this is the Administrator's RID and is always
>>>> '500'
>>>>
>>>> Rowland
>>>>
Hm, you said that you were using samba 4.2 and your smb.conf confirms
this (you are using the new(old) winbind 'winbindd') and I would have
thought that there would now be some of the familiar 'winbind' lines in
smb.conf. I would have thought the lines to map the builtin users would
be there:
idmap config * : backend = tdb
idmap config * : range = 2000-9999
But I suppose that idmap.ldb is still doing this.
This leads to what I think must be my last thoughts on this: I wonder if
the Administrator's SID is wrong in idmap.ldb:
ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
Search for -500 and check the SID to see if it matches what you found
earlier.
Rowland
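The check Rowland is walking through above (does the Administrator's objectSid equal the domain's objectSid plus RID 500, and is the stored SID structurally valid at all?) can be done offline on the ldbsearch output. The following is an added example, not code from the thread or from the Samba project; it parses ldbsearch-style LDIF, validates SID text and the binary SID layout (revision byte, sub-authority count byte, 48-bit authority, little-endian sub-authorities) and compares the two records. The sample LDIF is constructed from the SIDs quoted in the thread; the DN of the domain and Administrator records are assumed, not copied from mots' output.

```python
import re
import struct

# Well-known RID of the built-in domain Administrator account (always 500).
DOMAIN_RID_ADMINISTRATOR = 500
# An NT SID carries at most 15 sub-authorities.
SID_MAX_SUB_AUTHORITIES = 15

_SID_RE = re.compile(r"S-(\d+)-(\d+)((?:-\d+)*)")


def parse_sid(text):
    """Parse textual SID into (revision, identifier_authority, [sub_authorities]).
    Raises ValueError for anything that is not a structurally valid SID, which is
    what Windows reports as 'The security ID structure is invalid' and Samba as
    NT_STATUS_INVALID_SID."""
    m = _SID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities (%d)" % len(subs))
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    return revision, authority, subs


def is_valid_sid(text):
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def sid_to_bytes(text):
    """Encode a SID in the binary layout stored on disk / sent on the wire:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as little-endian uint32."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    """Decode a binary SID, rejecting a blob whose count byte disagrees with
    its length (the classic way a stored SID turns 'invalid')."""
    if len(data) < 8:
        raise ValueError("SID blob shorter than its 8-byte header")
    revision, count = data[0], data[1]
    if revision != 1 or count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("bad revision or sub-authority count")
    if len(data) != 8 + 4 * count:
        raise ValueError("count %d does not match blob length %d" % (count, len(data)))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def object_sids_from_ldif(ldif_text):
    """Map each dn in ldbsearch-style LDIF output to its objectSid string."""
    result, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("objectSid: ") and dn is not None:
            result[dn] = line[len("objectSid: "):].strip()
    return result


def check_administrator_sid(domain_sid, admin_sid):
    """Return (ok, reason): ok only when both SIDs parse and the Administrator
    SID is exactly the domain SID followed by RID 500."""
    try:
        _, d_auth, d_subs = parse_sid(domain_sid)
        _, a_auth, a_subs = parse_sid(admin_sid)
    except ValueError as e:
        return False, str(e)
    if not a_subs:
        return False, "Administrator SID carries no RID"
    if (d_auth, d_subs) != (a_auth, a_subs[:-1]):
        return False, "Administrator SID is not in domain %s" % domain_sid
    if a_subs[-1] != DOMAIN_RID_ADMINISTRATOR:
        return False, "RID is %d, expected %d" % (a_subs[-1], DOMAIN_RID_ADMINISTRATOR)
    return True, "Administrator SID is the domain SID plus RID 500"


# Constructed sample: the two SIDs quoted in the thread; the DNs are assumed.
SAMPLE_LDIF = """\
# record 1
dn: DC=cluster,DC=domain,DC=ch
objectSid: S-1-5-21-4290789724-2746532821-3856153555

# record 2
dn: CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch
objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
"""


def check_sample():
    sids = object_sids_from_ldif(SAMPLE_LDIF)
    return check_administrator_sid(sids["DC=cluster,DC=domain,DC=ch"],
                                   sids["CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch"])


if __name__ == "__main__":
    print(check_sample())
```

On a real DC, feed the function the output of the two ldbsearch commands from the thread (the domain record and cn=Administrator); ldbsearch already prints objectSid in text form, so only the string checks apply there, while the binary round trip is what a raw ldb or idmap.ldb entry has to satisfy.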