[Samba] Administrators SID is invalid.

Rowland Penny rowlandpenny at googlemail.com
Sat Oct 18 06:18:28 MDT 2014


On 18/10/14 12:26, mots wrote:
> My smb.conf file is really basic. I've only added a few lines for the
> print server and enabled schema updates so I could install the zarafa AD
> integration. It hasn't been changed since 29.09.2014.
>
> -rw-r--r-- 1 root staff 1116 Sep 29 13:18 /usr/local/samba/etc/smb.conf
>
> # Global parameters
> [global]
>          workgroup = CLUSTER
>          realm = CLUSTER.DOMAIN.CH
>          netbios name = SAMBA
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 = yes
>          rpc_server:spoolss = external
>          rpc_daemon:spoolssd = fork
>          load printers = yes
>          spoolss: architecture = Windows x64
>          unix extensions = no
>          dsdb:schema update allowed = true
>          load printers = yes
>
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/cluster.domain.ch/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
> [printers]
>       path = /var/spool/samba
>       printable = yes
>       printing = CUPS
>
> [print$]
>       path = /var/shares/Printer_drivers
>       comment = Printer Drivers
>       writeable = yes
>
> [profile$]
>          path = /var/shares/profiles
>          read only = no
>
> [doc$]
>          path = /var/shares/docs
>          read only = no
>
> [Customer]
>          path = /var/shares/customer
>          read only = No
> [Buspro]
>          path = /var/shares/buspro
>          read only = No
>
> [Daten]
>          path = /var/shares/daten
>          read only = no
>
> On 18.10.2014 at 13:18, Rowland Penny wrote:
>> On 18/10/14 12:06, mots wrote:
>>> Yes, the output matches the one from before.
>>>
>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555
>>>
>>> On 18.10.2014 at 12:56, Rowland Penny wrote:
>> OK, everything about the Administrator account seems correct (even the
>> accountExpires attribute, concentrating on the expiry day & month, I
>> totally missed that it wouldn't expire until the year 4253 LOL ) so I
>> am at a bit of a loss now. Perhaps there is something in smb.conf that
>> is causing this, so could you post your smb.conf.
>>
>> Rowland
>>
>>>> On 18/10/14 11:45, mots wrote:
>>>>> Thanks, but that didn't work, I'm still getting the same error.
>>>>>
>>>>> Also weird: if the account was expired, then I shouldn't have been
>>>>> able to log in at all, right?
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> mots
>>>>>
>>>>> On 18.10.2014 at 11:50, Rowland Penny wrote:
>>>>>> On 18/10/14 10:20, mots wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I've got a Samba 4.2 DC, which has worked well for about a month
>>>>>>> now. It still works for all users except "Administrator".
>>>>>>>
>>>>>>> If I log in to a Windows box with the Administrator account, I can't
>>>>>>> connect to any shares, and clicking on a mapped drive returns the
>>>>>>> error "The security ID structure is invalid".
>>>>>>>
>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>> returns "The RPC server is unavailable".
>>>>>>>
>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>> server running Samba I receive this error: "session setup failed:
>>>>>>> NT_STATUS_INVALID_SID".
>>>>>>>
>>>>>>> Is there a way to fix this without restoring the database from
>>>>>>> backup?
>>>>>>>
>>>>>>> Kind regards,
>>>>>>>
>>>>>>> mots
>>>>>> Possibly; have you done anything to the Administrator account?
>>>>>>
>>>>>> Also can you post the (sanitized) result of:
>>>>>>
>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>>>>>
>>>>>> You may have to alter '/var/lib/samba/private/sam.ldb' with the path
>>>>>> to your sam.ldb
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> That was the only obvious problem. OK, let's check whether the
>>>> Administrator has the correct SID:
>>>>
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb DC=cluster | grep objectSid
>>>>
>>>> does the result match what you posted earlier ?
>>>>
>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
>>>>
>>>> Note: ignore the -500, this is the Administrator's RID and is always
>>>> '500'
>>>>
>>>> Rowland
>>>>
Hm, you said that you were using Samba 4.2 and your smb.conf confirms
this (you are using the new (old) winbind, 'winbindd'), and I would have
thought that there would now be some of the familiar 'winbind' lines in
smb.conf. I would have thought the lines to map the built-in users would
be there:

         idmap config * : backend = tdb
         idmap config * : range = 2000-9999

But I suppose that idmap.ldb is still doing this.

This leads to what I think must be my last thoughts on this: I wonder if
the Administrator's SID is wrong in idmap.ldb:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

Search for -500 and check the SID to see if it matches what you found 
earlier.

Rowland
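The thread's three checks (the domain object's objectSid, the Administrator's objectSid ending in RID 500, and the matching record in idmap.ldb) can be run mechanically instead of eyeballing ldbsearch/ldbedit output. The script below is an added example written for this page, not Samba project code and not something either poster ran. It parses SID strings strictly (a string that does not parse is precisely what "The security ID structure is invalid" / NT_STATUS_INVALID_SID complains about), then cross-checks the domain SID, the Administrator's SID and its idmap.ldb mapping. It reads LDIF of the shape ldbsearch prints; the sample dumps are constructed here around the SID values quoted in the thread, and the idmap.ldb record layout (objectClass sidMap, objectSid, xidNumber), the domainDNS objectClass on the domain object and any file paths are assumptions of this example.

```python
"""Cross-check the Administrator SID between LDIF dumps of sam.ldb and idmap.ldb.
Added example for this thread, not Samba code; assumes ldbsearch-style LDIF input
and idmap.ldb records carrying objectClass sidMap, objectSid and xidNumber."""

ADMIN_RID = 500  # the built-in Administrator's RID is always 500


def parse_sid(sid):
    """Return (authority, [sub-authorities]) or raise ValueError when the string is
    not a structurally valid SID: 'S-1-', numeric parts, 1..15 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[:2] != ["S", "1"] or not all(p.isdigit() for p in parts[2:]):
        raise ValueError("malformed SID: %r" % sid)
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if authority >= 1 << 48 or len(subs) > 15 or max(subs) >= 1 << 32:
        raise ValueError("out-of-range SID component: %r" % sid)
    return authority, subs


def is_domain_sid(sid):
    """True for an NT domain SID, S-1-5-21-X-Y-Z (no RID)."""
    try:
        authority, subs = parse_sid(sid)
        return authority == 5 and len(subs) == 4 and subs[0] == 21
    except ValueError:
        return False


def split_rid(sid):
    """Split an S-1-5-21-X-Y-Z-RID account SID into (domain SID, RID)."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % sid)
    return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4]


def ldif_records(text):
    """Minimal LDIF reader: unfold leading-space continuation lines, skip '#'
    comments, split on blank lines; returns one {attr: [values]} dict per record."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return records


def check_administrator(sam_ldif, idmap_ldif):
    """Return findings; an empty list means the Administrator SID agrees between
    the domain object, the user object and its idmap.ldb mapping."""
    sam = ldif_records(sam_ldif)
    domains = [r["objectSid"][0] for r in sam if is_domain_sid(r.get("objectSid", [""])[0])]
    admins = [r for r in sam if r.get("sAMAccountName") == ["Administrator"]]
    if len(domains) != 1 or len(admins) != 1:
        return ["expected one domain object and one Administrator in the sam.ldb dump"]
    domain_sid, admin_sid = domains[0], admins[0].get("objectSid", [""])[0]
    try:
        admin_domain, rid = split_rid(admin_sid)
    except ValueError as exc:
        return ["Administrator objectSid: %s" % exc]
    findings = []
    if admin_domain != domain_sid:
        findings.append("Administrator SID %s is not under domain SID %s" % (admin_sid, domain_sid))
    if rid != ADMIN_RID:
        findings.append("Administrator RID is %d, expected %d" % (rid, ADMIN_RID))
    # idmap.ldb: every sidMap SID must parse; Administrator needs exactly one mapping with an xidNumber.
    admin_maps = []
    for rec in ldif_records(idmap_ldif):
        if "sidMap" not in rec.get("objectClass", []):
            continue
        for sid in rec.get("objectSid", []):
            try:
                parse_sid(sid)
            except ValueError as exc:
                findings.append("idmap.ldb %s: %s" % (rec.get("dn", ["?"])[0], exc))
                continue
            if sid == admin_sid:
                admin_maps.append(rec)
    if len(admin_maps) != 1:
        findings.append("idmap.ldb has %d mappings for %s, expected 1" % (len(admin_maps), admin_sid))
    elif "xidNumber" not in admin_maps[0]:
        findings.append("idmap.ldb entry for %s has no xidNumber" % admin_sid)
    return findings


DOMAIN = "S-1-5-21-4290789724-2746532821-3856153555"  # constructed samples below, not real DC output
SAM_LDIF = """# record 1
dn: DC=cluster,DC=domain,DC=ch
objectClass: domainDNS
objectSid: %s

dn: CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch
objectClass: user
sAMAccountName: Administrator
objectSid: %s-500
""" % (DOMAIN, DOMAIN)


def sidmap(sid, xid):
    """One idmap.ldb record in the assumed sidMap layout."""
    return "dn: CN=%s\nobjectClass: sidMap\nobjectSid: %s\nxidNumber: %d\n\n" % (sid, sid, xid)


IDMAP_OK = sidmap(DOMAIN + "-500", 3000000) + sidmap("S-1-5-32-544", 3000001)
IDMAP_BAD = sidmap(DOMAIN + "-", 3000000) + sidmap("S-1-5-32-544", 3000001)  # RID lost, dangling '-'

if __name__ == "__main__":
    print(check_administrator(SAM_LDIF, IDMAP_OK), check_administrator(SAM_LDIF, IDMAP_BAD))
```

On a real DC you would feed `check_administrator` the text of something like `ldbsearch -H <private dir>/sam.ldb '(|(objectClass=domainDNS)(sAMAccountName=Administrator))' objectSid sAMAccountName` and `ldbsearch -H <private dir>/idmap.ldb '(objectClass=sidMap)'` (the private dir is /usr/local/samba/private for an install like the poster's and /var/lib/samba/private for the paths in Rowland's commands; check your own). The script only reports; repairing a mangled idmap.ldb record is still done with ldbedit as described above, and as with any hand edit of the sam.ldb/idmap.ldb databases, take a backup first.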


