[Samba] Administrators SID is invalid.

mots nibutif at gmail.com
Sat Oct 18 06:31:36 MDT 2014


dn: CN=S-1-5-21-4290789724-2746532821-3856153555-500
cn: S-1-5-21-4290789724-2746532821-3856153555-500
objectClass: sidMap
objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
xidNumber: 0
type: ID_TYPE_UID
distinguishedName: CN=S-1-5-21-4290789724-2746532821-3856153555-500

The objectSid matches the one from before, though the two fields "dn"
and "distinguishedName" have different values. Is that normal?

Am 18.10.2014 um 14:18 schrieb Rowland Penny:
> On 18/10/14 12:26, mots wrote:
>> My smb.conf file is really basic. I've only added a few lines for the
>> print server and enabled schema updates so I could install the zarafa AD
>> integration. It hasn't been changed since 29.09.2014.
>>
>> -rw-r--r-- 1 root staff 1116 Sep 29 13:18 /usr/local/samba/etc/smb.conf
>>
>> # Global parameters
>> [global]
>>          workgroup = CLUSTER
>>          realm = CLUSTER.DOMAIN.CH
>>          netbios name = SAMBA
>>          server role = active directory domain controller
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>          idmap_ldb:use rfc2307 = yes
>>          rpc_server:spoolss = external
>>          rpc_daemon:spoolssd = fork
>>          load printers = yes
>>          spoolss: architecture = Windows x64
>>          unix extensions = no
>>          dsdb:schema update allowed = true
>>          load printers = yes
>>
>>
>> [netlogon]
>>          path =
>> /usr/local/samba/var/locks/sysvol/cluster.domain.ch/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /usr/local/samba/var/locks/sysvol
>>          read only = No
>>
>> [printers]
>>       path = /var/spool/samba
>>       printable = yes
>>       printing = CUPS
>>
>> [print$]
>>       path = /var/shares/Printer_drivers
>>       comment = Printer Drivers
>>       writeable = yes
>>
>> [profile$]
>>          path = /var/shares/profiles
>>          read only = no
>>
>> [doc$]
>>          path = /var/shares/docs
>>          read only = no
>>
>> [Customer]
>>          path = /var/shares/customer
>>          read only = No
>> [Buspro]
>>          path = /var/shares/buspro
>>          read only = No
>>
>> [Daten]
>>          path = /var/shares/daten
>>          read only = no
>>
>> Am 18.10.2014 um 13:18 schrieb Rowland Penny:
>>> On 18/10/14 12:06, mots wrote:
>>>> Yes, the output matches the one from before.
>>>>
>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555
>>>>
>>>> Am 18.10.2014 um 12:56 schrieb Rowland Penny:
>>> OK, everything about the Administrator account seems correct (even the
>>> accountExpires attribute, concentrating on the expiry day & month, I
>>> totally missed that it wouldn't expire until the year 4253 LOL ) so I
>>> am at a bit of a loss now. Perhaps there is something in smb.conf that
>>> is causing this, so could you post your smb.conf.
>>>
>>> Rowland
>>>
>>>>> On 18/10/14 11:45, mots wrote:
>>>>>> Thanks, but that didn't work, I'm still getting the same error.
>>>>>>
>>>>>> Also weird: If the account was expired, then I shouldn't have been
>>>>>> able
>>>>>> to log in at all, right?
>>>>>>
>>>>>> Kind regards,
>>>>>>
>>>>>> mots
>>>>>>
>>>>>> Am 18.10.2014 um 11:50 schrieb Rowland Penny:
>>>>>>> On 18/10/14 10:20, mots wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>> now. It
>>>>>>>> still works for all users except "Administrator".
>>>>>>>>
>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>> can't
>>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>>> error
>>>>>>>> "The security ID structure is invalid".
>>>>>>>>
>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>
>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>> server
>>>>>>>> running samba I receive this error: "session setup failed:
>>>>>>>> NT_STATUS_INVALID_SID".
>>>>>>>>
>>>>>>>> Is there a way to fix this without restoring the database from
>>>>>>>> backup?
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>>
>>>>>>>> mots
>>>>>>> possibly, have you done anything to the Administrator account ?
>>>>>>>
>>>>>>> Also can you post the (sanitized) result of:
>>>>>>>
>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>>>>>>
>>>>>>> You may have to alter '/var/lib/samba/private/sam.ldb' with the
>>>>>>> path
>>>>>>> to your sam.ldb
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>> That was the only obvious problem, ok lets check if the Administrator
>>>>> has the correct SID:
>>>>>
>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb DC=cluster | grep
>>>>> objectSid
>>>>>
>>>>> does the result match what you posted earlier ?
>>>>>
>>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
>>>>>
>>>>> Note: ignore the -500, this is the Administrator's RID and is always
>>>>> '500'
>>>>>
>>>>> Rowland
>>>>>
> Hm, you said that you were using samba 4.2 and your smb.conf confirms
> this (you are using the new(old) winbind 'winbindd') and I would have
> thought that there would now be some of the familiar 'winbind' lines
> in smb.conf. I would have thought the lines to map the builtin users
> would be there:
>
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
>
> But I suppose that idmap.ldb is still doing this.
>
> This leads to what I think must be last thoughts on this, I wonder if
> the Administrators SID is wrong in idmap.ldb:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> Search for -500 and check the SID to see if it matches what you found
> earlier.
>
> Rowland
>
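The check Rowland is walking through by hand (domain SID, Administrator SID ending in RID 500 and belonging to that domain, and a matching sidMap record in idmap.ldb), as an added script that is not part of this thread or of Samba. It parses LDIF text of the kind ldbsearch prints, validates that each SID is structurally well formed (the condition behind "The security ID structure is invalid" / NT_STATUS_INVALID_SID) and reports any inconsistency. The sample records are constructed from the SIDs quoted in the thread and trimmed to the attributes the check needs; the refusal of an ID_TYPE_GID mapping for a user SID is my own assumption about what would be wrong, not something the thread states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample LDIF modelled on the records quoted in the thread
# (domain SID S-1-5-21-4290789724-2746532821-3856153555). Not real output
# from the poster's DC; attributes the check does not need are omitted.
SAM_LDIF = """\
dn: DC=cluster,DC=domain,DC=ch
objectClass: domainDNS
objectSid: S-1-5-21-4290789724-2746532821-3856153555

dn: CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch
cn: Administrator
objectClass: user
objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
"""

IDMAP_LDIF = """\
dn: CN=S-1-5-21-4290789724-2746532821-3856153555-500
cn: S-1-5-21-4290789724-2746532821-3856153555-500
objectClass: sidMap
objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
xidNumber: 0
type: ID_TYPE_UID
"""

# A domain SID is S-1-5-21 plus exactly three subauthorities; an account
# SID appends exactly one RID. Anything else is a malformed SID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d{1,10}){3}$")
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21(?:-\d{1,10}){3})-(\d{1,10})$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated records, 'attr: value'
    lines, continuation lines start with one space. 'attr:: b64' values
    are kept as raw base64 text, which is fine for the attributes used here."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for line in text.splitlines():
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]          # folded value
        elif not line.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):                   # base64 marker
                value = value[1:]
            last_attr = attr.strip()
            current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def find_one(records, attr: str, value: str):
    """First record whose attribute 'attr' carries 'value', else None."""
    return next((r for r in records if value in r.get(attr, [])), None)


def check_administrator(sam_text: str, idmap_text: str) -> List[str]:
    """Return inconsistencies between the domain object, the Administrator
    account and its idmap.ldb mapping; an empty list means they agree."""
    findings: List[str] = []
    sam = parse_ldif(sam_text)
    domain = find_one(sam, "objectClass", "domainDNS")
    admin = find_one(sam, "cn", "Administrator")
    if domain is None or "objectSid" not in domain:
        return ["domain object or its objectSid not found in sam.ldb"]
    if admin is None or "objectSid" not in admin:
        return ["Administrator object or its objectSid not found in sam.ldb"]
    domain_sid, admin_sid = domain["objectSid"][0], admin["objectSid"][0]
    if not DOMAIN_SID_RE.match(domain_sid):
        findings.append(f"malformed domain SID: {domain_sid}")
    m = ACCOUNT_SID_RE.match(admin_sid)
    if not m:
        findings.append(f"malformed Administrator SID: {admin_sid}")
        return findings
    prefix, rid = m.group(1), int(m.group(2))
    if prefix != domain_sid:
        findings.append(f"Administrator SID {admin_sid} is not in domain {domain_sid}")
    if rid != 500:
        findings.append(f"Administrator RID is {rid}, expected 500")
    # idmap.ldb: one sidMap record keyed by the account SID.
    mapping = find_one(parse_ldif(idmap_text), "objectSid", admin_sid)
    if mapping is None:
        findings.append(f"no idmap.ldb entry for {admin_sid}")
        return findings
    if "sidMap" not in mapping.get("objectClass", []):
        findings.append("idmap entry for Administrator is not objectClass sidMap")
    xid = mapping.get("xidNumber", [""])[0]
    if not xid.isdigit():
        findings.append(f"idmap entry has non-numeric xidNumber {xid!r}")
    if mapping.get("type", [""])[0] == "ID_TYPE_GID":   # assumption: user SID must not map as a group
        findings.append("idmap entry maps a user SID as ID_TYPE_GID")
    return findings


if __name__ == "__main__":
    for line in check_administrator(SAM_LDIF, IDMAP_LDIF) or ["consistent"]:
        print(line)
```

Against a real DC, replace the two sample strings with the LDIF that the `ldbsearch -H .../sam.ldb` and `ldbedit -H .../idmap.ldb` commands quoted above show you; ldbsearch prints LDIF, so it can be pasted in unchanged. A "malformed" finding is the case to look at first, since a structurally bad SID is exactly what the client-side error names.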
