[Samba] Administrators SID is invalid.

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 20 12:40:52 MDT 2014


On 20/10/14 19:32, mots wrote:
> I think I've made some progress:
>
> It's not actually the user "Administrator" that's broken, it's the group
> "Administrators".
> Its SID in both sam.ldf and idmap.ldf is  S-1-5-32-544, which looks kind
> of short.

No, that is the complete SID, have a look here:

http://support.microsoft.com/kb/243330#

Rowland

>   Is there another place where the SID for groups is stored?
>
> Kind regards,
>
> mots
>
> Am 20.10.2014 um 14:41 schrieb mots:
>> Alright, now it's getting weird.
>>
>> I've restored the whole /usr/local/samba/private directory from a one
>> month old backup, yet I'm still getting the same error.
>>
>> Does anyone have an idea where else the problem could be?
>>
>> Kind regards,
>>
>> mots
>>
>> Am 18.10.2014 um 14:18 schrieb Rowland Penny:
>>> On 18/10/14 12:26, mots wrote:
>>>> My smb.conf file is really basic. I've only added a few lines for the
>>>> print server and enabled schema updates so I could install the zarafa AD
>>>> integration. It hasn't been changed since 29.09.2014.
>>>>
>>>> -rw-r--r-- 1 root staff 1116 Sep 29 13:18 /usr/local/samba/etc/smb.conf
>>>>
>>>> # Global parameters
>>>> [global]
>>>>           workgroup = CLUSTER
>>>>           realm = CLUSTER.DOMAIN.CH
>>>>           netbios name = SAMBA
>>>>           server role = active directory domain controller
>>>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>           idmap_ldb:use rfc2307 = yes
>>>>           rpc_server:spoolss = external
>>>>           rpc_daemon:spoolssd = fork
>>>>           load printers = yes
>>>>           spoolss: architecture = Windows x64
>>>>           unix extensions = no
>>>>           dsdb:schema update allowed = true
>>>>           load printers = yes
>>>>
>>>>
>>>> [netlogon]
>>>>           path =
>>>> /usr/local/samba/var/locks/sysvol/cluster.domain.ch/scripts
>>>>           read only = No
>>>>
>>>> [sysvol]
>>>>           path = /usr/local/samba/var/locks/sysvol
>>>>           read only = No
>>>>
>>>> [printers]
>>>>        path = /var/spool/samba
>>>>        printable = yes
>>>>        printing = CUPS
>>>>
>>>> [print$]
>>>>        path = /var/shares/Printer_drivers
>>>>        comment = Printer Drivers
>>>>        writeable = yes
>>>>
>>>> [profile$]
>>>>           path = /var/shares/profiles
>>>>           read only = no
>>>>
>>>> [doc$]
>>>>           path = /var/shares/docs
>>>>           read only = no
>>>>
>>>> [Customer]
>>>>           path = /var/shares/customer
>>>>           read only = No
>>>> [Buspro]
>>>>           path = /var/shares/buspro
>>>>           read only = No
>>>>
>>>> [Daten]
>>>>           path = /var/shares/daten
>>>>           read only = no
>>>>
>>>> Am 18.10.2014 um 13:18 schrieb Rowland Penny:
>>>>> On 18/10/14 12:06, mots wrote:
>>>>>> Yes, the output matches the one from before.
>>>>>>
>>>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555
>>>>>>
>>>>>> Am 18.10.2014 um 12:56 schrieb Rowland Penny:
>>>>> OK, everything about the Administrator account seems correct (even the
>>>>> accountExpires attribute, concentrating on the expiry day & month, I
>>>>> totally missed that it wouldn't expire until the year 4253 LOL ) so I
>>>>> am at a bit of a loss now. Perhaps there is something in smb.conf that
>>>>> is causing this, so could you post your smb.conf.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>> On 18/10/14 11:45, mots wrote:
>>>>>>>> Thanks, but that didn't work, I'm still getting the same error.
>>>>>>>>
>>>>>>>> Also weird: If the account was expired, then I shouldn't have been
>>>>>>>> able
>>>>>>>> to log in at all, right?
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>>
>>>>>>>> mots
>>>>>>>>
>>>>>>>> Am 18.10.2014 um 11:50 schrieb Rowland Penny:
>>>>>>>>> On 18/10/14 10:20, mots wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>>> now. It
>>>>>>>>>> still works for all users except "Administrator".
>>>>>>>>>>
>>>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>>>> can't
>>>>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>>>>> error
>>>>>>>>>> "The security ID structure is invalid".
>>>>>>>>>>
>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>
>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>> server
>>>>>>>>>> running samba I receive this error: "session setup failed:
>>>>>>>>>> NT_STATUS_INVALID_SID".
>>>>>>>>>>
>>>>>>>>>> Is there a way to fix this without restoring the database from
>>>>>>>>>> backup?
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>>
>>>>>>>>>> mots
>>>>>>>>> Possibly, have you done anything to the Administrator account?
>>>>>>>>>
>>>>>>>>> Also can you post the (sanitized) result of:
>>>>>>>>>
>>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>>>>>>>>
>>>>>>>>> You may have to alter '/var/lib/samba/private/sam.ldb' with the
>>>>>>>>> path
>>>>>>>>> to your sam.ldb
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>> That was the only obvious problem, OK, let's check if the Administrator
>>>>>>> has the correct SID:
>>>>>>>
>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb DC=cluster | grep
>>>>>>> objectSid
>>>>>>>
>>>>>>> does the result match what you posted earlier ?
>>>>>>>
>>>>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
>>>>>>>
>>>>>>> Note: ignore the -500, this is the Administrator's RID and is always
>>>>>>> '500'
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>> Hm, you said that you were using samba 4.2 and your smb.conf confirms
>>> this (you are using the new(old) winbind 'winbindd') and I would have
>>> thought that there would now be some of the familiar 'winbind' lines
>>> in smb.conf. I would have thought the lines to map the builtin users
>>> would be there:
>>>
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 2000-9999
>>>
>>> But I suppose that idmap.ldb is still doing this.
>>>
>>> This leads to what I think must be last thoughts on this, I wonder if
>>> the Administrators SID is wrong in idmap.ldb:
>>>
>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>>
>>> Search for -500 and check the SID to see if it matches what you found
>>> earlier.
>>>
>>> Rowland
>>>
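As an added example (not from this thread or from the Samba project), the following Python code shows why S-1-5-32-544 is a complete SID: it parses textual SIDs, converts them to and from the binary form stored in objectSid (revision byte, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities, per MS-DTYP), and classifies BUILTIN alias SIDs (S-1-5-32-RID) against domain SIDs (S-1-5-21-X-Y-Z with an optional trailing RID). The alias and RID name tables are a small constructed lookup, not the full well-known list; the error messages are this example's own.

```python
import re
import struct

# Constructed lookup tables: a few well-known RIDs, not the complete MS-DTYP list.
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests"}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

# Revision is always 1; authority and each sub-authority are decimal integers.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def parse_sid(text):
    """Parse a textual SID into (identifier_authority, [sub_authorities]).

    Raises ValueError for anything structurally invalid, which is what a
    server should do before it trusts a SID (the NT_STATUS_INVALID_SID case).
    """
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-") if s]
    if authority > 0xFFFFFFFFFFFF:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > 15:
        raise ValueError("more than 15 sub-authorities")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority exceeds 32 bits")
    return authority, subs


def sid_to_binary(text):
    """Encode a textual SID into the binary layout used by objectSid."""
    authority, subs = parse_sid(text)
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_binary(blob):
    """Decode a binary SID, rejecting blobs whose length and count disagree."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<" + "I" * count, blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def describe_sid(text):
    """Classify a SID: BUILTIN alias, domain SID, domain account, or other."""
    authority, subs = parse_sid(text)
    if authority == 5 and subs[:1] == [32]:
        # BUILTIN is S-1-5-32; its aliases carry exactly one more RID.
        if len(subs) == 1:
            return "BUILTIN domain SID"
        if len(subs) == 2:
            return "BUILTIN\\" + BUILTIN_ALIASES.get(subs[1], f"alias RID {subs[1]}")
        raise ValueError("BUILTIN SIDs have exactly one alias RID")
    if authority == 5 and subs[:1] == [21]:
        # A domain SID is S-1-5-21-X-Y-Z; accounts append one RID to it.
        if len(subs) == 4:
            return "domain SID (no RID)"
        if len(subs) == 5:
            return "domain account: " + DOMAIN_RIDS.get(subs[4], f"RID {subs[4]}")
        raise ValueError("domain SIDs are S-1-5-21-X-Y-Z optionally followed by one RID")
    return "other SID"


if __name__ == "__main__":
    # Values from the thread: the BUILTIN group, the domain SID and Administrator.
    for sid in ("S-1-5-32-544",
                "S-1-5-21-4290789724-2746532821-3856153555",
                "S-1-5-21-4290789724-2746532821-3856153555-500"):
        print(sid, "->", describe_sid(sid), sid_to_binary(sid).hex())
```

Run directly, the script prints the classification and hex objectSid encoding of the three SIDs quoted in the thread; the round trip through sid_to_binary and sid_from_binary is a quick way to check a SID pulled from ldbsearch output against the raw attribute bytes.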
