[Samba] Administrators SID is invalid.
Carlo
mail.list.it at gmail.com
Sat Jan 17 07:39:41 MST 2015
>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>>>> now. It
>>>>>>>>>>> still works for all users except "Administrator".
>>>>>>>>>>>
>>>>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>>>>> can't
>>>>>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>>>>>> error
>>>>>>>>>>> "The security ID structure is invalid".
>>>>>>>>>>>
>>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>>
>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>>> server
>>>>>>>>>>> running samba I receive this error: "session setup failed:
>>>>>>>>>>> NT_STATUS_INVALID_SID".
>>>> Hm, you said that you were using samba 4.2 and your smb.conf confirms
>>>> this (you are using the new(old) winbind 'winbindd') and I would have
>>>> thought that there would now be some of the familiar 'winbind' lines
>>>> in smb.conf. I would have thought the lines to map the builtin users
>>>> would be there:
>>>>
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-9999
>>>>
>>>> But I suppose that idmap.ldb is still doing this.
>>>>
>>>> This leads to what I think must be last thoughts on this, I wonder if
>>>> the Administrators SID is wrong in idmap.ldb:
Hello to all.
I still have this problem on two Samba 4.2* servers:
same problem and same behavior, after a month on one server and two weeks on the other.
My system is:
CentOS 6.5
addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
and Samba version 4.2.0rc2
Then I followed Rowland's suggestion to check the Administrator SID, and the results were:
---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb cn=Administrator
dn: CN=Administrator,CN=Users,DC=domain,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20140918163432.0Z
uSNCreated: 3545
name: Administrator
objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
pwdLastSet: 130658091420000000
whenChanged: 20150115152542.0Z
uSNChanged: 4885
distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
# Referral
ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
# Referral
ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
# Referral
ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
# returned 4 records
# 1 entries
# 3 referrals
---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb DC=domain | grep objectSid
objectSid: S-1-5-21-2643849351-2101160060-2305757802
---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
cn: S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
As reported, the time is correct and the Administrator account never expires;
you can check here:
http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
I have noted that the SID error "sometimes" (sometimes for 30 seconds in 2/3 hours) does not appear,
and I can work correctly with my Administrator account for 30-40 seconds.
The same thing happens on both Samba 4.2* servers.
I have tested this error from WinXP/7/8/8.1 and it is always the same.
I post the smb.conf:
# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.LAN
netbios name = ADDOMAIN
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
spoolss: architecture = Windows x64
[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[public]
path = /dati/public
read only = No
[users]
path = /dati/users
read only = No
[profiles]
path = /dati/profiles
read only = No
oplocks=no
[printers]
path = /var/spool/samba
printable = yes
printing = CUPS
[print$]
path = /srv/samba/Printer_drivers
comment = Printer Drivers
writeable = yes
In messages.log I have something when I try to log in with the Administrator account
with the right password; here I have an "Unable to convert SID":
Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0]
../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID
(S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a
GID. Conversion was returned as type 1, full token:
Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0]
../libcli/security/security_token.c:63(security_token_debug)
Jan 17 15:08:52 addomain smbd[21942]: Security token SIDs (13):
Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]:
S-1-5-21-2643849351-2101160060-2305757802-500
Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]:
S-1-5-21-2643849351-2101160060-2305757802-513
Jan 17 15:08:52 addomain smbd[21942]: SID[ 2]:
S-1-5-21-2643849351-2101160060-2305757802-520
Jan 17 15:08:52 addomain smbd[21942]: SID[ 3]:
S-1-5-21-2643849351-2101160060-2305757802-572
Jan 17 15:08:52 addomain smbd[21942]: SID[ 4]:
S-1-5-21-2643849351-2101160060-2305757802-519
Jan 17 15:08:52 addomain smbd[21942]: SID[ 5]:
S-1-5-21-2643849351-2101160060-2305757802-518
Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]:
S-1-5-21-2643849351-2101160060-2305757802-512
Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
Jan 17 15:08:52 addomain smbd[21942]: SID[ 8]: S-1-5-2
Jan 17 15:08:52 addomain smbd[21942]: SID[ 9]: S-1-5-11
Jan 17 15:08:52 addomain smbd[21942]: SID[ 10]: S-1-5-32-544
Jan 17 15:08:52 addomain smbd[21942]: SID[ 11]: S-1-5-32-545
Jan 17 15:08:52 addomain smbd[21942]: SID[ 12]: S-1-5-32-554
Jan 17 15:08:52 addomain smbd[21942]: Privileges (0x 1FFFFF00):
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 0]: SeTakeOwnershipPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 1]: SeBackupPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 2]: SeRestorePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 3]: SeRemoteShutdownPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 4]: SeSecurityPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 5]: SeSystemtimePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 6]: SeShutdownPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 7]: SeDebugPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 8]:
SeSystemEnvironmentPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 9]: SeSystemProfilePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 10]:
SeProfileSingleProcessPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 11]:
SeIncreaseBasePriorityPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 12]: SeLoadDriverPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 13]: SeCreatePagefilePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 14]: SeIncreaseQuotaPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 15]: SeChangeNotifyPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 16]: SeUndockPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 17]: SeManageVolumePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 18]: SeImpersonatePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 19]: SeCreateGlobalPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 20]:
SeEnableDelegationPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Rights (0x 403):
Jan 17 15:08:52 addomain smbd[21942]: Right[ 0]: SeInteractiveLogonRight
Jan 17 15:08:52 addomain smbd[21942]: Right[ 1]: SeNetworkLogonRight
Jan 17 15:08:52 addomain smbd[21942]: Right[ 2]: SeRemoteInteractiveLogonRight
Maybe the problem is with "idmap_ldb:use rfc2307 = yes" and winbind?
Maybe this is an interesting part, but I don't understand where to look.
---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
cn: S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
Does someone have similar behavior?
Any kind of help or suggestion is welcome.
Many thanks in advance!
Regards
Charles