[Samba] Administrators SID is invalid.

Rowland Penny rowlandpenny at googlemail.com
Sat Jan 17 09:10:41 MST 2015


On 17/01/15 14:39, Carlo wrote:
>
>>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>>>>> now. It still works for all users except "Administrator".
>>>>>>>>>>>>
>>>>>>>>>>>> If I log in to a Windows box with the Administrator account, I can't
>>>>>>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>>>>>>> error "The security ID structure is invalid".
>>>>>>>>>>>>
>>>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>>>
>>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>>>> server running samba I receive this error: "session setup failed:
>>>>>>>>>>>> NT_STATUS_INVALID_SID".
>
>>>>> Hm, you said that you were using samba 4.2 and your smb.conf confirms
>>>>> this (you are using the new(old) winbind 'winbindd') and I would have
>>>>> thought that there would now be some of the familiar 'winbind' lines
>>>>> in smb.conf. I would have thought the lines to map the builtin users
>>>>> would be there:
>>>>>
>>>>>          idmap config * : backend = tdb
>>>>>          idmap config * : range = 2000-9999
>>>>>
>>>>> But I suppose that idmap.ldb is still doing this.
>>>>>
>>>>> This leads to what I think must be last thoughts on this, I wonder if
>>>>> the Administrators SID is wrong in idmap.ldb:
>
> Hello to all.
>
> I still have this problem on 2 Samba 4.2* servers.
>
> Same problem and same behavior after a month for one server and two
> weeks for another.
>
> My system is:
> Centos 6.5
> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 
> 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> and Samba version 4.2.0rc2
>
>
> Then I followed Rowland's suggestion to check the Administrator
> SID, and the results were:
>
> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
> cn=Administrator
> dn: CN=Administrator,CN=Users,DC=domain,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20140918163432.0Z
> uSNCreated: 3545
> name: Administrator
> objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
> memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
> memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
> userAccountControl: 66048
> msDS-SupportedEncryptionTypes: 0
> pwdLastSet: 130658091420000000
> whenChanged: 20150115152542.0Z
> uSNChanged: 4885
> distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
>
> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
> DC=domain | grep objectSid
> objectSid: S-1-5-21-2643849351-2101160060-2305757802
>
>
> ---/usr/local/samba/bin/ldbedit -e vi -H 
> /usr/local/samba/private/idmap.ldb
>
> # record 39
> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
> cn: S-1-5-21-2643849351-2101160060-2305757802-500
> objectClass: sidMap
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>
>
> As reported, the time is correct and the Administrator account never expires;
> you can check here:
> http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
>
> I have noted that the SID error "sometimes" (30 sec in 2/3 hours,
> sometimes) does not appear, and I can work correctly with my administrator
> account for 30-40 sec.
> The same thing happens on both of the Samba 4.2* servers.
>
> I've tested this error from winxp/7/8/8.1 and it is always the same.
>
>
>
> I am posting the smb.conf:
>
> # Global parameters
> [global]
>     workgroup = DOMAIN
>     realm = DOMAIN.LAN
>     netbios name = ADDOMAIN
>     server role = active directory domain controller
>     dns forwarder = 8.8.8.8
>     idmap_ldb:use rfc2307 = yes
>     spoolss: architecture = Windows x64
>
>
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [public]
>         path = /dati/public
>         read only = No
>
> [users]
>         path = /dati/users
>         read only = No
>
> [profiles]
>         path = /dati/profiles
>         read only = No
>     oplocks=no
>
> [printers]
>      path = /var/spool/samba
>      printable = yes
>      printing = CUPS
>
> [print$]
>      path = /srv/samba/Printer_drivers
>      comment = Printer Drivers
>      writeable = yes
>
>
>
> In messages.log I have something when I try to log in with the
> administrator account with the right password; here I have an "Unable
> to convert SID":
>
>
> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] 
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
> Jan 17 15:08:52 addomain smbd[21942]:   Unable to convert SID 
> (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user 
> token to a GID.  Conversion was returned as type 1, full token:
> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] 
> ../libcli/security/security_token.c:63(security_token_debug)
> Jan 17 15:08:52 addomain smbd[21942]:   Security token SIDs (13):
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  0]: 
> S-1-5-21-2643849351-2101160060-2305757802-500
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  1]: 
> S-1-5-21-2643849351-2101160060-2305757802-513
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  2]: 
> S-1-5-21-2643849351-2101160060-2305757802-520
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  3]: 
> S-1-5-21-2643849351-2101160060-2305757802-572
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  4]: 
> S-1-5-21-2643849351-2101160060-2305757802-519
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  5]: 
> S-1-5-21-2643849351-2101160060-2305757802-518
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  6]: 
> S-1-5-21-2643849351-2101160060-2305757802-512
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  7]: S-1-1-0
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  8]: S-1-5-2
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  9]: S-1-5-11
> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 10]: S-1-5-32-544
> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 11]: S-1-5-32-545
> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 12]: S-1-5-32-554
> Jan 17 15:08:52 addomain smbd[21942]:    Privileges (0x 1FFFFF00):
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  0]: 
> SeTakeOwnershipPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  1]: 
> SeBackupPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  2]: 
> SeRestorePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  3]: 
> SeRemoteShutdownPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  4]: 
> SeSecurityPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  5]: 
> SeSystemtimePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  6]: 
> SeShutdownPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  7]: 
> SeDebugPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  8]: 
> SeSystemEnvironmentPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  9]: 
> SeSystemProfilePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 10]: 
> SeProfileSingleProcessPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 11]: 
> SeIncreaseBasePriorityPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 12]: 
> SeLoadDriverPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 13]: 
> SeCreatePagefilePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 14]: 
> SeIncreaseQuotaPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 15]: 
> SeChangeNotifyPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 16]: 
> SeUndockPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 17]: 
> SeManageVolumePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 18]: 
> SeImpersonatePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 19]: 
> SeCreateGlobalPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 20]: 
> SeEnableDelegationPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:    Rights (0x 403):
> Jan 17 15:08:52 addomain smbd[21942]:     Right[  0]: 
> SeInteractiveLogonRight
> Jan 17 15:08:52 addomain smbd[21942]:     Right[  1]: SeNetworkLogonRight
> Jan 17 15:08:52 addomain smbd[21942]:     Right[  2]: 
> SeRemoteInteractiveLogonRight
>
>
> Maybe the problem is with "idmap_ldb:use rfc2307 = yes" and winbind?
>
> Maybe this is an interesting part, but I don't understand where to look.
>
> ---/usr/local/samba/bin/ldbedit -e vi -H 
> /usr/local/samba/private/idmap.ldb
> # record 37
> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
> cn: S-1-5-21-2643849351-2101160060-2305757802-512
> objectClass: sidMap
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
> type: ID_TYPE_BOTH
> xidNumber: 3000008
> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>
>
> Does someone have similar behavior?
>
> Any kind of help or suggestion is welcome.
>
> Many thanks in advance!
>
> Regards
>
> Charles
>

OK, I am a bit lost here. I can log in as Administrator to my DC, so when 
you say 'when I try to log in with the administrator account with the right 
password', just how are you trying to log in?

Also, why are you using 4.2.0rc2? Is this a test domain or production?
If it is production, why are you ignoring what it says here: 
https://wiki.samba.org/index.php/Obtaining_Samba

Warning: Never install a development version in production! It may 
contain untested features and can cause damages to your installation! 
Development releases are for testing purposes only!

Also, why are you ignoring what it says here: 
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions

We do not recommend using the Domain Controller as a file Server. 
This is due to issues with the winbind internal to the Domain 
Controller. The recommendation is to run separate file or Member Servers 
<https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.

This still goes with 4.2

I recommend that you try again with the latest stable release, 4.1.16, 
and see if the problem still persists. If it does, we stand a better 
chance of fixing it.

Rowland
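As an added illustration (not code from the thread, from Samba, or from either poster), a small Python checker that parses idmap.ldb records in the LDIF form quoted above and flags the kinds of inconsistency Rowland asked about: a mapping to xid 0, a domain-group SID stored as ID_TYPE_UID (a mapping that cannot satisfy the "convert SID ... to a GID" request seen in the log), and a SID that does not belong to the domain. The sample records are constructed to mirror the thread's records 37 and 39, with a third, deliberately wrong record added for demonstration.

```python
# Constructed sample modelled on the idmap.ldb records quoted in the thread;
# record 40 is invented here to show a group SID stored as a UID-only mapping.
DOMAIN_SID = "S-1-5-21-2643849351-2101160060-2305757802"
SAMPLE_LDIF = """\
# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008

# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0

# record 40 (constructed, deliberately wrong)
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-513
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-513
type: ID_TYPE_UID
xidNumber: 3000001
"""

# RIDs of the well-known domain groups present in the quoted security token.
GROUP_RIDS = {512, 513, 518, 519, 520, 572}

def parse_sidmaps(ldif):
    """Return one dict per sidMap record; records are blank-line separated, '#' lines skipped."""
    records, current = [], {}
    for line in ldif.splitlines() + [""]:
        if not line.strip():
            if current.get("objectClass") == "sidMap":
                records.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return records

def check_sidmaps(ldif, domain_sid):
    """Return (sid, reason) findings for mappings worth a second look."""
    findings = []
    for rec in parse_sidmaps(ldif):
        sid, typ, xid = rec["objectSid"], rec["type"], int(rec["xidNumber"])
        rid = int(sid.rsplit("-", 1)[1])
        if sid.startswith("S-1-5-21-") and not sid.startswith(domain_sid + "-"):
            findings.append((sid, "SID does not belong to this domain SID"))
        if xid == 0:
            findings.append((sid, "maps to xid 0 (root); confirm this is intended"))
        if typ == "ID_TYPE_UID" and (rid in GROUP_RIDS or sid.startswith("S-1-5-32-")):
            findings.append((sid, "group SID stored as ID_TYPE_UID: cannot be converted to a GID"))
    return findings
```

Run it against a real dump with `ldbsearch -H /usr/local/samba/private/idmap.ldb objectClass=sidMap` piped into `check_sidmaps`, substituting the domain SID from sam.ldb.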


