[Samba] Administrators SID is invalid.
Rowland Penny
rowlandpenny at googlemail.com
Sat Jan 17 09:10:41 MST 2015
On 17/01/15 14:39, Carlo wrote:
>
>>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a
>>>>>>>>>>>> month now. It still works for all users except "Administrator".
>>>>>>>>>>>>
>>>>>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>>>>>> can't connect to any shares and clicking on a mapped drive
>>>>>>>>>>>> returns the error "The security ID structure is invalid".
>>>>>>>>>>>>
>>>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows
>>>>>>>>>>>> box returns "The RPC server is unavailable".
>>>>>>>>>>>>
>>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>>>> server running samba I receive this error: "session setup failed:
>>>>>>>>>>>> NT_STATUS_INVALID_SID".
>
>>>>> Hm, you said that you were using samba 4.2 and your smb.conf confirms
>>>>> this (you are using the new(old) winbind 'winbindd') and I would have
>>>>> thought that there would now be some of the familiar 'winbind' lines
>>>>> in smb.conf. I would have thought the lines to map the builtin users
>>>>> would be there:
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>>
>>>>> But I suppose that idmap.ldb is still doing this.
>>>>>
>>>>> This leads to what I think must be last thoughts on this, I wonder if
>>>>> the Administrators SID is wrong in idmap.ldb:
>
> Hello to all.
>
> I am still having this problem on 2 Samba 4.2* servers.
>
> Same problem and same behavior after a month for one server and two
> weeks for the other.
>
> My system is:
> Centos 6.5
> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9
> 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> and Samba version 4.2.0rc2
>
>
> Then I followed Rowland's suggestion to check the Administrator
> SID, and the results were:
>
> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb
> cn=Administrator
> dn: CN=Administrator,CN=Users,DC=domain,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20140918163432.0Z
> uSNCreated: 3545
> name: Administrator
> objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
> memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
> memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
> userAccountControl: 66048
> msDS-SupportedEncryptionTypes: 0
> pwdLastSet: 130658091420000000
> whenChanged: 20150115152542.0Z
> uSNChanged: 4885
> distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
>
> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb
> DC=domain | grep objectSid
> objectSid: S-1-5-21-2643849351-2101160060-2305757802
>
>
> ---/usr/local/samba/bin/ldbedit -e vi -H
> /usr/local/samba/private/idmap.ldb
>
> # record 39
> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
> cn: S-1-5-21-2643849351-2101160060-2305757802-500
> objectClass: sidMap
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>
>
> As reported, the time is correct and the Administrator account never
> expires; you can check here:
> http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
>
> I have noted that the SID error "sometimes" (30 sec every 2/3 hours,
> sometimes) does not appear and I can work correctly with my
> Administrator account for 30-40 sec.
> The same thing happens on both Samba 4.2* servers.
>
> I've tested this error from WinXP/7/8/8.1 and it is always the same.
>
>
>
> I post the smb.conf:
>
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LAN
> netbios name = ADDOMAIN
> server role = active directory domain controller
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
> spoolss: architecture = Windows x64
>
>
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [public]
> path = /dati/public
> read only = No
>
> [users]
> path = /dati/users
> read only = No
>
> [profiles]
> path = /dati/profiles
> read only = No
> oplocks=no
>
> [printers]
> path = /var/spool/samba
> printable = yes
> printing = CUPS
>
> [print$]
> path = /srv/samba/Printer_drivers
> comment = Printer Drivers
> writeable = yes
>
>
>
> In messages.log I have something when I try to login with the
> Administrator account with the right password; here I have an "Unable
> to convert SID":
>
>
> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0]
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
> Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID
> (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user
> token to a GID. Conversion was returned as type 1, full token:
> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0]
> ../libcli/security/security_token.c:63(security_token_debug)
> Jan 17 15:08:52 addomain smbd[21942]: Security token SIDs (13):
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]:
> S-1-5-21-2643849351-2101160060-2305757802-500
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]:
> S-1-5-21-2643849351-2101160060-2305757802-513
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 2]:
> S-1-5-21-2643849351-2101160060-2305757802-520
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 3]:
> S-1-5-21-2643849351-2101160060-2305757802-572
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 4]:
> S-1-5-21-2643849351-2101160060-2305757802-519
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 5]:
> S-1-5-21-2643849351-2101160060-2305757802-518
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]:
> S-1-5-21-2643849351-2101160060-2305757802-512
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 8]: S-1-5-2
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 9]: S-1-5-11
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 10]: S-1-5-32-544
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 11]: S-1-5-32-545
> Jan 17 15:08:52 addomain smbd[21942]: SID[ 12]: S-1-5-32-554
> Jan 17 15:08:52 addomain smbd[21942]: Privileges (0x 1FFFFF00):
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 0]:
> SeTakeOwnershipPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 1]:
> SeBackupPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 2]:
> SeRestorePrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 3]:
> SeRemoteShutdownPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 4]:
> SeSecurityPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 5]:
> SeSystemtimePrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 6]:
> SeShutdownPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 7]:
> SeDebugPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 8]:
> SeSystemEnvironmentPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 9]:
> SeSystemProfilePrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 10]:
> SeProfileSingleProcessPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 11]:
> SeIncreaseBasePriorityPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 12]:
> SeLoadDriverPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 13]:
> SeCreatePagefilePrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 14]:
> SeIncreaseQuotaPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 15]:
> SeChangeNotifyPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 16]:
> SeUndockPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 17]:
> SeManageVolumePrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 18]:
> SeImpersonatePrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 19]:
> SeCreateGlobalPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 20]:
> SeEnableDelegationPrivilege
> Jan 17 15:08:52 addomain smbd[21942]: Rights (0x 403):
> Jan 17 15:08:52 addomain smbd[21942]: Right[ 0]:
> SeInteractiveLogonRight
> Jan 17 15:08:52 addomain smbd[21942]: Right[ 1]: SeNetworkLogonRight
> Jan 17 15:08:52 addomain smbd[21942]: Right[ 2]:
> SeRemoteInteractiveLogonRight
>
>
> Maybe the problem was with "idmap_ldb:use rfc2307 = yes" and winbind?
>
> Maybe this is an interesting part, but I don't understand where to look.
>
> ---/usr/local/samba/bin/ldbedit -e vi -H
> /usr/local/samba/private/idmap.ldb
> # record 37
> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
> cn: S-1-5-21-2643849351-2101160060-2305757802-512
> objectClass: sidMap
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
> type: ID_TYPE_BOTH
> xidNumber: 3000008
> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>
>
> Does someone have similar behavior to mine?
>
> Any kind of help or suggestion is welcome.
>
> Many thanks in advance!
>
> Regards
>
> Charles
>
OK, I am a bit lost here, I can login as Administrator to my DC, so when
you say 'when I try to login with the Administrator account with the right
password', just how are you trying to login?
Also, why are you using 4.2.0rc2, is this a test domain or production?
If it is production, why are you ignoring what it says here:
https://wiki.samba.org/index.php/Obtaining_Samba
Warning: Never install a development version in production! It may
contain untested features and can cause damages to your installation!
Development releases are for testing purposes only!
Also, why are you ignoring what it says here:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions
We do not recommend using the Domain Controller as a file server.
This is due to issues with the winbind internal to the Domain
Controller. The recommendation is to run separate file or Member Servers
<https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.
This still goes with 4.2
I recommend that you try again with the latest stable release, 4.1.16
and see if the problem still persists, if it does we stand a better
chance of fixing it.
Rowland
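The thread above prints a security_token_debug dump and idmap.ldb records side by side but never cross-checks them. The following Python script is an added diagnostic example; it is not Samba code and not something either participant posted. It parses ldbsearch/ldbedit LDIF output and the smbd log lines (stripping the syslog prefix and re-joining mail-wrapped lines), then flags group SIDs in the user token that idmap.ldb maps as ID_TYPE_UID, group SIDs with no idmap record, and the case shown in the log where the conversion type reported at runtime (type 1, which is ID_TYPE_UID in Samba's idmap enum) disagrees with the type stored in idmap.ldb. The sample log and LDIF inside the script are constructed to mirror the values posted above; the ID_TYPE_UID record for RID 513 is a deliberately wrong record added only to exercise the check and does not come from the thread.

```python
"""Cross-check the SIDs in a Samba security_token_debug dump against the
idmap.ldb records printed by ldbsearch/ldbedit.

Added diagnostic example, not Samba code. The sample data below is
constructed to mirror the thread (same domain SID and RIDs)."""
import re

# Samba's ID type enumeration (librpc/idl/idmap.idl): "type 1" in the
# unix_token.c message means ID_TYPE_UID.
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID",
            2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

# Well-known domain group RIDs and BUILTIN group SIDs that appear in the
# posted token; each of these must be resolvable to a GID.
GROUP_RIDS = {512, 513, 518, 519, 520, 572}
BUILTIN_GROUPS = {"S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-554"}

SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ smbd\[\d+\]: ")
CONVERT_ERR = re.compile(r"Unable to convert SID \((S-[\d-]+)\) at index (\d+) "
                         r"in user token to a GID\. Conversion was returned as type (\d+)")
TOKEN_SID = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")

# Constructed idmap.ldb excerpt: records 37 and 39 mirror the thread; the
# RID 513 record is deliberately wrong (a group mapped as a UID) for the demo.
SAMPLE_IDMAP = """\
# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008

# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0

# constructed, deliberately wrong record (not from the thread)
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-513
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-513
type: ID_TYPE_UID
xidNumber: 3000001
"""

# Constructed, trimmed log excerpt in the same mail-wrapped shape as the thread.
SAMPLE_LOG = """\
Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0]
../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID
(S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user
token to a GID. Conversion was returned as type 1, full token:
Jan 17 15:08:52 addomain smbd[21942]: Security token SIDs (5):
Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]: S-1-5-21-2643849351-2101160060-2305757802-500
Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]:
S-1-5-21-2643849351-2101160060-2305757802-513
Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]: S-1-5-21-2643849351-2101160060-2305757802-512
Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
Jan 17 15:08:52 addomain smbd[21942]: SID[ 10]: S-1-5-32-544
"""


def parse_ldif(text):
    """Parse ldbsearch/ldbedit LDIF into a list of dicts of attribute -> [values].
    '#' comment lines and blank lines terminate a record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def flatten_log(log_text):
    """Drop the syslog prefix and join continuation lines, so a SID that the
    mail client wrapped onto its own line lands next to its 'SID[ n]:' label."""
    return " ".join(SYSLOG_PREFIX.sub("", l).strip()
                    for l in log_text.splitlines() if l.strip())


def parse_token(log_text):
    """Return ((failed_sid, reported_type) or None, [SIDs in token order])."""
    flat = flatten_log(log_text)
    m = CONVERT_ERR.search(flat)
    failed = (m.group(1), int(m.group(3))) if m else None
    return failed, TOKEN_SID.findall(flat)


def is_group_sid(sid):
    """True for the well-known domain group RIDs and BUILTIN groups above."""
    if sid in BUILTIN_GROUPS:
        return True
    rid = sid.rsplit("-", 1)[-1]
    return sid.startswith("S-1-5-21-") and rid.isdigit() and int(rid) in GROUP_RIDS


def audit(idmap_ldif, log_text):
    """Cross-check every group SID in the token against idmap.ldb and return
    a list of (sid, finding) tuples."""
    idmap = {r["objectSid"][0]: r for r in parse_ldif(idmap_ldif) if "objectSid" in r}
    failed, sids = parse_token(log_text)
    findings = []
    for sid in sids:
        if not is_group_sid(sid):
            continue
        rec = idmap.get(sid)
        if rec is None:
            findings.append((sid, "group SID has no idmap.ldb record"))
        elif rec.get("type", [""])[0] == "ID_TYPE_UID":
            findings.append((sid, "group SID stored as ID_TYPE_UID in idmap.ldb; "
                                  "it can never be converted to a GID"))
    if failed:
        sid, typ = failed
        stored = idmap[sid]["type"][0] if sid in idmap else None
        if stored and stored != ID_TYPES.get(typ):
            findings.append((sid, f"runtime conversion returned {ID_TYPES.get(typ)} "
                                  f"but idmap.ldb stores {stored}; with "
                                  "'idmap_ldb:use rfc2307 = yes' also check the "
                                  "object's uidNumber/gidNumber in sam.ldb"))
    return findings


if __name__ == "__main__":
    for sid, why in audit(SAMPLE_IDMAP, SAMPLE_LOG):
        print(f"{sid}: {why}")
```

On a real DC the two inputs come from `ldbsearch -H /usr/local/samba/private/idmap.ldb objectClass=sidMap` and the smbd lines in messages.log; the script only reads text, so it can run on a copy of those dumps away from the server.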