[Samba] Administrators SID is invalid.
Rowland Penny
rowlandpenny at googlemail.com
Sun Jan 18 11:27:05 MST 2015
On 18/01/15 18:10, Carlo wrote:
> Il 17/01/15 17:10, Rowland Penny ha scritto:
>> On 17/01/15 14:39, Carlo wrote:
>>>
>>>>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about
>>>>>>>>>>>>>> a month
>>>>>>>>>>>>>> now. It
>>>>>>>>>>>>>> still works for all users except "Administrator".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If I login to a Windows box with the Administrator
>>>>>>>>>>>>>> account, I
>>>>>>>>>>>>>> can't
>>>>>>>>>>>>>> connect to any shares and clicking on a mapped drive
>>>>>>>>>>>>>> returns the
>>>>>>>>>>>>>> error
>>>>>>>>>>>>>> "The security ID structure is invalid".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Opening "Active Directory Users and Computers" on the
>>>>>>>>>>>>>> Windows box
>>>>>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the
>>>>>>>>>>>>>> GNU/Linux
>>>>>>>>>>>>>> server
>>>>>>>>>>>>>> running samba I receive this error: "session setup failed:
>>>>>>>>>>>>>> NT_STATUS_INVALID_SID".
>>> Hello to all.
>>>
>>> I am still having this problem on 2 Samba 4.2* servers
>>>
>>> same problem and same behaviour after a month for one server and two
>>> weeks for another
>>>
>>> My system is:
>>> Centos 6.5
>>> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9
>>> 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>> and Samba version 4.2.0rc2
>>>
>>>
>>> Then I followed Rowland's suggestion to check the
>>> Administrator SID and the results were:
>>>
>>> ---/usr/local/samba/bin/ldbsearch -H
>>> /usr/local/samba/private/sam.ldb cn=Administrator
>>> dn: CN=Administrator,CN=Users,DC=domain,DC=lan
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Administrator
>>> description: Built-in account for administering the computer/domain
>>> instanceType: 4
>>> whenCreated: 20140918163432.0Z
>>> uSNCreated: 3545
>>> name: Administrator
>>> objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>>> adminCount: 1
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: Administrator
>>> sAMAccountType: 805306368
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
>>> isCriticalSystemObject: TRUE
>>> memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
>>> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
>>> memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
>>> memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
>>> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
>>> userAccountControl: 66048
>>> msDS-SupportedEncryptionTypes: 0
>>> pwdLastSet: 130658091420000000
>>> whenChanged: 20150115152542.0Z
>>> uSNChanged: 4885
>>> distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
>>>
>>> # Referral
>>> ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
>>>
>>> # Referral
>>> ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
>>>
>>> # Referral
>>> ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
>>>
>>> # returned 4 records
>>> # 1 entries
>>> # 3 referrals
>>>
>>>
>>> ---/usr/local/samba/bin/ldbsearch -H
>>> /usr/local/samba/private/sam.ldb DC=domain | grep objectSid
>>> objectSid: S-1-5-21-2643849351-2101160060-2305757802
>>>
>>>
>>> ---/usr/local/samba/bin/ldbedit -e vi -H
>>> /usr/local/samba/private/idmap.ldb
>>>
>>> # record 39
>>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>>> cn: S-1-5-21-2643849351-2101160060-2305757802-500
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>>> type: ID_TYPE_UID
>>> xidNumber: 0
>>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>>>
>>>
>>> As reported, the time is correct and the Administrator account never expires;
>>> you can check here:
>>> http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
>>>
>>> I have noted that the SID error "sometimes" (for 30 sec every 2/3 hours)
>>> does not appear, and I can work correctly with my Administrator
>>> account for 30-40 sec.
>>> The same thing happens on both Samba 4.2* servers.
>>>
>>> I've tested this error from WinXP/7/8/8.1 and it is always the same.
>>>
>>>
>>>
>>> I am posting the smb.conf:
>>>
>>> # Global parameters
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.LAN
>>> netbios name = ADDOMAIN
>>> server role = active directory domain controller
>>> dns forwarder = 8.8.8.8
>>> idmap_ldb:use rfc2307 = yes
>>> spoolss: architecture = Windows x64
>>>
>>>
>>>
>>> [netlogon]
>>> path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /usr/local/samba/var/locks/sysvol
>>> read only = No
>>>
>>> [public]
>>> path = /dati/public
>>> read only = No
>>>
>>> [users]
>>> path = /dati/users
>>> read only = No
>>>
>>> [profiles]
>>> path = /dati/profiles
>>> read only = No
>>> oplocks=no
>>>
>>> [printers]
>>> path = /var/spool/samba
>>> printable = yes
>>> printing = CUPS
>>>
>>> [print$]
>>> path = /srv/samba/Printer_drivers
>>> comment = Printer Drivers
>>> writeable = yes
>>>
>>>
>>>
>>> In messages.log I have something when I try to log in with the
>>> Administrator account with the right password; here I have an "Unable
>>> to convert SID":
>>>
>>>
>>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545,
>>> 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>>> Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID
>>> (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user
>>> token to a GID. Conversion was returned as type 1, full token:
>>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612,
>>> 0] ../libcli/security/security_token.c:63(security_token_debug)
>>> Jan 17 15:08:52 addomain smbd[21942]: Security token SIDs (13):
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]:
>>> S-1-5-21-2643849351-2101160060-2305757802-500
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]:
>>> S-1-5-21-2643849351-2101160060-2305757802-513
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 2]:
>>> S-1-5-21-2643849351-2101160060-2305757802-520
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 3]:
>>> S-1-5-21-2643849351-2101160060-2305757802-572
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 4]:
>>> S-1-5-21-2643849351-2101160060-2305757802-519
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 5]:
>>> S-1-5-21-2643849351-2101160060-2305757802-518
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]:
>>> S-1-5-21-2643849351-2101160060-2305757802-512
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 8]: S-1-5-2
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 9]: S-1-5-11
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 10]: S-1-5-32-544
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 11]: S-1-5-32-545
>>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 12]: S-1-5-32-554
>>> Jan 17 15:08:52 addomain smbd[21942]: Privileges (0x 1FFFFF00):
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 0]:
>>> SeTakeOwnershipPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 1]:
>>> SeBackupPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 2]:
>>> SeRestorePrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 3]:
>>> SeRemoteShutdownPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 4]:
>>> SeSecurityPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 5]:
>>> SeSystemtimePrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 6]:
>>> SeShutdownPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 7]:
>>> SeDebugPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 8]:
>>> SeSystemEnvironmentPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 9]:
>>> SeSystemProfilePrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 10]:
>>> SeProfileSingleProcessPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 11]:
>>> SeIncreaseBasePriorityPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 12]:
>>> SeLoadDriverPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 13]:
>>> SeCreatePagefilePrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 14]:
>>> SeIncreaseQuotaPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 15]:
>>> SeChangeNotifyPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 16]:
>>> SeUndockPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 17]:
>>> SeManageVolumePrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 18]:
>>> SeImpersonatePrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 19]:
>>> SeCreateGlobalPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 20]:
>>> SeEnableDelegationPrivilege
>>> Jan 17 15:08:52 addomain smbd[21942]: Rights (0x 403):
>>> Jan 17 15:08:52 addomain smbd[21942]: Right[ 0]:
>>> SeInteractiveLogonRight
>>> Jan 17 15:08:52 addomain smbd[21942]: Right[ 1]:
>>> SeNetworkLogonRight
>>> Jan 17 15:08:52 addomain smbd[21942]: Right[ 2]:
>>> SeRemoteInteractiveLogonRight
>>>
>>>
>>> Maybe the problem is with "idmap_ldb:use rfc2307 = yes" and winbind?
>>>
>>> Maybe this is an interesting part, but I don't understand where to look.
>>>
>>> ---/usr/local/samba/bin/ldbedit -e vi -H
>>> /usr/local/samba/private/idmap.ldb
>>> # record 37
>>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>>> cn: S-1-5-21-2643849351-2101160060-2305757802-512
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000008
>>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>>>
>>>
>>> Does someone have a similar behaviour to mine?
>>>
>>> Any kind of help or suggestion is welcome.
>>>
>>> Many thanks in advance!
>>>
>>> Regards
>>>
>>> Charles
>>>
>>
>> OK, I am a bit lost here, I can log in as Administrator to my DC, so
>> when you say 'when I try to log in with the Administrator account with the
>> right password', just how are you trying to log in?
> I've tried to log in with the "Administrator" user on a shared folder or at
> the user login at Windows startup.
Sorry, but I still don't understand just where you are trying to log
into and how. I think you mean that you cannot log into a domain joined
machine as Administrator and when you try to connect to the share as
Administrator when logged in as another user, you cannot connect. Is
this correct?
>
> When logging in with the "Administrator" user with a wrong password, Samba
> correctly denies the login and says nothing about a SID.
> Only if I put in the correct password does Samba respond with the Invalid SID
> error, write the log in messages.log and not let me log in or use the
> shared folder.
>>
>> Also, why are you using 4.2.0rc2, is this a test domain or production ?
>> If it is production, why are you ignoring what it says here:
>> https://wiki.samba.org/index.php/Obtaining_Samba
>>
>> Warning: Never install a development version in production! It may
>> contain untested features and can cause damages to your installation!
>> Development releases are for testing purposes only!
>>
>> Also, why are you ignoring what it says here:
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions
> Testing, and all of them have the same behaviour after some time.
> This thread was not started by me, but I've cut too many pieces out of the
> old thread and caused some misunderstanding, sorry...
>
>>
>> We do not recommend using the Domain Controller as a file
>> Server. This is due to issues with the winbind internal to the Domain
>> Controller. The recommendation is to run separate file or Member
>> Servers
>> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.
> OK, I'll use KVM to separate the file server from the domain controller in
> production because I've only one server.
>>
>> This still goes with 4.2
>>
>> I recommend that you try again with the latest stable release, 4.1.16
>> and see if the problem still persists, if it does we stand a better
>> chance of fixing it.
>
> With the latest stable release, 4.1.16, it seems to work well.
> No more SID error.
> Tomorrow I'll do some more accurate tests.
> Thank you for your support Rowland
>
> Testing 4.2rc4, the problem still exists.
> Do you recommend me to write something about this behaviour at
> https://bugzilla.samba.org/?
> I can still reproduce the SID error with 4.2rc2 /rc3 /rc4
If it works with 4.1.16 but not with 4.2.0rc4 and everything else is the
same, then yes, it does seem that it is a bug. You could try changing the
winbind daemon used by the 4.2.0rc4 machine; you would do this by adding
'server services = +winbind -winbindd' to smb.conf and restarting.
If this works and you can now log in as 'Administrator', then you need to
file a bug report about this.
Rowland
>
> charles
>>
>> Rowland
>>
>
>
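The smbd log quoted in the thread says that SID index 6 of the user token (RID 512, Domain Admins) could not be turned into a GID because the mapping "was returned as type 1". In Samba's id_type numbering, 0 is ID_TYPE_NOT_SPECIFIED, 1 is ID_TYPE_UID, 2 is ID_TYPE_GID and 3 is ID_TYPE_BOTH, so smbd was handed a UID-only mapping for a group SID. The following checker is an added example, not code from the thread or from the Samba project: it parses an idmap.ldb dump and the token SIDs from a log excerpt and applies the same rule security_token_to_unix_token() does (SID[0] must map to a UID, every later SID to a GID). The idmap dump and log lines are constructed; the RID-500 record copies the one in the thread, the RID-512 record is deliberately set to ID_TYPE_UID to reproduce the "type 1" condition (the poster's own dump shows ID_TYPE_BOTH, which is exactly the discrepancy worth checking), and the RID-513 record is assumed.

```python
# Added example (not from the thread or the Samba project): reproduce the
# SID-to-GID check of security_token_to_unix_token() against idmap.ldb:
# SID[0] must map to a UID, every other token SID to a GID.
import re
from typing import Dict, List, Tuple

# id_type values in the order smbd numbers them ("returned as type 1").
ID_TYPE_NAMES = ("ID_TYPE_NOT_SPECIFIED", "ID_TYPE_UID", "ID_TYPE_GID", "ID_TYPE_BOTH")

# Constructed idmap.ldb dump (LDIF as ldbedit/ldbsearch print it, trimmed to
# the attributes the check needs). The RID-500 record matches the thread
# (Administrator -> xid 0). The RID-512 record is deliberately ID_TYPE_UID
# here to reproduce the log's "type 1" condition; the 513 record is assumed.
IDMAP_LDIF = """\
# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_UID
xidNumber: 3000008

# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0

# record 40 (assumed)
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-513
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-513
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

# Constructed smbd log excerpt: the first nine SIDs of the thread's token,
# each on the single line smbd writes (the mail client wrapped them).
SMBD_LOG = """\
Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a GID. Conversion was returned as type 1, full token:
Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]: S-1-5-21-2643849351-2101160060-2305757802-500
Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]: S-1-5-21-2643849351-2101160060-2305757802-513
Jan 17 15:08:52 addomain smbd[21942]: SID[ 2]: S-1-5-21-2643849351-2101160060-2305757802-520
Jan 17 15:08:52 addomain smbd[21942]: SID[ 3]: S-1-5-21-2643849351-2101160060-2305757802-572
Jan 17 15:08:52 addomain smbd[21942]: SID[ 4]: S-1-5-21-2643849351-2101160060-2305757802-519
Jan 17 15:08:52 addomain smbd[21942]: SID[ 5]: S-1-5-21-2643849351-2101160060-2305757802-518
Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]: S-1-5-21-2643849351-2101160060-2305757802-512
Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
Jan 17 15:08:52 addomain smbd[21942]: SID[ 8]: S-1-5-2
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    # Blank lines separate records; '#' lines are ldb comments.
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def load_idmap(text: str) -> Dict[str, Tuple[str, int]]:
    # objectSid -> (id type, xidNumber) for every sidMap record.
    return {r["objectSid"]: (r["type"], int(r["xidNumber"]))
            for r in parse_ldif(text) if r.get("objectClass") == "sidMap"}


def parse_token_sids(log: str) -> List[str]:
    # Token SIDs in index order, from smbd's security_token_debug() output.
    found = {int(m.group(1)): m.group(2)
             for m in re.finditer(r"SID\[\s*(\d+)\]:\s*(S-[\d-]+)", log)}
    return [found[i] for i in sorted(found)]


def reported_type(log: str) -> str:
    # Decode the numeric id type in "Conversion was returned as type N".
    m = re.search(r"returned as type (\d+)", log)
    if m and int(m.group(1)) < len(ID_TYPE_NAMES):
        return ID_TYPE_NAMES[int(m.group(1))]
    return "none"


def check_token(sids: List[str], idmap: Dict[str, Tuple[str, int]]) -> List[Tuple[int, str, str]]:
    # (index, sid, verdict): SID[0] needs UID or BOTH, the rest GID or BOTH.
    report = []
    for index, sid in enumerate(sids):
        if sid not in idmap:
            report.append((index, sid, "unmapped"))  # no sidMap record in the dump
            continue
        id_type = idmap[sid][0]
        wanted = ("ID_TYPE_UID", "ID_TYPE_BOTH") if index == 0 else ("ID_TYPE_GID", "ID_TYPE_BOTH")
        report.append((index, sid, "ok" if id_type in wanted else "bad-type"))
    return report
```

On a real DC the two inputs would be the sidMap records dumped from idmap.ldb and the "Security token SIDs" block from messages.log. A "bad-type" verdict on a group SID means the stored mapping itself matches what smbd complained about; an "ok" verdict while the error keeps appearing means the record on disk and the answer smbd received disagree, which points at the lookup path (the winbind daemon the reply above suggests swapping) rather than at idmap.ldb.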