[Samba] Administrators SID is invalid.

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 19 04:25:27 MST 2015


On 18/01/15 18:27, Rowland Penny wrote:
> On 18/01/15 18:10, Carlo wrote:
>>> On 17/01/15 17:10, Rowland Penny wrote:
>>> On 17/01/15 14:39, Carlo wrote:
>>>>
>>>>>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month now. It still works for all users except "Administrator".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I log in to a Windows box with the Administrator account, I can't connect to any shares and clicking on a mapped drive returns the error "The security ID structure is invalid".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box returns "The RPC server is unavailable".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux server running samba I receive this error: "session setup failed: NT_STATUS_INVALID_SID".
>>>> Hello to all.
>>>>
>>>> I still have this problem on 2 samba servers running 4.2*
>>>>
>>>> Same problem and same behavior: after a month for one server and two 
>>>> weeks for the other.
>>>>
>>>> My system is:
>>>> Centos 6.5
>>>> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>> and Samba version 4.2.0rc2
>>>>
>>>>
>>>> Then I followed Rowland's suggestion about checking the 
>>>> Administrator SID, and the results were:
>>>>
>>>> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb cn=Administrator
>>>> dn: CN=Administrator,CN=Users,DC=domain,DC=lan
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: Administrator
>>>> description: Built-in account for administering the computer/domain
>>>> instanceType: 4
>>>> whenCreated: 20140918163432.0Z
>>>> uSNCreated: 3545
>>>> name: Administrator
>>>> objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> primaryGroupID: 513
>>>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>>>> adminCount: 1
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: Administrator
>>>> sAMAccountType: 805306368
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
>>>> isCriticalSystemObject: TRUE
>>>> memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
>>>> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
>>>> memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
>>>> memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
>>>> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
>>>> userAccountControl: 66048
>>>> msDS-SupportedEncryptionTypes: 0
>>>> pwdLastSet: 130658091420000000
>>>> whenChanged: 20150115152542.0Z
>>>> uSNChanged: 4885
>>>> distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
>>>>
>>>> # Referral
>>>> ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
>>>>
>>>> # Referral
>>>> ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
>>>>
>>>> # Referral
>>>> ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
>>>>
>>>> # returned 4 records
>>>> # 1 entries
>>>> # 3 referrals
>>>>
>>>>
>>>> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb DC=domain | grep objectSid
>>>> objectSid: S-1-5-21-2643849351-2101160060-2305757802
>>>>
>>>>
>>>> ---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
>>>>
>>>> # record 39
>>>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>>>> cn: S-1-5-21-2643849351-2101160060-2305757802-500
>>>> objectClass: sidMap
>>>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>>>> type: ID_TYPE_UID
>>>> xidNumber: 0
>>>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>>>>
>>>>
>>>> As reported, the time is correct and the Administrator account never expires;
>>>> you can check here: 
>>>> http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
>>>>
>>>> I have noted that the SID error "sometimes" (for 30 sec every 2/3 hours, 
>>>> sometimes) does not appear and I can work correctly with my Administrator 
>>>> account for 30-40 sec.
>>>> The same thing happens on both samba 4.2* servers.
>>>>
>>>> I've tested this error from WinXP/7/8/8.1 and it is always the same.
>>>>
>>>>
>>>>
>>>> I post the smb.conf:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>     workgroup = DOMAIN
>>>>     realm = DOMAIN.LAN
>>>>     netbios name = ADDOMAIN
>>>>     server role = active directory domain controller
>>>>     dns forwarder = 8.8.8.8
>>>>     idmap_ldb:use rfc2307 = yes
>>>>     spoolss: architecture = Windows x64
>>>>
>>>> [netlogon]
>>>>     path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
>>>>     read only = No
>>>>
>>>> [sysvol]
>>>>     path = /usr/local/samba/var/locks/sysvol
>>>>     read only = No
>>>>
>>>> [public]
>>>>     path = /dati/public
>>>>     read only = No
>>>>
>>>> [users]
>>>>     path = /dati/users
>>>>     read only = No
>>>>
>>>> [profiles]
>>>>     path = /dati/profiles
>>>>     read only = No
>>>>     oplocks = no
>>>>
>>>> [printers]
>>>>     path = /var/spool/samba
>>>>     printable = yes
>>>>     printing = CUPS
>>>>
>>>> [print$]
>>>>     path = /srv/samba/Printer_drivers
>>>>     comment = Printer Drivers
>>>>     writeable = yes
>>>>
>>>>
>>>>
>>>> In messages.log I have something when I try to log in with the 
>>>> Administrator account with the right password; here I have an 
>>>> "Unable to convert SID":
>>>>
>>>>
>>>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>>>> Jan 17 15:08:52 addomain smbd[21942]:   Unable to convert SID (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a GID.  Conversion was returned as type 1, full token:
>>>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] ../libcli/security/security_token.c:63(security_token_debug)
>>>> Jan 17 15:08:52 addomain smbd[21942]:   Security token SIDs (13):
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  0]: S-1-5-21-2643849351-2101160060-2305757802-500
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  1]: S-1-5-21-2643849351-2101160060-2305757802-513
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  2]: S-1-5-21-2643849351-2101160060-2305757802-520
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  3]: S-1-5-21-2643849351-2101160060-2305757802-572
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  4]: S-1-5-21-2643849351-2101160060-2305757802-519
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  5]: S-1-5-21-2643849351-2101160060-2305757802-518
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  6]: S-1-5-21-2643849351-2101160060-2305757802-512
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  7]: S-1-1-0
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  8]: S-1-5-2
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  9]: S-1-5-11
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 10]: S-1-5-32-544
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 11]: S-1-5-32-545
>>>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 12]: S-1-5-32-554
>>>> Jan 17 15:08:52 addomain smbd[21942]:    Privileges (0x 1FFFFF00):
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  0]: SeTakeOwnershipPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  1]: SeBackupPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  2]: SeRestorePrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  3]: SeRemoteShutdownPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  4]: SeSecurityPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  5]: SeSystemtimePrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  6]: SeShutdownPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  7]: SeDebugPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  8]: SeSystemEnvironmentPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  9]: SeSystemProfilePrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 10]: SeProfileSingleProcessPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 12]: SeLoadDriverPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 13]: SeCreatePagefilePrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 14]: SeIncreaseQuotaPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 15]: SeChangeNotifyPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 16]: SeUndockPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 17]: SeManageVolumePrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 18]: SeImpersonatePrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 19]: SeCreateGlobalPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 20]: SeEnableDelegationPrivilege
>>>> Jan 17 15:08:52 addomain smbd[21942]:    Rights (0x 403):
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  0]: SeInteractiveLogonRight
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  1]: SeNetworkLogonRight
>>>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  2]: SeRemoteInteractiveLogonRight
>>>>
>>>>
>>>> Maybe the problem was with "idmap_ldb:use rfc2307 = yes" and winbind?
>>>>
>>>> Maybe this is an interesting part, but I don't understand where to 
>>>> look.
>>>>
>>>> ---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
>>>> # record 37
>>>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>>>> cn: S-1-5-21-2643849351-2101160060-2305757802-512
>>>> objectClass: sidMap
>>>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
>>>> type: ID_TYPE_BOTH
>>>> xidNumber: 3000008
>>>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>>>>
>>>>
>>>> Does someone have similar behavior?
>>>>
>>>> Any kind of help or suggestion is welcome.
>>>>
>>>> Many thanks in advance!
>>>>
>>>> Regards
>>>>
>>>> Charles
>>>>
>>>
>>> OK, I am a bit lost here, I can log in as Administrator to my DC, so 
>>> when you say 'when i try to login with administrator account with 
>>> the right password', just how are you trying to log in?
>> I've tried to log in with the "Administrator" user to a shared folder or 
>> at user login at Windows start.
>
> Sorry, but I still don't understand just where you are trying to 
> log into and how. I think you mean that you cannot log into a 
> domain joined machine as Administrator and when you try to connect to 
> the share as Administrator when logged in as another user, you cannot 
> connect. Is this correct?
>
>
>>
>> Logging in with the "Administrator" user with a wrong password, samba 
>> correctly denies the login and says nothing about the SID.
>> Only if I put in the correct password does samba respond with the Invalid 
>> SID error, write a log entry in messages.log and not let me log in or 
>> use the shared folder.
>>>
>>> Also, why are you using 4.2.0rc2, is this a test domain or production ?
>>> If it is production, why are you ignoring what it says here: 
>>> https://wiki.samba.org/index.php/Obtaining_Samba
>>>
>>> *Warning: Never install a development version in production! It may 
>>> contain untested features and can cause damages to your 
>>> installation! Development releases are for testing purposes only!
>>>
>>> *Also* why are you ignoring what it says here: 
>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions
>> Testing, and all of them have the same behavior after some time.
>> This thread was not started by me, but I've made too many cuts of the 
>> old thread and caused some misunderstanding, sorry...
>>
>>>
>>> We *do not recommend* using the Domain Controller as a file 
>>> Server. This is due to issues with the winbind internal to the 
>>> Domain Controller. The recommendation is to run separate file or 
>>> Member Servers 
>>> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.
>> OK, I'll use KVM to separate the fileserver from the domain controller in 
>> production because I've only got one server.
>>>
>>> This still goes with 4.2
>>>
>>> I recommend that you try again with the latest stable release, 
>>> 4.1.16 and see if the problem still persists, if it does we stand a 
>>> better chance of fixing it.
>>
>> With the latest stable release 4.1.16 it seems to work well.
>> No more SID error.
>> Tomorrow I'll do some more accurate tests.
>> Thank you for your support Rowland
>>
>> Testing 4.2rc4 the problem still exists.
>> Do you recommend me to write something about this behaviour at 
>> https://bugzilla.samba.org/?
>> I still can reproduce the SID error with 4.2rc2 /rc3 /rc4
>
> If it works with 4.1.16 but not with 4.2.0rc4 and everything else is 
> the same, then yes it does seem that it is a bug. You could try 
> changing the winbind daemon used by the 4.2.0rc4 machine, you would 
> do this by adding 'server services = +winbind -winbindd' to smb.conf and 
> restarting.
>
> If this works and you can now login as 'Administrator', then you need 
> to file a bug report about this.
>
> Rowland
>>
>> charles
>>>
>>> Rowland
>>>
>>
>>
>

OK, did a bit more investigation into this and I can log into a samba 
4.2.0rc2 DC as 'Administrator', but I had to do a bit more config than 
the standard './configure, make, make install' gives.

I had to install 'apt-get install libpam-krb5' (this is on Debian Wheezy)

Link some files:

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/x86_64-linux-gnu/libnss_winbind.so
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so.2
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

Create a pam config file:

nano /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
     [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
     [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
     [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
     [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
Password-Initial:
     [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
     optional            pam_winbind.so

Add a line to smb.conf:

template shell = /bin/bash

Add 'winbind' to the 'passwd' & 'group' lines in /etc/nsswitch.conf

Allowed root to login via ssh

ran 'ssh Administrator@192.168.0.245'

Administrator@192.168.0.245's password:
Creating directory '/home/%D/%U'.
Linux dc42 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

So as you can see, it works for me.

Rowland
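An added example to go with the `Unable to convert SID ... Conversion was returned as type 1` log and the idmap.ldb records quoted in this thread (helper code written for this page; it is not Samba's code and was not posted by either participant). It decodes the FILETIME values Charles checked with the web converter, parses the ldbsearch/ldbedit dumps, pulls the SID list out of the smbd token dump and applies the rule smbd uses when it builds the unix token: the first SID must resolve to a UID and every other SID to a GID, with `ID_TYPE_BOTH` acceptable for either. The type names and numbering (`ID_TYPE_UID` = 1, so the log's "type 1" means UID-only) are Samba's `id_type` enum; the two idmap records are copied from the thread, the third is invented and marked as such so the audit has a failure to report. Run on the thread's two real records alone, `-512` passes as `ID_TYPE_BOTH`, which is what makes the logged "type 1" worth noticing: the answer smbd received for that SID did not match the record stored in idmap.ldb.

```python
# Offline triage of the evidence quoted in this thread. Helper code written for this
# page, not Samba's; sample data is constructed from the dumps above (one record invented).
import re
from datetime import datetime, timedelta, timezone
# pwdLastSet / accountExpires are Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 9223372036854775807  # INT64_MAX, stored in accountExpires for "never expires"

def filetime_to_iso(value):
    """ISO-8601 UTC string for a FILETIME, or 'never' for 0 / INT64_MAX."""
    if int(value) in (0, NEVER):
        return "never"
    when = FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ldif(text):
    """ldbsearch/ldbedit output -> [{attribute: [values]}]; no folding/base64 handling."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if cur:
                records.append(cur)
            cur = {}
        elif not line.startswith("#"):    # '#' lines are comments
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        records.append(cur)
    return records

def account_summary(record):
    """The two timestamps Charles checked with a web converter, decoded offline."""
    return {"sid": record["objectSid"][0],
            "pwdLastSet": filetime_to_iso(record["pwdLastSet"][0]),
            "accountExpires": filetime_to_iso(record["accountExpires"][0])}

# Samba's enum id_type: ID_TYPE_NOT_SPECIFIED=0, ID_TYPE_UID=1, ID_TYPE_GID=2,
# ID_TYPE_BOTH=3, so "Conversion was returned as type 1" in the log means UID-only.
OK_FOR_UID = {"ID_TYPE_UID", "ID_TYPE_BOTH"}
OK_FOR_GID = {"ID_TYPE_GID", "ID_TYPE_BOTH"}

def idmap_table(records):
    """{sid: (type, xidNumber)} from the sidMap records of an idmap.ldb dump."""
    return {r["objectSid"][0]: (r["type"][0], int(r["xidNumber"][0]))
            for r in records if r.get("objectClass") == ["sidMap"]}

def token_sids(log_lines):
    """[(index, sid)] from the 'SID[ n]:' lines of a security_token_debug dump."""
    found = (re.search(r"SID\[\s*(\d+)\]:\s*(S-[\d-]+)", line) for line in log_lines)
    return [(int(m.group(1)), m.group(2)) for m in found if m]

def audit_token(sids, idmap):
    """smbd's rule for the unix token: SID[0] needs a UID, every other SID a GID.
    Returns (mismatches, unmapped); SIDs absent from the dump are listed, not judged."""
    mismatches, unmapped = [], []
    for index, sid in sids:
        if sid not in idmap:
            unmapped.append(sid)
            continue
        kind, xid = idmap[sid]
        if kind not in (OK_FOR_UID if index == 0 else OK_FOR_GID):
            mismatches.append((index, sid, kind, xid))
    return mismatches, unmapped
# Constructed sample input; values copied from the thread unless noted.
ADMIN_LDIF = """\
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
accountExpires: 9223372036854775807
pwdLastSet: 130658091420000000
"""
IDMAP_LDIF = """\
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0

objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008

# invented, not from the thread: a group SID mapped UID-only, the failure shape the log reports
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-513
type: ID_TYPE_UID
xidNumber: 3000009
"""
LOG_LINES = [  # excerpt of the smbd token dump from the thread
    "smbd[21942]:     SID[  0]: S-1-5-21-2643849351-2101160060-2305757802-500",
    "smbd[21942]:     SID[  1]: S-1-5-21-2643849351-2101160060-2305757802-513",
    "smbd[21942]:     SID[  6]: S-1-5-21-2643849351-2101160060-2305757802-512",
    "smbd[21942]:     SID[ 10]: S-1-5-32-544",
]

def run_triage():
    admin = account_summary(parse_ldif(ADMIN_LDIF)[0])
    bad, missing = audit_token(token_sids(LOG_LINES), idmap_table(parse_ldif(IDMAP_LDIF)))
    return admin, bad, missing
print(run_triage())
```

To use it against a live DC, replace the three constants with the output of `ldbsearch -H .../sam.ldb cn=Administrator`, `ldbedit -e cat -H .../idmap.ldb` (or any LDIF dump of idmap.ldb) and the `Security token SIDs` lines from the log; SIDs reported as unmapped are simply absent from the dump, and winbindd may still allocate them on demand.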




