[Samba] Administrators SID is invalid.

Carlo mail.list.it at gmail.com
Mon Jan 19 15:41:27 MST 2015


On 19/01/15 12:25, Rowland Penny wrote:
> On 18/01/15 18:27, Rowland Penny wrote:
>> On 18/01/15 18:10, Carlo wrote:
>>> On 17/01/15 17:10, Rowland Penny wrote:
>>>> On 17/01/15 14:39, Carlo wrote:
>>>>>
>>>>>>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>>>>>>>>> now. It
>>>>>>>>>>>>>>>> still works for all users except "Administrator".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>>>>>>>>>> can't
>>>>>>>>>>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>>>>>>>>>>> error
>>>>>>>>>>>>>>>> "The security ID structure is invalid".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>> running samba I receive this error: "session setup failed:
>>>>>>>>>>>>>>>> NT_STATUS_INVALID_SID".
>>>>> Hello to all.
>>>>>
>>>>> I am still having this problem on 2 Samba 4.2* servers.
>>>>>
>>>>> Same problem and same behavior after a month for one server and two weeks 
>>>>> for another.
>>>>>
>>>>> My system is:
>>>>> Centos 6.5
>>>>> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 
>>>>> UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>> and Samba version 4.2.0rc2
>>>>>
>>>>> I have noted that the SID error "sometimes" (for 30 sec every 2/3 hours) does 
>>>>> not appear and I can work correctly with my administrator account for 30-40 sec.
>>>>> The same thing happens on both Samba 4.2* servers.
>>>>>
>>>>> I've tested this from WinXP/7/8/8.1 and it is always the same.
>>>>>
>>>>> Maybe the problem is with "idmap_ldb:use rfc2307 = yes" and winbind?
>>>>>
>>>>>
>>>>> Does anyone have similar behavior?
>>>>>
>>>>> any kind of help or suggestion is welcome.
>>>>>
>>>>> Many thanks in advance!
>>>>>
>>>>> Regards
>>>>>
>>>>> Charles
>>>>>
>>>>
>>>> OK, I am a bit lost here, I can login as Administrator to my DC, so when 
>>>> you say 'when I try to login with the administrator account with the right 
>>>> password', just how are you trying to log in?
>>> I've tried to log in with the "Administrator" user on a shared folder or at 
>>> user login at Windows start.
>>
>> Sorry, but I still don't understand just where you are trying to log into 
>> and how. I think you mean that you cannot log into a domain joined machine as 
>> Administrator and, when you try to connect to the share as Administrator while 
>> logged in as another user, you cannot connect. Is this correct?

I'm sorry for my bad English.
I cannot log in as administrator from a non-joined machine to the share or to the 
Windows tools to administrate the Samba server (with a joined machine I can't 
log in as administrator).
I'll try to explain well.

For example:

The PC is a Windows 7 out of the domain; DNS points correctly to the Samba domain.

On the domain I have the users:
john (generic user)
administrator (the domain admin)

The IP of Samba is 192.168.99.250


\\192.168.99.250 (IP of Samba) from a non-joined machine, with no other user 
or other admin connected.
A window appears asking for a user and password to access the share.

- If I put here as username 'mydomain\john' or 'john' with the right password, 
Samba lets me see all the shares john can see.
- If I put here as username 'mydomain\administrator' or 'administrator' and the 
right password, the result is a box with a red cross and "The security ID 
structure is invalid" (same with 'smbclient -L localhost -U Administrator' on the 
Samba server CLI).

>>
>>
>>>
>>> Logging in with the "Administrator" user with a wrong password, Samba correctly 
>>> denies the login and says nothing about the SID.
>>> Only if I put the correct password does Samba respond with the Invalid SID error, 
>>> write a log entry in messages.log and not let me log in or use the shared folder.
>>>>
>>>> Also, why are you using 4.2.0rc2, is this a test domain or production ?
>>>> If it is production, why are you ignoring what it says here: 
>>>> https://wiki.samba.org/index.php/Obtaining_Samba
>>>>
>>>> Warning: Never install a development version in production! It may contain 
>>>> untested features and can cause damages to your installation! Development 
>>>> releases are for testing purposes only!
>>>>
>>>> Also, why are you ignoring what it says here: 
>>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions
>>> Testing, and all of them have the same behavior after some time.
>>> This thread was not started by me, but I've cut too many pieces out of the old 
>>> thread and caused some misunderstanding, sorry...
>>>
>>>>
>>>> We do not recommend using the Domain Controller as a file server. This 
>>>> is due to issues with the winbind internal to the Domain Controller. The 
>>>> recommendation is to run separate file or Member Servers 
>>>> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.
>>> OK, I'll use KVM to separate the file server from the domain controller in 
>>> production because I've only one server.
>>>>
>>>> This still goes with 4.2
>>>>
>>>> I recommend that you try again with the latest stable release, 4.1.16 and 
>>>> see if the problem still persists, if it does we stand a better chance of 
>>>> fixing it.
>>>
>>> With the latest stable release, 4.1.16, it seems to work well.
>>> No more SID error.
>>> Tomorrow I'll do some more accurate tests.
>>> Thank you for your support Rowland.
>>>
>>> Testing 4.2rc4, the problem still exists.
>>> Do you recommend that I write something about this behaviour at 
>>> https://bugzilla.samba.org/?
>>> I can still reproduce the SID error with 4.2rc2 / rc3 / rc4.
>>
>> If it works with 4.1.16 but not with 4.2.0rc4 and everything else is the 
>> same, then yes it does seem that it is a bug. You could try changing the 
>> winbind daemon used by the 4.2.0rc4 machine; you would do this by adding 'server 
>> services = +winbind -winbindd' to smb.conf and restarting.
>>
>> If this works and you can now login as 'Administrator', then you need to file 
>> a bug report about this.
Great Rowland, this works!!!
On Samba 4.2* with 'server services = +winbind -winbindd' Administrator can now 
log in fine.
So this is a bug I'll report.

> OK, did a bit more investigation into this and I can login into a samba 
> 4.2.0rc2 DC as 'Administrator', but I had to do a bit more config than the 
> standard './configure, make, make install' gives.
>
> I had to install 'apt-get install libpam-krb5' (this is on Debian Wheezy)
>
> Link some files:
>
> ln -s /usr/local/samba/lib/libnss_winbind.so 
> /lib/x86_64-linux-gnu/libnss_winbind.so
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 
> /lib/x86_64-linux-gnu/libnss_winbind.so.2
> ln -s /usr/local/samba/lib/libnss_wins.so.2 
> /lib/x86_64-linux-gnu/libnss_wins.so.2
> ln -s /usr/local/samba/lib/security/pam_winbind.so 
> /lib/x86_64-linux-gnu/security/pam_winbind.so
>
> Create a pam config file:
>
> nano /usr/share/pam-configs/winbind
>
> Name: Winbind NT/Active Directory authentication
> Default: yes
> Priority: 192
> Auth-Type: Primary
> Auth:
>     [success=end default=ignore]    pam_winbind.so krb5_auth 
> krb5_ccache_type=FILE cached_login try_first_pass
> Auth-Initial:
>     [success=end default=ignore]    pam_winbind.so krb5_auth 
> krb5_ccache_type=FILE cached_login
> Account-Type: Primary
> Account:
>     [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
> Password-Type: Primary
> Password:
>     [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
> Password-Initial:
>     [success=end default=ignore]    pam_winbind.so
> Session-Type: Additional
> Session:
>     optional            pam_winbind.so
>
> Add a line to smb.conf:
>
> template shell = /bin/bash
>
> Add 'winbind' to the 'passwd' & 'group' lines in /etc/nsswitch.conf
>
> Allowed root to login via ssh
>
> ran 'ssh Administrator@192.168.0.245'
>
> Administrator@192.168.0.245's password:
> Creating directory '/home/%D/%U'.
> Linux dc42 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
>
> So as you can see, it works for me.
Sorry for my late reply
Thank you for those very useful code lines; I'll use them in some other case if I 
need SSH access with Samba credentials!
I'm very thankful for your quick and experienced support.

Best regards

Charles
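Added example (mine, not from the thread or the Samba project): a small Python checker that resolves the effective 'server services' list from an smb.conf [global] section, honouring the '+name' / '-name' modifier syntax used in the workaround discussed above, and reports which winbind implementation a 4.2 DC would run. The default service list and the modifier semantics are assumptions, noted in the comments.

```python
import re

# Assumed 4.2 AD DC default ('winbindd' replaced the internal 'winbind' in 4.2).
DEFAULT_SERVICES_4_2 = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                        "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]

# Constructed sample smb.conf carrying the workaround from the thread.
SAMPLE_SMB_CONF = """[global]
    realm = DOMAIN.LAN
    server role = active directory domain controller
    # workaround from the thread: old internal winbind instead of winbindd
    server services = +winbind -winbindd
"""

def global_param(smb_conf, name):
    """Last value of `name` in [global] (None if unset); names match like Samba,
    ignoring case and whitespace. '#'/';' comment out a whole line only."""
    want = re.sub(r"\s+", "", name).lower()
    section = value = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, _, val = line.partition("=")
            if re.sub(r"\s+", "", key).lower() == want:
                value = val.strip()
    return value

def effective_services(value, default=DEFAULT_SERVICES_4_2):
    """Assumption: all-'+x'/'-x' tokens edit the default list in order; anything else replaces it."""
    tokens = [t for t in re.split(r"[,\s]+", value or "") if t]
    if not tokens:
        return list(default)
    if not all(t[0] in "+-" for t in tokens):
        return tokens
    services = list(default)
    for tok in tokens:
        if tok[0] == "+" and tok[1:] not in services:
            services.append(tok[1:])
        elif tok[0] == "-" and tok[1:] in services:
            services.remove(tok[1:])
    return services

def winbind_implementation(smb_conf):
    """'winbind' (internal), 'winbindd' (source3 daemon), 'both' or 'none'."""
    svc = set(effective_services(global_param(smb_conf, "server services")))
    active = {"winbind", "winbindd"} & svc
    return "both" if len(active) == 2 else (active.pop() if active else "none")
```

Running `winbind_implementation(open("/etc/samba/smb.conf").read())` on a DC tells you whether the workaround is in effect before you compare behaviour between versions.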