[Samba] Unable to convert first SID ( user DOMAIN\Administrator )

L.P.H. van Belle belle at bazuin.nl
Tue Dec 20 13:18:38 UTC 2016


Hai, 

 

! This problem came and is gone again, but it's an interesting thing; that's why I'm putting it on the samba list.

I added times in the message to make it clearer when what was done.

 

Upgraded samba from 4.4.5-3 to 4.5.3 yesterday.

 

Time : 10:15 in the morning.

Environment:

DC1 : debian Jessie samba 4.5.3
DC2 : debian Jessie samba 4.5.3
MEMBERs : in general samba 4.5.3 ( few 4.4.5-3 , 4.2.10, 3.6.6 )

 

Today I rebooted my management PC (Win7 64-bit) and logged in as DOMAIN\Administrator.

This works fine, GPO is applied correctly, until I needed to edit my GPO.

Starting the GPO editor gives the message "RPC server is not available".

Now I'm unable to browse to \\dc1.domain.tld with Explorer, but I can browse to \\dc2.domain.tld.

DC1 is the DC with the FSMO roles.

I can't edit GPO through either server atm; sometimes I'm able to connect to dc2, not every attempt.

I noticed the following in the logs (DC1):

 

[2016/12/20 11:14:04.328604,  0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID.  Conversion was returned as type 0, full token:
[2016/12/20 11:14:04.328687,  0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (14):
    SID[  0]: S-1-5-21-2934682428-1234567789-696969692-500
    SID[  1]: S-1-5-21-2934682428-1234567789-696969692-513
    SID[  2]: S-1-5-21-2934682428-1234567789-696969692-520
    SID[  3]: S-1-5-21-2934682428-1234567789-696969692-572
    SID[  4]: S-1-5-21-2934682428-1234567789-696969692-519
    SID[  5]: S-1-5-21-2934682428-1234567789-696969692-518
    SID[  6]: S-1-5-21-2934682428-1234567789-696969692-512
    SID[  7]: S-1-5-21-2934682428-1234567789-696969692-1399
    SID[  8]: S-1-1-0
    SID[  9]: S-1-5-2
    SID[ 10]: S-1-5-11
    SID[ 11]: S-1-5-32-544
    SID[ 12]: S-1-5-32-545
    SID[ 13]: S-1-5-32-554
   Privileges (0x        1FFFFFF0):
    Privilege[  0]: SeMachineAccountPrivilege
    Privilege[  1]: SeTakeOwnershipPrivilege
    Privilege[  2]: SeBackupPrivilege
    Privilege[  3]: SeRestorePrivilege
    Privilege[  4]: SeRemoteShutdownPrivilege
    Privilege[  5]: SePrintOperatorPrivilege
    Privilege[  6]: SeAddUsersPrivilege
    Privilege[  7]: SeDiskOperatorPrivilege
    Privilege[  8]: SeSecurityPrivilege
    Privilege[  9]: SeSystemtimePrivilege
    Privilege[ 10]: SeShutdownPrivilege
    Privilege[ 11]: SeDebugPrivilege
    Privilege[ 12]: SeSystemEnvironmentPrivilege
    Privilege[ 13]: SeSystemProfilePrivilege
    Privilege[ 14]: SeProfileSingleProcessPrivilege
    Privilege[ 15]: SeIncreaseBasePriorityPrivilege
    Privilege[ 16]: SeLoadDriverPrivilege
    Privilege[ 17]: SeCreatePagefilePrivilege
    Privilege[ 18]: SeIncreaseQuotaPrivilege
    Privilege[ 19]: SeChangeNotifyPrivilege
    Privilege[ 20]: SeUndockPrivilege
    Privilege[ 21]: SeManageVolumePrivilege
    Privilege[ 22]: SeImpersonatePrivilege
    Privilege[ 23]: SeCreateGlobalPrivilege
    Privilege[ 24]: SeEnableDelegationPrivilege
   Rights (0x             403):
    Right[  0]: SeInteractiveLogonRight
    Right[  1]: SeNetworkLogonRight
    Right[  2]: SeRemoteInteractiveLogonRight

 

 

A few tests.

Time : 10:45 in the morning.  ( yeah, I have more to do.. )

wbinfo --sid-aliases S-1-5-21-2934682428-1234567789-696969692-500
reports nothing

wbinfo --user-sids S-1-5-21-2934682428-1234567789-696969692-500
S-1-5-21-2934682428-1234567789-696969692-500
S-1-5-21-2934682428-1234567789-696969692-513
S-1-5-21-2934682428-1234567789-696969692-520
S-1-5-21-2934682428-1234567789-696969692-1399
S-1-5-21-2934682428-1234567789-696969692-519
S-1-5-21-2934682428-1234567789-696969692-512
S-1-5-21-2934682428-1234567789-696969692-518
S-1-5-21-2934682428-1234567789-696969692-572
S-1-5-32-545
S-1-5-32-544

Time : 13:00 in the afternoon.

wbinfo --user-sidinfo S-1-5-21-2934682428-1234567789-696969692-500
NTDOM\administrator:*:0:10000::/home/users/administrator:/bin/bash

wbinfo -s S-1-5-21-2934682428-1234567789-696969692-500
NTDOM\Administrator 1

wbinfo -S S-1-5-21-2934682428-1234567789-696969692-500
0

 

And DC2 logs (* I cleared them all after the upgrade yesterday, 4.4.5 => 4.5.3).

The only log message, and it looks ok.

log.smbd
[2016/12/20 08:00:45.047802,  0] ../source3/smbd/smbd_cleanupd.c:172(smbd_cleanupd_process_exited)
  smbd_cleanupd_process_exited: got 0 cleanup events, expected at least 1

 

Time : 13:15 in the afternoon.

Both database replications tested are without errors.

samba-tool ldapcmp --filter='whenChanged' ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
samba-tool drs showrepl

Time : 13:20 in the afternoon.

After I noticed the log messages I ran:

samba-tool dbcheck --cross-ncs --fix, and that fixed 936 errors out of 910 objects :-/ ?

! The problem still exists after the fix.

smb.conf of both DCs is the same except for the IP and hostnames.

 

[global]
        workgroup = NTDOM
        realm = INTERNAL.REALM

        # By default the netbios name is the system hostname.
        netbios name = DC1

        server role = active directory domain controller
        server services = -dns

        interfaces = 192.168.0.1 127.0.0.1
        bind interfaces only = yes
        time server = yes

        ## Don't forget to set the idmap_ldb on ALL DC's if you use it
        idmap_ldb:use rfc2307 = yes

        ## Keep this off!!
        ## This is only used for modifying the AD Schema and only done on the DC with the FSMO Roles.
        ## (parameter name corrected from "sdb:" to "dsdb:", which is the option Samba actually reads)
        dsdb:schema update allowed = no

        winbind nss info = rfc2307
        winbind expand groups = 4

        template shell = /bin/bash
        template homedir = /home/users/%U

        # disable printing completely, no error messages in the logs.
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        # disable usershares creating, when set empty, no error messages in the logs.
        usershare path =

        # Add and Update TLS Key
        tls enabled = yes
        tls keyfile = /etc/ssl/local/private/dc1.key.pem
        tls certfile = /etc/ssl/local/certs/dc1.cert.pem
        tls cafile = /etc/ssl/certs/company-ca.pem

#        log level = 10
#        debug timestamp = yes

[sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

[netlogon]
        path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
        read only = No
        acl_xattr:ignore system acls = yes

 

 

I'm only wondering why my Domain Administrator account gives these messages.

I can log in with my “extra” domain admin account; everything works fine.

Besides that, everything else checked so far works fine.

So I'm a bit puzzled here. What happened to the Administrator account, and why only on DC1?

Time : 14:00

Anyone? Any tips?

P.S. time 14:15

Now I checked one last time, and suddenly everything is working again.

And I didn't touch the samba servers, only logged in with “domain\Administrator” again.

Very strange.

Or Rowland, tell me what I forgot :-))   ;-)

 

 

Greetz, 

 

Louis
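Added example (not code from the post above or from the Samba project): a small triage script for the "Unable to convert first SID ... to a UID" message. It parses the security_token_debug dump Samba writes at log level 0, labels each SID, and asks winbind which SIDs idmap cannot turn into a Unix id, going one step beyond the post by checking every SID in the token rather than only the Administrator one. It assumes `wbinfo --sid-to-uid` / `--sid-to-gid` are on the DC; the embedded SAMPLE_LOG is a trimmed copy of the dump quoted above, and the resolver is injectable so the parsing runs offline.

```python
import re
import subprocess
from typing import Callable, List, Optional

# Constructed sample: the token dump quoted in the post, cut down to four SID lines.
SAMPLE_LOG = """\
  Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID.  Conversion was returned as type 0, full token:
    SID[  0]: S-1-5-21-2934682428-1234567789-696969692-500
    SID[  1]: S-1-5-21-2934682428-1234567789-696969692-513
    SID[  8]: S-1-1-0
    SID[ 11]: S-1-5-32-544
   Privileges (0x        1FFFFFF0):
"""

SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-\d+(?:-\d+)+)")
# Well-known RIDs of the domain and of BUILTIN, for the SIDs that appear in the post.
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
               518: "Schema Admins", 519: "Enterprise Admins", 520: "Group Policy Creator Owners"}
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 554: "Pre-Windows 2000 Compatible Access"}

def parse_token_sids(log_text: str) -> List[str]:
    """Return the SIDs of a security_token_debug dump in token order (SID[0] first)."""
    return SID_LINE.findall(log_text)

def describe(sid: str) -> str:
    """Label a SID as a domain account/group (by RID), a BUILTIN alias, or other well-known SID."""
    rid = int(sid.rsplit("-", 1)[1])
    if sid.startswith("S-1-5-21-"):        # <domain SID>-<RID>
        return "domain:" + DOMAIN_RIDS.get(rid, f"RID {rid}")
    if sid.startswith("S-1-5-32-"):        # BUILTIN\<alias>
        return "builtin:" + BUILTIN_RIDS.get(rid, f"RID {rid}")
    return "well-known:" + sid

def wbinfo_resolver(sid: str, kind: str) -> Optional[int]:
    """Ask winbind for the Unix id (kind is 'uid' or 'gid'); None when idmap cannot map it."""
    res = subprocess.run(["wbinfo", f"--sid-to-{kind}", sid], capture_output=True, text=True)
    return int(res.stdout) if res.returncode == 0 and res.stdout.strip().isdigit() else None

def unmapped_sids(log_text: str, resolver: Callable[[str, str], Optional[int]]) -> List[str]:
    """SIDs in the dump that idmap cannot convert. SID[0] is the user and must become a
    UID, the others become GIDs; 'returned as type 0' means idmap gave no id type at all."""
    sids = parse_token_sids(log_text)
    return [s for i, s in enumerate(sids) if resolver(s, "uid" if i == 0 else "gid") is None]

if __name__ == "__main__":
    for sid in parse_token_sids(SAMPLE_LOG):
        print(f"{sid:48} {describe(sid)}")
    print("SIDs winbind cannot map on this host:", unmapped_sids(SAMPLE_LOG, wbinfo_resolver))
```

Run it on the DC that logged the message (paste the full dump into SAMPLE_LOG or read it from log.samba); an empty list for SID[0] while the message keeps appearing points at a transient idmap result rather than a missing mapping.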
