[Samba] Unable to convert first SID ( user DOMAIN\Administrator )
L.P.H. van Belle
belle at bazuin.nl
Tue Dec 20 13:18:38 UTC 2016
Hai,
! This problem came and is gone again, but it's an interesting thing, that's why I'm putting it on the samba list.
I added times in the message to make it clearer what was done when.
Upgraded samba from 4.4.5-3 to 4.5.3 yesterday.
Time : 10:15 in the morning.
Environment:
DC1 : debian Jessie samba 4.5.3
DC2 : debian Jessie samba 4.5.3
MEMBERs : in general samba 4.5.3 ( few 4.4.5-3 , 4.2.10, 3.6.6 )
Today I rebooted my management PC (Win7 64-bit), and logged in as DOMAIN\Administrator.
This works fine, GPO is applied correctly until I needed to edit my GPO.
Starting GPO editing gives the message: RPC server is not available.
Now I'm unable to browse to \\dc1.domain.tld with Explorer, but I can browse to \\dc2.domain.tld.
DC1 is the DC with the FSMO roles.
I can't edit GPO through both servers atm; sometimes I'm able to connect to dc2, not every attempt.
I noticed the following in the logs. ( DC1 )
[2016/12/20 11:14:04.328604, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID. Conversion was returned as type 0, full token:
[2016/12/20 11:14:04.328687, 0] ../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (14):
SID[ 0]: S-1-5-21-2934682428-1234567789-696969692-500
SID[ 1]: S-1-5-21-2934682428-1234567789-696969692-513
SID[ 2]: S-1-5-21-2934682428-1234567789-696969692-520
SID[ 3]: S-1-5-21-2934682428-1234567789-696969692-572
SID[ 4]: S-1-5-21-2934682428-1234567789-696969692-519
SID[ 5]: S-1-5-21-2934682428-1234567789-696969692-518
SID[ 6]: S-1-5-21-2934682428-1234567789-696969692-512
SID[ 7]: S-1-5-21-2934682428-1234567789-696969692-1399
SID[ 8]: S-1-1-0
SID[ 9]: S-1-5-2
SID[ 10]: S-1-5-11
SID[ 11]: S-1-5-32-544
SID[ 12]: S-1-5-32-545
SID[ 13]: S-1-5-32-554
Privileges (0x 1FFFFFF0):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
Right[ 1]: SeNetworkLogonRight
Right[ 2]: SeRemoteInteractiveLogonRight
Few tests.
Time : 10:45 in the morning. ( yeah, I have more to do.. )
wbinfo --sid-aliases S-1-5-21-2934682428-1234567789-696969692-500
reports nothing
wbinfo --user-sids S-1-5-21-2934682428-1234567789-696969692-500
S-1-5-21-2934682428-1234567789-696969692-500
S-1-5-21-2934682428-1234567789-696969692-513
S-1-5-21-2934682428-1234567789-696969692-520
S-1-5-21-2934682428-1234567789-696969692-1399
S-1-5-21-2934682428-1234567789-696969692-519
S-1-5-21-2934682428-1234567789-696969692-512
S-1-5-21-2934682428-1234567789-696969692-518
S-1-5-21-2934682428-1234567789-696969692-572
S-1-5-32-545
S-1-5-32-544
Time : 13:00 in the midday.
wbinfo --user-sidinfo S-1-5-21-2934682428-1234567789-696969692-500
NTDOM\administrator:*:0:10000::/home/users/administrator:/bin/bash
wbinfo -s S-1-5-21-2934682428-1234567789-696969692-500
NTDOM\Administrator 1
wbinfo -S S-1-5-21-2934682428-1234567789-696969692-500
0
And DC2 logs (* I cleared them all after the upgrade yesterday) 4.4.5 => 4.5.3
The only log message, and it looks OK.
log.smbd
[2016/12/20 08:00:45.047802, 0] ../source3/smbd/smbd_cleanupd.c:172(smbd_cleanupd_process_exited)
smbd_cleanupd_process_exited: got 0 cleanup events, expected at least 1
Time : 13:15 in the midday.
Both database replications tested are without errors.
samba-tool ldapcmp --filter='whenChanged' ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
samba-tool drs showrepl
Time : 13:20 in the midday.
After I noticed the log messages I ran:
samba-tool dbcheck --cross-ncs --fix and that fixed 936 errors out of 910 objects :-/ ?
! The problem still exists after the fix.
The smb.conf of both DCs is the same except for the IP and hostnames.
[global]
workgroup = NTDOM
realm = INTERNAL.REALM
# By default the netbios name is the system hostname.
netbios name = DC1
server role = active directory domain controller
server services = -dns
interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes
time server = yes
## Don't forget to set the idmap_ldb on ALL DC's if you use it
idmap_ldb:use rfc2307 = yes
## Keep this off!!
## This is only used for modifying the AD Schema and only done on the DC with the FSMO Roles.
sdb:schema update allowed = no
winbind nss info = rfc2307
winbind expand groups = 4
template shell = /bin/bash
template homedir = /home/users/%U
# disable printing completely, no error messages in the logs.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# disable usershares creating, when set empty, no error messages in the logs.
usershare path =
# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/dc1.key.pem
tls certfile = /etc/ssl/local/certs/dc1.cert.pem
tls cafile = /etc/ssl/certs/company-ca.pem
# log level = 10
# debug timestamp = yes
[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes
[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
acl_xattr:ignore system acls = yes
I'm only wondering why my Domain Administrator account gives these messages.
I can log in with my “extra” domain admin account and everything works fine.
Besides that, everything else checked so far works fine.
So I'm a bit puzzled here. What happened to the Administrator account, and why only on DC1?
Time : 14:00
Anyone? Any tips?
P.S. time 14:15
Now I did check for a last time, and suddenly everything is working again.
And I didn't touch the samba servers, only logged in with the “domain\Administrator” again.
Very strange.
Or Rowland, tell me what I forgot :-)) ;-)
Greetz,
Louis
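
Added example, not part of the original post: a small parser for the DC log format quoted above that pulls out each "Unable to convert first SID" event, names the returned conversion type, and attaches the token SIDs from the dump that follows it. The function name and the shortened sample log are constructed here, and the id_type names assume the numbering in Samba's idmap.idl.

```python
import re

# Constructed sample: the log excerpts quoted in the post, shortened to three SIDs.
SAMPLE_LOG = """\
[2016/12/20 11:14:04.328604, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID. Conversion was returned as type 0, full token:
[2016/12/20 11:14:04.328687, 0] ../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (14):
SID[ 0]: S-1-5-21-2934682428-1234567789-696969692-500
SID[ 1]: S-1-5-21-2934682428-1234567789-696969692-513
SID[ 11]: S-1-5-32-544
[2016/12/20 08:00:45.047802, 0] ../source3/smbd/smbd_cleanupd.c:172(smbd_cleanupd_process_exited)
"""

# Assumption: idmap id_type numbering as in Samba's idmap.idl.
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID",
            2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\] \S+\((?P<func>\w+)\)")
FAIL = re.compile(r"Unable to convert first SID \((?P<sid>S-[\d-]+)\) in user token "
                  r"to a UID\. Conversion was returned as type (?P<type>\d+)")
TOKEN_SID = re.compile(r"^\s*SID\[\s*\d+\]:\s*(?P<sid>S-[\d-]+)")

def find_sid_failures(text):
    """Return one dict per failed first-SID conversion, with its token SIDs."""
    events, last_ts, current = [], None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            last_ts = header.group("ts")
            # Only the first security_token_debug dump after a failure belongs to it.
            if not (current and header.group("func") == "security_token_debug"
                    and not current["token_sids"]):
                current = None
            continue
        fail = FAIL.search(line)
        if fail:
            sid, code = fail.group("sid"), int(fail.group("type"))
            current = {"time": last_ts, "sid": sid, "rid": int(sid.rsplit("-", 1)[1]),
                       "id_type": ID_TYPES.get(code, f"unknown({code})"), "token_sids": []}
            events.append(current)
        elif current is not None:
            member = TOKEN_SID.match(line)
            if member:
                current["token_sids"].append(member.group("sid"))
    return events

if __name__ == "__main__":
    print(find_sid_failures(SAMPLE_LOG))
```

Run over a real log.samba, the per-event timestamps make it easy to line up failures with the times noted in the message.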