[Samba] Unable to convert first SID ( user DOMAIN\Administrator )

L.P.H. van Belle belle at bazuin.nl
Tue Dec 20 13:37:29 UTC 2016


Ok, I found it.
https://bugzilla.samba.org/show_bug.cgi?id=12410

Now I can relate to this.

Yesterday I had the old idmap config ... in the smb.conf.

Today at around 8:30 I cleaned up my smb.conf to match the 4.5.x defaults on both DCs.

I rebooted the servers after the change, but the problem was still there.

The problem was probably fixed after running: net cache flush
At around 14:10; it only took a few minutes after that before I noticed that it worked.

Sorry for the noise.

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> via samba
> Sent: Tuesday 20 December 2016 14:19
> To: samba at lists.samba.org
> Subject: [Samba] Unable to convert first SID ( user DOMAIN\Administrator
> )
> 
> Hai,
> 
> 
> 
> ! This problem came and is gone again, but it's an interesting thing, that's
> why I'm putting it on the samba list.
> 
> I added times in the message to make it more clear when what was done.
> 
> 
> 
> Upgraded samba from 4.4.5-3 to 4.5.3 yesterday.
> 
> 
> 
> Time : 10:15 in the morning.
> 
> Environment:
> 
> DC1 : debian Jessie samba 4.5.3
> 
> DC2 : debian Jessie samba 4.5.3
> 
> MEMBERS : in general samba 4.5.3 (a few 4.4.5-3, 4.2.10, 3.6.6)
> 
> 
> 
> Today I rebooted my management PC (Win7 64bit), and logged in as
> DOMAIN\Administrator.
> 
> This works fine, GPO is applied correctly until I needed to edit my GPO.
> 
> 
> 
> Starting the GPO editor gives the message: RPC server is not available.
> 
> 
> 
> Now I'm unable to browse to \\dc1.domain.tld with Explorer, but I can browse
> to \\dc2.domain.tld.
> 
> 
> 
> DC1 is the DC with the FSMO roles.
> 
> I can't edit GPO through both servers atm; sometimes I'm able to connect to
> dc2, not every attempt.
> 
> 
> 
> I noticed the following in the logs. (DC1)
> 
> 
> 
> [2016/12/20 11:14:04.328604,  0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID.  Conversion was returned as type 0, full token:
> [2016/12/20 11:14:04.328687,  0] ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (14):
>     SID[  0]: S-1-5-21-2934682428-1234567789-696969692-500
>     SID[  1]: S-1-5-21-2934682428-1234567789-696969692-513
>     SID[  2]: S-1-5-21-2934682428-1234567789-696969692-520
>     SID[  3]: S-1-5-21-2934682428-1234567789-696969692-572
>     SID[  4]: S-1-5-21-2934682428-1234567789-696969692-519
>     SID[  5]: S-1-5-21-2934682428-1234567789-696969692-518
>     SID[  6]: S-1-5-21-2934682428-1234567789-696969692-512
>     SID[  7]: S-1-5-21-2934682428-1234567789-696969692-1399
>     SID[  8]: S-1-1-0
>     SID[  9]: S-1-5-2
>     SID[ 10]: S-1-5-11
>     SID[ 11]: S-1-5-32-544
>     SID[ 12]: S-1-5-32-545
>     SID[ 13]: S-1-5-32-554
>    Privileges (0x        1FFFFFF0):
>     Privilege[  0]: SeMachineAccountPrivilege
>     Privilege[  1]: SeTakeOwnershipPrivilege
>     Privilege[  2]: SeBackupPrivilege
>     Privilege[  3]: SeRestorePrivilege
>     Privilege[  4]: SeRemoteShutdownPrivilege
>     Privilege[  5]: SePrintOperatorPrivilege
>     Privilege[  6]: SeAddUsersPrivilege
>     Privilege[  7]: SeDiskOperatorPrivilege
>     Privilege[  8]: SeSecurityPrivilege
>     Privilege[  9]: SeSystemtimePrivilege
>     Privilege[ 10]: SeShutdownPrivilege
>     Privilege[ 11]: SeDebugPrivilege
>     Privilege[ 12]: SeSystemEnvironmentPrivilege
>     Privilege[ 13]: SeSystemProfilePrivilege
>     Privilege[ 14]: SeProfileSingleProcessPrivilege
>     Privilege[ 15]: SeIncreaseBasePriorityPrivilege
>     Privilege[ 16]: SeLoadDriverPrivilege
>     Privilege[ 17]: SeCreatePagefilePrivilege
>     Privilege[ 18]: SeIncreaseQuotaPrivilege
>     Privilege[ 19]: SeChangeNotifyPrivilege
>     Privilege[ 20]: SeUndockPrivilege
>     Privilege[ 21]: SeManageVolumePrivilege
>     Privilege[ 22]: SeImpersonatePrivilege
>     Privilege[ 23]: SeCreateGlobalPrivilege
>     Privilege[ 24]: SeEnableDelegationPrivilege
>    Rights (0x             403):
>     Right[  0]: SeInteractiveLogonRight
>     Right[  1]: SeNetworkLogonRight
>     Right[  2]: SeRemoteInteractiveLogonRight
> 
> 
> 
> 
> 
> A few tests.
> 
> Time : 10:45 in the morning. (yeah, I have more to do..)
> 
> wbinfo --sid-aliases S-1-5-21-2934682428-1234567789-696969692-500
> reports nothing
> 
> wbinfo --user-sids S-1-5-21-2934682428-1234567789-696969692-500
> S-1-5-21-2934682428-1234567789-696969692-500
> S-1-5-21-2934682428-1234567789-696969692-513
> S-1-5-21-2934682428-1234567789-696969692-520
> S-1-5-21-2934682428-1234567789-696969692-1399
> S-1-5-21-2934682428-1234567789-696969692-519
> S-1-5-21-2934682428-1234567789-696969692-512
> S-1-5-21-2934682428-1234567789-696969692-518
> S-1-5-21-2934682428-1234567789-696969692-572
> S-1-5-32-545
> S-1-5-32-544
> 
> Time : 13:00 midday.
> 
> wbinfo --user-sidinfo S-1-5-21-2934682428-1234567789-696969692-500
> NTDOM\administrator:*:0:10000::/home/users/administrator:/bin/bash
> 
> wbinfo -s S-1-5-21-2934682428-1234567789-696969692-500
> NTDOM\Administrator 1
> 
> wbinfo -S S-1-5-21-2934682428-1234567789-696969692-500
> 0
> 
> 
> 
> And DC2 logs (* I cleared them all after the upgrade yesterday) 4.4.5 =>
> 4.5.3
> 
> The only log message, and it looks ok.
> 
> log.smbd
> 
> [2016/12/20 08:00:45.047802,  0]
> ../source3/smbd/smbd_cleanupd.c:172(smbd_cleanupd_process_exited)
> 
>   smbd_cleanupd_process_exited: got 0 cleanup events, expected at least 1
> 
> 
> 
> Time : 13:15 midday.
> 
> Both database replications tested are without errors.
> 
> samba-tool ldapcmp --filter='whenChanged' ldap://dc1.internal.domain.tld
> ldap://dc2.internal.domain.tld
> 
> samba-tool drs showrepl
> 
> 
> 
> Time : 13:20 midday.
> 
> After I noticed the log messages I ran:
> 
> samba-tool dbcheck --cross-ncs --fix and that fixed 936 errors out of 910
> objects :-/ ?
> 
> 
> 
> ! The problem still exists after the fix.
> 
> 
> 
> smb.conf of both DC's are the same except the IP and hostnames.
> 
> 
> 
> [global]
>         workgroup = NTDOM
>         realm = INTERNAL.REALM
> 
>         # By default the netbios name is the system hostname.
>         netbios name = DC1
> 
>         server role = active directory domain controller
>         server services = -dns
> 
>         interfaces = 192.168.0.1 127.0.0.1
>         bind interfaces only = yes
>         time server = yes
> 
>         ## Don't forget to set the idmap_ldb on ALL DC's if you use it
>         idmap_ldb:use rfc2307 = yes
> 
>         ## Keep this off!!
>         ## This is only used for modifying the AD Schema and only done on the DC with the FSMO Roles.
>         ## (parameter name corrected from "sdb:" to the real "dsdb:" prefix)
>         dsdb:schema update allowed = no
> 
>         winbind nss info = rfc2307
>         winbind expand groups = 4
> 
>         template shell = /bin/bash
>         template homedir = /home/users/%U
> 
>         # disable printing completely, no error messages in the logs.
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 
>         # disable usershares creating, when set empty, no error messages in the logs.
>         usershare path =
> 
>         # Add and Update TLS Key
>         tls enabled = yes
>         tls keyfile = /etc/ssl/local/private/dc1.key.pem
>         tls certfile = /etc/ssl/local/certs/dc1.cert.pem
>         tls cafile = /etc/ssl/certs/company-ca.pem
> 
> #        log level = 10
> #        debug timestamp = yes
> 
> [sysvol]
>         path = /home/samba/sysvol
>         read only = No
>         acl_xattr:ignore system acls = yes
> 
> [netlogon]
>         path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>         read only = No
>         acl_xattr:ignore system acls = yes
> 
> 
> 
> 
> 
> I'm only wondering why my Domain Administrator account gives these
> messages.
> 
> I can login with my "extra" domain admin account; everything works fine.
> 
> Besides that, everything else checked so far works fine.
> 
> 
> 
> So I'm a bit puzzled here. What happened to the Administrator account, and why
> only on DC1?
> 
> 
> 
> Time : 14:00
> 
> Anyone? Any tips?
> 
> 
> 
> P.S. time 14:15
> 
> Now I checked for a last time, and suddenly everything is working again.
> 
> And I didn't touch the samba servers, only logged in with
> "domain\Administrator" again.
> 
> Very strange.
> 
> 
> 
> Or Rowland, tell me what I forgot :-))   ;-)
> 
> 
> 
> 
> 
> Greetz,
> 
> 
> 
> Louis
> 
> 
> 
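An added helper, not from the thread or from Samba itself, that pulls each `security_token_to_unix_token` failure and the token dump logged after it out of smbd log text and labels the failing SID and the token members with their public well-known RID/SID names, so which principal winbind could not map to a UID (here RID 500, Administrator) is visible at a glance. The sample log is constructed from the lines quoted above, with only a few token entries kept and each entry on one line as smbd writes it.

```python
import re

# Patterns for the Samba log lines quoted in the thread: the timestamp header, the
# unix_token.c failure, and the "SID[ n]:" lines of the token dump that follows it.
HDR = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
FAIL = re.compile(r"Unable to convert first SID \((S-1-5-21-[\d-]+?)-(\d+)\) in user token to a UID")
TOKEN_SID = re.compile(r"^\s*SID\[\s*\d+\]:\s*(S-[\d-]+)")
# Public well-known RIDs and SIDs, used only to label what the token contains.
RID_NAMES = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users", 518: "Schema Admins",
             519: "Enterprise Admins", 520: "Group Policy Creator Owners",
             572: "Denied RODC Password Replication Group"}
SID_NAMES = {"S-1-1-0": "Everyone", "S-1-5-2": "NETWORK", "S-1-5-11": "Authenticated Users",
             "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
             "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access"}

def label(sid, domain_sid):
    # Name a SID relative to the failing user's own domain SID.
    if sid in SID_NAMES:
        return SID_NAMES[sid]
    if sid.startswith(domain_sid + "-"):
        rid = int(sid.rsplit("-", 1)[1])
        return RID_NAMES.get(rid, f"domain RID {rid}")
    return "unknown"

def find_uid_mapping_failures(log_text):
    """One record per 'Unable to convert first SID' event, with the token SIDs dumped after it."""
    events, current, ts = [], None, None
    for line in log_text.splitlines():
        if (m := HDR.match(line)):
            ts = m.group(1)            # remembered for the failure line that follows
        elif (m := FAIL.search(line)):
            current = {"time": ts, "sid": f"{m.group(1)}-{m.group(2)}",
                       "domain_sid": m.group(1), "rid": int(m.group(2)), "token": []}
            events.append(current)
        elif current is not None and (m := TOKEN_SID.match(line)):
            current["token"].append(m.group(1))
    for e in events:
        e["name"] = label(e["sid"], e["domain_sid"])
        e["token_names"] = [label(s, e["domain_sid"]) for s in e["token"]]
    return events

# Constructed sample, trimmed from the log block quoted in the thread.
SAMPLE_LOG = """\
[2016/12/20 11:14:04.328604,  0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID.  Conversion was returned as type 0, full token:
[2016/12/20 11:14:04.328687,  0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (14):
    SID[  0]: S-1-5-21-2934682428-1234567789-696969692-500
    SID[  1]: S-1-5-21-2934682428-1234567789-696969692-513
    SID[  8]: S-1-1-0
    SID[ 11]: S-1-5-32-544
"""
```

Run `find_uid_mapping_failures(SAMPLE_LOG)` against a real `log.samba` to list every failed SID-to-UID conversion with its timestamp and token membership; a repeat for the same SID after `net cache flush` means the cause is not a stale winbind cache entry.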



