[Samba] Unable to convert first SID ( user DOMAIN\Administrator )
Rowland Penny
rpenny at samba.org
Tue Dec 20 13:43:44 UTC 2016
On Tue, 20 Dec 2016 14:18:38 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai,
>
>
>
> ! This problem came and is gone again, but it's an interesting thing,
> that's why I'm putting it on the Samba list.
>
> I added time in the message to make more clear when what is done.
>
>
>
> Upgrade samba from 4.4.5-3 to 4.5.3 yesterday.
>
>
>
> Time : 10:15 in the morning.
>
> Environment:
>
> DC1 : debian Jessie samba 4.5.3
>
> DC2 : debian Jessie samba 4.5.3
>
> MEMBERs : in general samba 4.5.3 ( few 4.4.5-3 , 4.2.10, 3.6.6 )
>
>
>
> Today I rebooted my management PC (Win7 64-bit), and logged in as
> DOMAIN\Administrator.
>
> This works fine, GPO is applied correctly until I needed to edit my
> GPO.
>
>
>
> Starting GPO editing gives the message: RPC server is not available.
>
>
>
> Now I'm unable to browse to \\dc1.domain.tld with Explorer but I can
> browse to \\dc2.domain.tld.
>
>
>
> DC1 is the DC with the FSMO roles.
>
> I can't edit GPO through both servers atm, sometimes I'm able to
> connect to dc2, not every attempt.
>
>
>
> I noticed the following in the logs. ( DC1 )
>
>
>
> [2016/12/20 11:14:04.328604,
> 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>
> Unable to convert first SID
> (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a
> UID. Conversion was returned as type 0, full token:
>
> [2016/12/20 11:14:04.328687,
> 0] ../libcli/security/security_token.c:63(security_token_debug)
>
> Security token SIDs (14):
>
> SID[ 0]: S-1-5-21-2934682428-1234567789-696969692-500
>
> SID[ 1]: S-1-5-21-2934682428-1234567789-696969692-513
>
> SID[ 2]: S-1-5-21-2934682428-1234567789-696969692-520
>
> SID[ 3]: S-1-5-21-2934682428-1234567789-696969692-572
>
> SID[ 4]: S-1-5-21-2934682428-1234567789-696969692-519
>
> SID[ 5]: S-1-5-21-2934682428-1234567789-696969692-518
>
> SID[ 6]: S-1-5-21-2934682428-1234567789-696969692-512
>
> SID[ 7]: S-1-5-21-2934682428-1234567789-696969692-1399
>
> SID[ 8]: S-1-1-0
>
> SID[ 9]: S-1-5-2
>
> SID[ 10]: S-1-5-11
>
> SID[ 11]: S-1-5-32-544
>
> SID[ 12]: S-1-5-32-545
>
> SID[ 13]: S-1-5-32-554
>
> Privileges (0x 1FFFFFF0):
>
> Privilege[ 0]: SeMachineAccountPrivilege
>
> Privilege[ 1]: SeTakeOwnershipPrivilege
>
> Privilege[ 2]: SeBackupPrivilege
>
> Privilege[ 3]: SeRestorePrivilege
>
> Privilege[ 4]: SeRemoteShutdownPrivilege
>
> Privilege[ 5]: SePrintOperatorPrivilege
>
> Privilege[ 6]: SeAddUsersPrivilege
>
> Privilege[ 7]: SeDiskOperatorPrivilege
>
> Privilege[ 8]: SeSecurityPrivilege
>
> Privilege[ 9]: SeSystemtimePrivilege
>
> Privilege[ 10]: SeShutdownPrivilege
>
> Privilege[ 11]: SeDebugPrivilege
>
> Privilege[ 12]: SeSystemEnvironmentPrivilege
>
> Privilege[ 13]: SeSystemProfilePrivilege
>
> Privilege[ 14]: SeProfileSingleProcessPrivilege
>
> Privilege[ 15]: SeIncreaseBasePriorityPrivilege
>
> Privilege[ 16]: SeLoadDriverPrivilege
>
> Privilege[ 17]: SeCreatePagefilePrivilege
>
> Privilege[ 18]: SeIncreaseQuotaPrivilege
>
> Privilege[ 19]: SeChangeNotifyPrivilege
>
> Privilege[ 20]: SeUndockPrivilege
>
> Privilege[ 21]: SeManageVolumePrivilege
>
> Privilege[ 22]: SeImpersonatePrivilege
>
> Privilege[ 23]: SeCreateGlobalPrivilege
>
> Privilege[ 24]: SeEnableDelegationPrivilege
>
> Rights (0x 403):
>
> Right[ 0]: SeInteractiveLogonRight
>
> Right[ 1]: SeNetworkLogonRight
>
> Right[ 2]: SeRemoteInteractiveLogonRight
>
>
>
>
>
> Few tests.
>
> Time : 10:45 in the morning. ( yeah i have more todo.. )
>
> wbinfo --sid-aliases S-1-5-21-2934682428-1234567789-696969692-500
>
> reports nothing
>
>
>
> wbinfo --user-sids S-1-5-21-2934682428-1234567789-696969692-500
>
> S-1-5-21-2934682428-1234567789-696969692-500
>
> S-1-5-21-2934682428-1234567789-696969692-513
>
> S-1-5-21-2934682428-1234567789-696969692-520
>
> S-1-5-21-2934682428-1234567789-696969692-1399
>
> S-1-5-21-2934682428-1234567789-696969692-519
>
> S-1-5-21-2934682428-1234567789-696969692-512
>
> S-1-5-21-2934682428-1234567789-696969692-518
>
> S-1-5-21-2934682428-1234567789-696969692-572
>
> S-1-5-32-545
>
> S-1-5-32-544
>
>
>
> Time : 13:00 in the midday.
>
> wbinfo --user-sidinfo S-1-5-21-2934682428-1234567789-696969692-500
>
> NTDOM\administrator:*:0:10000::/home/users/administrator:/bin/bash
>
>
>
> wbinfo -s S-1-5-21-2934682428-1234567789-696969692-500
>
> NTDOM\Administrator 1
>
>
>
> wbinfo -S S-1-5-21-2934682428-1234567789-696969692-500
>
> 0
>
>
>
> And DC2 logs (* i cleared them all after the upgrade yesterday)
> 4.4.5 => 4.5.3
>
> The only log message and looks ok.
>
> log.smbd
>
> [2016/12/20 08:00:45.047802,
> 0] ../source3/smbd/smbd_cleanupd.c:172(smbd_cleanupd_process_exited)
>
> smbd_cleanupd_process_exited: got 0 cleanup events, expected at
> least 1
>
>
>
> Time : 13:15 in the midday.
>
> Both database replications tested are without errors.
>
> samba-tool ldapcmp --filter='whenChanged'
> ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
>
> samba-tool drs showrepl
>
>
>
> Time : 13:20 in the midday.
>
> After I noticed the log messages I ran:
>
> samba-tool dbcheck --cross-ncs --fix and that fixed 936 errors out of
> 910 objects :-/ ?
>
>
>
> ! The problem still exists after the fix.
>
>
>
> The smb.conf of both DCs is the same except for the IP and hostnames.
>
>
>
> [global]
>
> workgroup = NTDOM
>
> realm = INTERNAL.REALM
>
>
>
> # By default the netbios name is the system hostname.
>
> netbios name = DC1
>
>
>
> server role = active directory domain controller
>
> server services = -dns
>
>
>
> interfaces = 192.168.0.1 127.0.0.1
>
> bind interfaces only = yes
>
> time server = yes
>
>
>
> ## Dont forget to set the idmap_ldb on ALL DC's if you use it
>
> idmap_ldb:use rfc2307 = yes
>
>
>
> ## Keep this off!!
>
> ## This is only used for modify-ing the AD Schema and only
> done on the DC with the FSMO Roles.
>
> sdb:schema update allowed = no
>
>
>
> winbind nss info = rfc2307
>
> winbind expand groups = 4
>
>
>
> template shell = /bin/bash
>
> template homedir = /home/users/%U
>
>
>
> # disable printing completely, no error messages in the logs.
>
> load printers = no
>
> printing = bsd
>
> printcap name = /dev/null
>
> disable spoolss = yes
>
>
>
> # disable usershares creating, when set empty, no error
> messages in the logs.
>
> usershare path =
>
>
>
> # Add and Update TLS Key
>
> tls enabled = yes
>
> tls keyfile = /etc/ssl/local/private/dc1.key.pem
>
> tls certfile = /etc/ssl/local/certs/dc1.cert.pem
>
> tls cafile = /etc/ssl/certs/company-ca.pem
>
>
>
> # log level = 10
>
> # debug timestamp = yes
>
>
>
> [sysvol]
>
> path = /home/samba/sysvol
>
> read only = No
>
> acl_xattr:ignore system acls = yes
>
>
>
> [netlogon]
>
> path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
>
> read only = No
>
> acl_xattr:ignore system acls = yes
>
>
>
>
>
> I'm only wondering why my Domain Administrator account gives these
> messages.
>
> I can log in with my “extra” domain admin account and everything works
> fine.
>
> Besides that, everything else checked so far works fine.
>
>
>
> So I'm a bit puzzled here. What happened to the Administrator account,
> and why only on DC1?
>
>
>
> Time : 14:00
>
> Anyone? Any tips?
>
>
>
> P.S. time 14:15
>
> Now I did check for a last time, and suddenly everything is working
> again.
>
> And I didn't touch the Samba servers, only logged in with the
> “domain\Administrator” again.
>
> Very strange.
>
>
>
> Or Rowland, tell me what I forgot :-)) ;-)
>
net cache flush ???
It looks like something got refreshed and so everything is now
working correctly.
Could be something similar to this bug:
https://bugzilla.samba.org/show_bug.cgi?id=12410
Rowland
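
An added example, not part of the original thread and not Samba code: a small Python parser that pulls the "Unable to convert first SID" failures quoted above out of a Samba log and counts them per SID, which helps tell one affected account from a wider idmap problem. The sample log is constructed from the lines in the post (unwrapped to the on-disk layout), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in log.samba layout, using the SID quoted in the post.
SAMPLE_LOG = """\
[2016/12/20 11:14:04.328604,  0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID.  Conversion was returned as type 0, full token:
[2016/12/20 11:14:04.328687,  0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (14):
    SID[  0]: S-1-5-21-2934682428-1234567789-696969692-500
    SID[  1]: S-1-5-21-2934682428-1234567789-696969692-513
[2016/12/20 11:20:10.000001,  0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2934682428-1234567789-696969692-500) in user token to a UID.  Conversion was returned as type 0, full token:
"""

# Record header: [timestamp, level] source-file:line(function)
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]"
                    r"\s+\S+\((?P<func>\w+)\)\s*$")
FAILURE = re.compile(r"Unable to convert first SID\s+\((?P<sid>S-[\d-]+)\)\s+in user token"
                     r"\s+to a\s+UID\.\s+Conversion was returned as type\s+(?P<type>\d+)")

def records(text):
    """Group a Samba log into [timestamp, function, message] records."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = [m["ts"], m["func"], ""]
        elif current is not None:
            # Continuation lines are joined, so wrapped messages still match.
            current[2] += " " + line.strip()
    if current:
        yield current

def sid_failures(text):
    """Return one dict per failed first-SID to UID conversion."""
    out = []
    for ts, func, msg in records(text):
        m = FAILURE.search(msg) if func == "security_token_to_unix_token" else None
        if m:
            domain_sid, _, rid = m["sid"].rpartition("-")
            out.append({"time": ts, "sid": m["sid"], "domain": domain_sid,
                        "rid": int(rid), "type": int(m["type"])})
    return out

def summarize(text):
    """Count failures per SID across the whole log."""
    return Counter(f["sid"] for f in sid_failures(text))
```
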