[Samba] NT_STATUS_INVALID_SID in a SDC

Rowland Penny rpenny at samba.org
Tue May 10 18:31:21 UTC 2016


On 10/05/16 18:22, Kasandra Padisha wrote:
>
> Hi All
>
> I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have 
> backported Samba 4.3.18 and it is working well.

Hi, where did you get 4.3.18 from? Or do you mean 4.3.8? If so, try 
again with 4.3.9; this has some updates for regressions that 4.3.8 
introduced.

Oh and a 'PDC' is something else entirely, you have a 'DC' :-)

>
> I have installed a SDC (if I may use that name) 

No, you cannot :-D
It is just another DC :-)

Rowland
> on a different network, the same version of Samba but on a Debian 
> Jessie on AMD64. I followed every instruction in 
> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory. 
> So every test worked fine.
>
> But now when I try to log in, to view a share or to join the domain, I 
> get NT_STATUS_INVALID_SID or "The security id structure is invalid".
> Not only with the administrator but with any user.
>
>    root@parmenides2:~# smbclient -L localhost -UAdministrator
>    Enter Administrator's password:
>    session setup failed: NT_STATUS_INVALID_SID
>
> I am really out of arguments
>
>
> What I have already done:
>
> 1. The mirror is OK
>
> #> samba-tool drs showrepl
>
> Is OK
>
> #> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator 
> --filter=whenChanged
>
> I have run this from both PDCs and get SUCCESS
>
>
> 2. I have read all similar messages
>
> I have found some similar cases but none with a solution. And I have 
> read ALL literally
>
>
> 3. My smb.conf
>
> I have installed my main controller following 
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller 
> and it was generated automatically. I added "idmap_ldb:use" and "log 
> level"
>
>
> # Global parameters
> [global]
>         workgroup = EXAMPLE-W10
>         realm = EXAMPLE.COM
>         netbios name = DC1
>         server role = active directory domain controller
>         dns forwarder = 192.168.10.7
>         idmap_ldb:use rfc2307 = yes
>         log level = 1
>
> [netlogon]
>         path = /var/lib/samba/sysvol/example.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> On DC2 the netbios name and dns forwarder change, but everything 
> else is the same.
>
>
>
> 4.  ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>
> dn: CN=Administrator,CN=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20160505021322.0Z
> uSNCreated: 3223
> name: Administrator
> objectGUID: 8426ff4b-4bc4-43da-8de2-bc5808544933
> codePage: 0
> countryCode: 0
> pwdLastSet: 131068880020000000
> primaryGroupID: 513
> objectSid: S-1-5-21-508106755-2976483754-4106360514-500
> adminCount: 1
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> isCriticalSystemObject: TRUE
> lastLogonTimestamp: 131068882546671530
> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
> memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
> accountExpires: 0
> whenChanged: 20160510132605.0Z
> uSNChanged: 3721
> userAccountControl: 66048
> lastLogon: 131073689683266740
> distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
>
>
> 5. ldbsearch -H /var/lib/samba/private/sam.ldb DC=example | grep 
> objectSid
>
> objectSid: S-1-5-21-508106755-2976483754-4106360514
>
>
> I appreciate any help
>
> Cheers
>
> Kasandra
>



