[Samba] NT_STATUS_INVALID_SID in a SDC

Kasandra Padisha kasandrapadisha at hotmail.com
Tue May 10 19:36:26 UTC 2016


Hi

Thanks for your answer

1. Sorry, it was a typo: the version is samba_4.3.8+dfsg-1~bpo80+1.
I backported it from stretch to jessie as I want to keep my Debian 
environment clean.
I do not fancy compiling it from source. I am a bit old-fashioned :-) :-) :-)

2. I use PDC and SDC as legacy terms from previous versions. I understand why 
they are outdated but actually, even in Samba 4, it is kind of true: DC2 
knows who DC1 is all the time and there is big trouble when DC1 is 
broken: DC2 gets kind of orphaned.

#> samba-tool fsmo show

SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

Nice topic, but it does not help me.


3. Are there any other suggestions apart from updating? I already have a 
working installation on DC1, so I do not think an upgrade would be a solution.


I would appreciate a lead to follow in order to solve this little problem.

Cheers


On 10/05/16 at 13:31, Rowland Penny wrote:
> On 10/05/16 18:22, Kasandra Padisha wrote:
>>
>> Hi All
>>
>> I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have 
>> backported Samba 4.3.18 and it is working well.
>
> Hi, where did you get 4.3.18 from ??? or do you mean 4.3.8, if so, try 
> again with 4.3.9, this has some updates for regressions that 4.3.8 
> introduced.
>
> Oh and a 'PDC' is something else entirely, you have a 'DC' :-)
>
>>
>> I have installed an SDC (if I may use that name) 
>
> No, you cannot :-D
> It is just another DC :-)
>
> Rowland
>> on a different network, the same version of Samba but on a Debian 
>> Jessie on AMD64. I followed every instruction in 
>> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory. 
>> So every test worked fine.
>>
>> But now when I try to log in, to view a share or to join the domain I 
>> get NT_STATUS_INVALID_SID or "The security ID structure is invalid".
>> Not only with the Administrator but with any user.
>>
>>    root at parmenides2:~# smbclient -L localhost -UAdministrator
>>    Enter Administrator's password:
>>    session setup failed: NT_STATUS_INVALID_SID
>>
>> I am really out of arguments
>>
>>
>> What I have already done:
>>
>> 1. The mirror is OK
>>
>> #> samba-tool drs showrepl
>>
>> Is OK
>>
>> #> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=whenChanged
>>
>> I have run this from both PDCs and got SUCCESS
>>
>>
>> 2. I have read all similar messages
>>
>> I have found some similar cases but none with a solution. And I have 
>> read them ALL, literally.
>>
>>
>> 3. My smb.conf
>>
>> I installed my main controller following 
>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller 
>> and the smb.conf was generated automatically. I added "idmap_ldb:use" and "log 
>> level".
>>
>>
>> # Global parameters
>> [global]
>>         workgroup = EXAMPLE-W10
>>         realm = EXAMPLE.COM
>>         netbios name = DC1
>>         server role = active directory domain controller
>>         dns forwarder = 192.168.10.7
>>         idmap_ldb:use rfc2307 = yes
>>         log level = 1
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.com/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>>
>> On DC2 the netbios name and dns forwarder change, but everything 
>> else is the same.
>>
>>
>>
>> 4.  ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>
>> dn: CN=Administrator,CN=Users,DC=example,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Administrator
>> description: Built-in account for administering the computer/domain
>> instanceType: 4
>> whenCreated: 20160505021322.0Z
>> uSNCreated: 3223
>> name: Administrator
>> objectGUID: 8426ff4b-4bc4-43da-8de2-bc5808544933
>> codePage: 0
>> countryCode: 0
>> pwdLastSet: 131068880020000000
>> primaryGroupID: 513
>> objectSid: S-1-5-21-508106755-2976483754-4106360514-500
>> adminCount: 1
>> sAMAccountName: Administrator
>> sAMAccountType: 805306368
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>> isCriticalSystemObject: TRUE
>> lastLogonTimestamp: 131068882546671530
>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
>> memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
>> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
>> memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
>> memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
>> accountExpires: 0
>> whenChanged: 20160510132605.0Z
>> uSNChanged: 3721
>> userAccountControl: 66048
>> lastLogon: 131073689683266740
>> distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
>>
>>
>> 5. ldbsearch -H /var/lib/samba/private/sam.ldb DC=example | grep objectSid
>>
>> objectSid: S-1-5-21-508106755-2976483754-4106360514
>>
>>
>> I appreciate any help
>>
>> Cheers
>>
>> Kasandra
>>
>
>
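
The checks in the original post (ldapcmp between DC1 and DC2, and ldbsearch for the domain and account objectSid values) can be repeated offline once the objectSid attributes have been dumped from each DC. The script below is an added example written for this page; it is not the poster's code and not part of Samba. It assumes each DC's dump was produced with something like `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=*)' dn objectSid` and saved to a file; the two sample dumps embedded here are constructed (they reuse the domain and Administrator SIDs shown in the post, and DC2's copy is deliberately given a SID outside the domain so the report has something to flag). It validates that every SID is well formed (revision 1, 1 to 15 sub-authorities, 32-bit sub-authority values), that every S-1-5-21-... account SID is `<domain SID>-<RID>`, and that both DCs agree on every object's SID.

```python
"""Offline objectSid consistency check for two Samba DC dumps (added example)."""
import re

# SDDL string form: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r'^S-1-(\d+)((?:-\d+)+)$')

# Constructed sample dumps in the format ldbsearch prints (hypothetical, not
# real server output). DC1 is consistent; DC2's Administrator SID is out of
# the domain on purpose so that the checks below have something to report.
DC1_DUMP = """\
# record 1
dn: DC=example,DC=com
objectSid: S-1-5-21-508106755-2976483754-4106360514

# record 2
dn: CN=Administrator,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-508106755-2976483754-4106360514-500

# record 3
dn: CN=Administrators,CN=Builtin,DC=example,DC=com
objectSid: S-1-5-32-544

# returned 3 records
"""

DC2_DUMP = DC1_DUMP.replace(
    "S-1-5-21-508106755-2976483754-4106360514-500",
    "S-1-5-21-508106755-2976483754-4106360515-500")

DOMAIN_DN = "DC=example,DC=com"


def parse_sid(sid):
    """Return (identifier_authority, [sub-authorities]); ValueError if malformed."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % sid)
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split('-')[1:]]
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID %r has %d sub-authorities, expected 1..15" % (sid, len(subs)))
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority value out of 32-bit range in %r" % sid)
    return authority, subs


def parse_ldif(text):
    """Map dn -> objectSid string from ldbsearch/LDIF output."""
    entries = {}
    dn = None
    # LDIF folds long values onto continuation lines that start with one space
    for line in re.sub(r'\n ', '', text).splitlines():
        if not line.strip():
            dn = None                      # blank line ends the record
        elif line.startswith('dn: '):
            dn = line[4:].strip()
        elif line.startswith('objectSid: ') and dn is not None:
            entries[dn] = line[len('objectSid: '):].strip()
    return entries


def check_dump(entries, domain_dn):
    """List problems: malformed SIDs, or domain (S-1-5-21) SIDs that are not
    <domain SID>-<RID>. Well-known SIDs such as S-1-5-32-544 are skipped."""
    problems = []
    domain_sid = entries.get(domain_dn)
    if domain_sid is None:
        return ["domain object %s has no objectSid" % domain_dn]
    try:
        _, dom_subs = parse_sid(domain_sid)
    except ValueError as e:
        return [str(e)]
    for dn, sid in entries.items():
        if dn == domain_dn:
            continue
        try:
            auth, subs = parse_sid(sid)
        except ValueError as e:
            problems.append(str(e))
            continue
        if auth == 5 and subs[:1] == [21] and subs[:-1] != dom_subs:
            problems.append("%s: %s is not in domain %s" % (dn, sid, domain_sid))
    return problems


def compare_dumps(a, b):
    """Return {dn: (sid_on_a, sid_on_b)} for objects whose SID differs or is
    missing on one side; an empty dict means both DCs agree."""
    return {dn: (a.get(dn), b.get(dn))
            for dn in sorted(set(a) | set(b)) if a.get(dn) != b.get(dn)}


if __name__ == "__main__":
    dc1, dc2 = parse_ldif(DC1_DUMP), parse_ldif(DC2_DUMP)
    for name, entries in (("DC1", dc1), ("DC2", dc2)):
        print(name, "problems:", check_dump(entries, DOMAIN_DN) or "none")
    print("differences:", compare_dumps(dc1, dc2) or "none")
```

To use it on real servers, save the ldbsearch output of each DC to a file, read the two files in place of the constructed strings, and set DOMAIN_DN to the domain's base DN. A clean report only says that sam.ldb agrees on both DCs and that the SIDs are structurally valid; it says nothing about idmap.ldb or secrets.ldb, which this check does not read.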



