[Samba] NT_STATUS_INVALID_SID in a SDC

Kasandra Padisha kasandrapadisha at hotmail.com
Wed May 11 14:03:59 UTC 2016 

Hi

More info:  The log.smbd shows the following lines when tryied to login 
as Administrator

----------------------------------------------------------------------------------------------------------------
[2016/05/11 08:09:36.411968,  2] 
../source3/param/loadparm.c:2686(lp_do_section)
   Processing section "[netlogon]"
[2016/05/11 08:09:36.412108,  2] 
../source3/param/loadparm.c:2686(lp_do_section)
   Processing section "[sysvol]"
[2016/05/11 08:09:36.412743,  2] 
../source3/lib/interface.c:341(add_interface)
   added interface eth0 ip=192.168.0.18 bcast=192.168.0.255 
netmask=255.255.255.0
[2016/05/11 08:09:36.418379,  2] 
../lib/util/modules.c:196(do_smb_load_module)
   Module 'samba4' loaded
[2016/05/11 08:09:36.444927,  0] 
../source4/auth/unix_token.c:93(security_token_to_unix_token)
   Unable to convert second SID 
(S-1-5-21-508106755-2976483754-4106360514-513) in user token to a GID.  
Conversion was returned as type 0, full token:
[2016/05/11 08:09:36.445462,  0] 
../libcli/security/security_token.c:63(security_token_debug)
   Security token SIDs (13):
     SID[  0]: S-1-5-21-508106755-2976483754-4106360514-500
     SID[  1]: S-1-5-21-508106755-2976483754-4106360514-513
     SID[  2]: S-1-5-21-508106755-2976483754-4106360514-512
     SID[  3]: S-1-5-21-508106755-2976483754-4106360514-572
     SID[  4]: S-1-5-21-508106755-2976483754-4106360514-520
     SID[  5]: S-1-5-21-508106755-2976483754-4106360514-519
     SID[  6]: S-1-5-21-508106755-2976483754-4106360514-518
     SID[  7]: S-1-1-0
     SID[  8]: S-1-5-2
     SID[  9]: S-1-5-11
     SID[ 10]: S-1-5-32-544
     SID[ 11]: S-1-5-32-545
     SID[ 12]: S-1-5-32-554
    Privileges (0x        1FFFFF00):
     Privilege[  0]: SeTakeOwnershipPrivilege
     Privilege[  1]: SeBackupPrivilege
     Privilege[  2]: SeRestorePrivilege
     Privilege[  3]: SeRemoteShutdownPrivilege
     Privilege[  4]: SeSecurityPrivilege
     Privilege[  5]: SeSystemtimePrivilege
     Privilege[  6]: SeShutdownPrivilege
     Privilege[  7]: SeDebugPrivilege
     Privilege[  8]: SeSystemEnvironmentPrivilege
     Privilege[  9]: SeSystemProfilePrivilege
     Privilege[ 10]: SeProfileSingleProcessPrivilege
     Privilege[ 11]: SeIncreaseBasePriorityPrivilege
     Privilege[ 12]: SeLoadDriverPrivilege
     Privilege[ 13]: SeCreatePagefilePrivilege
     Privilege[ 14]: SeIncreaseQuotaPrivilege
     Privilege[ 15]: SeChangeNotifyPrivilege
     Privilege[ 16]: SeUndockPrivilege
     Privilege[ 17]: SeManageVolumePrivilege
     Privilege[ 18]: SeImpersonatePrivilege
     Privilege[ 19]: SeCreateGlobalPrivilege
     Privilege[ 20]: SeEnableDelegationPrivilege
    Rights (0x             403):
     Right[  0]: SeInteractiveLogonRight
     Right[  1]: SeNetworkLogonRight
     Right[  2]: SeRemoteInteractiveLogonRight
[2016/05/11 08:09:36.450569,  1] 
../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
   Failed to generate session_info (user and group token) for session 
setup: NT_STATUS_INVALID_SID

----------------------------------------------------------------------------------------------------------------

Or when tryied to login as a common user
----------------------------------------------------------------------------------------------------------------
[2016/05/11 08:15:44.784439,  2] 
../source3/param/loadparm.c:2686(lp_do_section)
   Processing section "[netlogon]"
[2016/05/11 08:15:44.784710,  2] 
../source3/param/loadparm.c:2686(lp_do_section)
   Processing section "[sysvol]"
[2016/05/11 08:15:44.785399,  2] 
../source3/lib/interface.c:341(add_interface)
   added interface eth0 ip=192.168.0.18 bcast=192.168.0.255 
netmask=255.255.255.0
[2016/05/11 08:15:44.790623,  2] 
../lib/util/modules.c:196(do_smb_load_module)
   Module 'samba4' loaded
[2016/05/11 08:15:44.812343,  0] 
../source4/auth/unix_token.c:79(security_token_to_unix_token)
   Unable to convert first SID 
(S-1-5-21-508106755-2976483754-4106360514-1188) in user token to a UID.  
Conversion was returned as type 0, full token:
[2016/05/11 08:15:44.812690,  0] 
../libcli/security/security_token.c:63(security_token_debug)
   Security token SIDs (7):
     SID[  0]: S-1-5-21-508106755-2976483754-4106360514-1188
     SID[  1]: S-1-5-21-508106755-2976483754-4106360514-513
     SID[  2]: S-1-1-0
     SID[  3]: S-1-5-2
     SID[  4]: S-1-5-11
     SID[  5]: S-1-5-32-545
     SID[  6]: S-1-5-32-554
    Privileges (0x          800000):
     Privilege[  0]: SeChangeNotifyPrivilege
    Rights (0x             400):
     Right[  0]: SeRemoteInteractiveLogonRight
[2016/05/11 08:15:44.814382,  1] 
../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
   Failed to generate session_info (user and group token) for session 
setup: NT_STATUS_INVALID_SID
[2016/05/11 08:16:53.830440,  2] 
../source3/smbd/server.c:467(remove_child_pid)
   Could not find child 20805 -- ignoring

----------------------------------------------------------------------------------------------------------------

Something similar was solved on 4.2 
https://bugzilla.samba.org/show_bug.cgi?id=10720


Cheers

Kasandra


El 11/05/16 a las 07:12, Kasandra Padisha escribió:
>
> Hi
>
> Upgrading without  knowing whats the problem  I feel a bit like with 
> Windows or lots of comercial software: "The next version will solve 
> all your problems" and we all know that's never true.
>
> I appreciate any help.
>
> Cheers
>
>
> -------- Mensaje reenviado --------
> Asunto:     NT_STATUS_INVALID_SID in a SDC
> Fecha:     Tue, 10 May 2016 12:22:25 -0500
> De:     Kasandra Padisha <kasandrapadisha at hotmail.com>
> Para:     samba at lists.samba.org
>
>
>
> Hi All
>
> I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have
> backported Samba 4.3.18 and is working well.
>
> I have installed a SDC (if I may use that name) on a different network,
> the same version of Samba but on a Debian Jessie on AMD64. I followed
> every instruction in
> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory. 
>
> So every test worked fine.
>
> But now when i try to login, to view a share or to join the domain I get
> NT_STATUS_INVALID_SID or " The security id structure is invalid".
> Not only with the administrator but with any user.
>
>    root at parmenides2:~# smbclient -L localhost -UAdministrator
>    Enter Administrator's password:
>    session setup failed: NT_STATUS_INVALID_SID
>
> I am really out of arguments
>
>
> What I have already done:
>
> 1. The mirror is OK
>
> #> samba-tool drs showrepl
>
> Is OK
>
> #> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
> --filter=whenChanged
>
> I have ran this from both PDCs and get SUCCESS
>
>
> 2. I have read all similar messages
>
> I have found some similar cases but none with a solution. And I have
> read ALL literally
>
>
> 3. My smb.conf
>
> I have installed my main controller following
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller 
>
> and it was generated automatically. I added "idmap_ldb:use" and "log 
> level"
>
>
> # Global parameters
> [global]
>         workgroup = EXAMPLE-W10
>         realm = EXAMPLE.COM
>         netbios name = DC1
>         server role = active directory domain controller
>         dns forwarder = 192.168.10.7
>         idmap_ldb:use rfc2307 = yes
>         log level = 1
>
> [netlogon]
>         path = /var/lib/samba/sysvol/example.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> On DC2 changes the netbios name and dns forwarder .. but everything else
> is the same.
>
>
>
> 4.  ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>
> dn: CN=Administrator,CN=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20160505021322.0Z
> uSNCreated: 3223
> name: Administrator
> objectGUID: 8426ff4b-4bc4-43da-8de2-bc5808544933
> codePage: 0
> countryCode: 0
> pwdLastSet: 131068880020000000
> primaryGroupID: 513
> objectSid: S-1-5-21-508106755-2976483754-4106360514-500
> adminCount: 1
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> isCriticalSystemObject: TRUE
> lastLogonTimestamp: 131068882546671530
> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
> memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
> accountExpires: 0
> whenChanged: 20160510132605.0Z
> uSNChanged: 3721
> userAccountControl: 66048
> lastLogon: 131073689683266740
> distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
>
>
> 5. ldbsearch -H /var/lib/samba/private/sam.ldb DC=example | grep 
> objectSid
>
> objectSid: S-1-5-21-508106755-2976483754-4106360514
>
>
> I appreciate any help
>
> Cheers
>
> Kasandra
>
>
>

More information about the samba mailing list