[Samba] NT_STATUS_INVALID_SID in a SDC
Kasandra Padisha
kasandrapadisha at hotmail.com
Wed May 11 14:03:59 UTC 2016
Hi
More info: The log.smbd shows the following lines when I tried to log in
as Administrator
----------------------------------------------------------------------------------------------------------------
[2016/05/11 08:09:36.411968, 2]
../source3/param/loadparm.c:2686(lp_do_section)
Processing section "[netlogon]"
[2016/05/11 08:09:36.412108, 2]
../source3/param/loadparm.c:2686(lp_do_section)
Processing section "[sysvol]"
[2016/05/11 08:09:36.412743, 2]
../source3/lib/interface.c:341(add_interface)
added interface eth0 ip=192.168.0.18 bcast=192.168.0.255
netmask=255.255.255.0
[2016/05/11 08:09:36.418379, 2]
../lib/util/modules.c:196(do_smb_load_module)
Module 'samba4' loaded
[2016/05/11 08:09:36.444927, 0]
../source4/auth/unix_token.c:93(security_token_to_unix_token)
Unable to convert second SID
(S-1-5-21-508106755-2976483754-4106360514-513) in user token to a GID.
Conversion was returned as type 0, full token:
[2016/05/11 08:09:36.445462, 0]
../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (13):
SID[ 0]: S-1-5-21-508106755-2976483754-4106360514-500
SID[ 1]: S-1-5-21-508106755-2976483754-4106360514-513
SID[ 2]: S-1-5-21-508106755-2976483754-4106360514-512
SID[ 3]: S-1-5-21-508106755-2976483754-4106360514-572
SID[ 4]: S-1-5-21-508106755-2976483754-4106360514-520
SID[ 5]: S-1-5-21-508106755-2976483754-4106360514-519
SID[ 6]: S-1-5-21-508106755-2976483754-4106360514-518
SID[ 7]: S-1-1-0
SID[ 8]: S-1-5-2
SID[ 9]: S-1-5-11
SID[ 10]: S-1-5-32-544
SID[ 11]: S-1-5-32-545
SID[ 12]: S-1-5-32-554
Privileges (0x 1FFFFF00):
Privilege[ 0]: SeTakeOwnershipPrivilege
Privilege[ 1]: SeBackupPrivilege
Privilege[ 2]: SeRestorePrivilege
Privilege[ 3]: SeRemoteShutdownPrivilege
Privilege[ 4]: SeSecurityPrivilege
Privilege[ 5]: SeSystemtimePrivilege
Privilege[ 6]: SeShutdownPrivilege
Privilege[ 7]: SeDebugPrivilege
Privilege[ 8]: SeSystemEnvironmentPrivilege
Privilege[ 9]: SeSystemProfilePrivilege
Privilege[ 10]: SeProfileSingleProcessPrivilege
Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Privilege[ 12]: SeLoadDriverPrivilege
Privilege[ 13]: SeCreatePagefilePrivilege
Privilege[ 14]: SeIncreaseQuotaPrivilege
Privilege[ 15]: SeChangeNotifyPrivilege
Privilege[ 16]: SeUndockPrivilege
Privilege[ 17]: SeManageVolumePrivilege
Privilege[ 18]: SeImpersonatePrivilege
Privilege[ 19]: SeCreateGlobalPrivilege
Privilege[ 20]: SeEnableDelegationPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
Right[ 1]: SeNetworkLogonRight
Right[ 2]: SeRemoteInteractiveLogonRight
[2016/05/11 08:09:36.450569, 1]
../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session
setup: NT_STATUS_INVALID_SID
----------------------------------------------------------------------------------------------------------------
Or when I tried to log in as a common user
----------------------------------------------------------------------------------------------------------------
[2016/05/11 08:15:44.784439, 2]
../source3/param/loadparm.c:2686(lp_do_section)
Processing section "[netlogon]"
[2016/05/11 08:15:44.784710, 2]
../source3/param/loadparm.c:2686(lp_do_section)
Processing section "[sysvol]"
[2016/05/11 08:15:44.785399, 2]
../source3/lib/interface.c:341(add_interface)
added interface eth0 ip=192.168.0.18 bcast=192.168.0.255
netmask=255.255.255.0
[2016/05/11 08:15:44.790623, 2]
../lib/util/modules.c:196(do_smb_load_module)
Module 'samba4' loaded
[2016/05/11 08:15:44.812343, 0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
Unable to convert first SID
(S-1-5-21-508106755-2976483754-4106360514-1188) in user token to a UID.
Conversion was returned as type 0, full token:
[2016/05/11 08:15:44.812690, 0]
../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (7):
SID[ 0]: S-1-5-21-508106755-2976483754-4106360514-1188
SID[ 1]: S-1-5-21-508106755-2976483754-4106360514-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-32-545
SID[ 6]: S-1-5-32-554
Privileges (0x 800000):
Privilege[ 0]: SeChangeNotifyPrivilege
Rights (0x 400):
Right[ 0]: SeRemoteInteractiveLogonRight
[2016/05/11 08:15:44.814382, 1]
../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session
setup: NT_STATUS_INVALID_SID
[2016/05/11 08:16:53.830440, 2]
../source3/smbd/server.c:467(remove_child_pid)
Could not find child 20805 -- ignoring
----------------------------------------------------------------------------------------------------------------
Something similar was solved on 4.2
https://bugzilla.samba.org/show_bug.cgi?id=10720
Cheers
Kasandra
On 11/05/16 at 07:12, Kasandra Padisha wrote:
>
> Hi
>
> Upgrading without knowing what the problem is, I feel a bit like with
> Windows or lots of commercial software: "The next version will solve
> all your problems" and we all know that's never true.
>
> I appreciate any help.
>
> Cheers
>
>
> -------- Forwarded message --------
> Subject: NT_STATUS_INVALID_SID in a SDC
> Date: Tue, 10 May 2016 12:22:25 -0500
> From: Kasandra Padisha <kasandrapadisha at hotmail.com>
> To: samba at lists.samba.org
>
>
>
> Hi All
>
> I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have
> backported Samba 4.3.18 and it is working well.
>
> I have installed a SDC (if I may use that name) on a different network,
> the same version of Samba but on a Debian Jessie on AMD64. I followed
> every instruction in
> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory.
>
> So every test worked fine.
>
> But now when I try to log in, to view a share or to join the domain I get
> NT_STATUS_INVALID_SID or "The security id structure is invalid".
> Not only with the administrator but with any user.
>
> root at parmenides2:~# smbclient -L localhost -UAdministrator
> Enter Administrator's password:
> session setup failed: NT_STATUS_INVALID_SID
>
> I am really out of arguments
>
>
> What I have already done:
>
> 1. The mirror is OK
>
> #> samba-tool drs showrepl
>
> Is OK
>
> #> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
> --filter=whenChanged
>
> I have run this from both PDCs and get SUCCESS
>
>
> 2. I have read all similar messages
>
> I have found some similar cases but none with a solution. And I have
> read ALL literally
>
>
> 3. My smb.conf
>
> I have installed my main controller following
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> and it was generated automatically. I added "idmap_ldb:use" and "log
> level"
>
>
> # Global parameters
> [global]
> workgroup = EXAMPLE-W10
> realm = EXAMPLE.COM
> netbios name = DC1
> server role = active directory domain controller
> dns forwarder = 192.168.10.7
> idmap_ldb:use rfc2307 = yes
> log level = 1
>
> [netlogon]
> path = /var/lib/samba/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> On DC2 the netbios name and dns forwarder change .. but everything else
> is the same.
>
>
>
> 4. ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>
> dn: CN=Administrator,CN=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20160505021322.0Z
> uSNCreated: 3223
> name: Administrator
> objectGUID: 8426ff4b-4bc4-43da-8de2-bc5808544933
> codePage: 0
> countryCode: 0
> pwdLastSet: 131068880020000000
> primaryGroupID: 513
> objectSid: S-1-5-21-508106755-2976483754-4106360514-500
> adminCount: 1
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> isCriticalSystemObject: TRUE
> lastLogonTimestamp: 131068882546671530
> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
> memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
> accountExpires: 0
> whenChanged: 20160510132605.0Z
> uSNChanged: 3721
> userAccountControl: 66048
> lastLogon: 131073689683266740
> distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
>
>
> 5. ldbsearch -H /var/lib/samba/private/sam.ldb DC=example | grep
> objectSid
>
> objectSid: S-1-5-21-508106755-2976483754-4106360514
>
>
> I appreciate any help
>
> Cheers
>
> Kasandra
>
>
>
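A triage helper for the two log.smbd excerpts in this message, added here as an example and not part of the original post or of Samba: it extracts each SID that security_token_to_unix_token could not map to a UID or GID and reports whether it sits under the domain SID shown by ldbsearch and which RID it carries. The function name, the constructed sample text and the small RID table are assumptions of this example.

```python
import re

# Constructed sample: the two failure entries from the log.smbd excerpts in the mail.
SAMPLE_LOG = """\
[2016/05/11 08:09:36.444927, 0]
../source4/auth/unix_token.c:93(security_token_to_unix_token)
Unable to convert second SID
(S-1-5-21-508106755-2976483754-4106360514-513) in user token to a GID.
Conversion was returned as type 0, full token:
[2016/05/11 08:15:44.812343, 0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
Unable to convert first SID
(S-1-5-21-508106755-2976483754-4106360514-1188) in user token to a UID.
Conversion was returned as type 0, full token:
"""
# Domain SID as reported by the ldbsearch output in the post.
DOMAIN_SID = "S-1-5-21-508106755-2976483754-4106360514"
# Well-known domain RIDs (standard Windows values).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

FAILURE_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]\s+"
    r"\S+\(security_token_to_unix_token\)\s+"
    r"Unable to convert (?:first|second) SID\s+"
    r"\((?P<sid>S-\d+(?:-\d+)+)\) in user token to a (?P<target>UID|GID)\.\s+"
    r"Conversion was returned as type (?P<type>\d+)"
)

def find_idmap_failures(log_text, domain_sid=DOMAIN_SID):
    """Return one dict per SID that smbd could not map to a UID or GID."""
    failures = []
    for m in FAILURE_RE.finditer(log_text):
        prefix, _, rid = m.group("sid").rpartition("-")
        in_domain = prefix == domain_sid
        failures.append({
            "time": m.group("ts"),
            "sid": m.group("sid"),
            "target": m.group("target"),            # which Unix id smbd needed
            "returned_type": int(m.group("type")),  # "type N" from the log line
            "in_domain": in_domain,
            "rid": int(rid),
            "name": (WELL_KNOWN_RIDS.get(int(rid), "no well-known name")
                     if in_domain else "outside this domain"),
        })
    return failures

if __name__ == "__main__":
    for f in find_idmap_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['target']} mapping failed: {f['sid']} ({f['name']})")
```

On the DC itself, `wbinfo --sid-to-uid=<SID>` and `wbinfo --sid-to-gid=<SID>` show whether winbind can map each reported SID.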