[Samba] NT_STATUS_INVALID_SID in a SDC

Kasandra Padisha kasandrapadisha at hotmail.com
Wed May 11 14:45:30 UTC 2016


Never mind ... I just demoted the SDC, removed Samba, reinstalled, 
rejoined the domain, and now it is working ..

:-(    I felt again as with Windows .. .. Just reinstall ..

Thanks to all


On 11/05/16 at 09:03, Kasandra Padisha wrote:
>
> Hi
>
> More info: The log.smbd shows the following lines when I tried to 
> log in as Administrator
>
> ---------------------------------------------------------------------------------------------------------------- 
>
> [2016/05/11 08:09:36.411968,  2] 
> ../source3/param/loadparm.c:2686(lp_do_section)
>   Processing section "[netlogon]"
> [2016/05/11 08:09:36.412108,  2] 
> ../source3/param/loadparm.c:2686(lp_do_section)
>   Processing section "[sysvol]"
> [2016/05/11 08:09:36.412743,  2] 
> ../source3/lib/interface.c:341(add_interface)
>   added interface eth0 ip=192.168.0.18 bcast=192.168.0.255 
> netmask=255.255.255.0
> [2016/05/11 08:09:36.418379,  2] 
> ../lib/util/modules.c:196(do_smb_load_module)
>   Module 'samba4' loaded
> [2016/05/11 08:09:36.444927,  0] 
> ../source4/auth/unix_token.c:93(security_token_to_unix_token)
>   Unable to convert second SID 
> (S-1-5-21-508106755-2976483754-4106360514-513) in user token to a 
> GID.  Conversion was returned as type 0, full token:
> [2016/05/11 08:09:36.445462,  0] 
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (13):
>     SID[  0]: S-1-5-21-508106755-2976483754-4106360514-500
>     SID[  1]: S-1-5-21-508106755-2976483754-4106360514-513
>     SID[  2]: S-1-5-21-508106755-2976483754-4106360514-512
>     SID[  3]: S-1-5-21-508106755-2976483754-4106360514-572
>     SID[  4]: S-1-5-21-508106755-2976483754-4106360514-520
>     SID[  5]: S-1-5-21-508106755-2976483754-4106360514-519
>     SID[  6]: S-1-5-21-508106755-2976483754-4106360514-518
>     SID[  7]: S-1-1-0
>     SID[  8]: S-1-5-2
>     SID[  9]: S-1-5-11
>     SID[ 10]: S-1-5-32-544
>     SID[ 11]: S-1-5-32-545
>     SID[ 12]: S-1-5-32-554
>    Privileges (0x        1FFFFF00):
>     Privilege[  0]: SeTakeOwnershipPrivilege
>     Privilege[  1]: SeBackupPrivilege
>     Privilege[  2]: SeRestorePrivilege
>     Privilege[  3]: SeRemoteShutdownPrivilege
>     Privilege[  4]: SeSecurityPrivilege
>     Privilege[  5]: SeSystemtimePrivilege
>     Privilege[  6]: SeShutdownPrivilege
>     Privilege[  7]: SeDebugPrivilege
>     Privilege[  8]: SeSystemEnvironmentPrivilege
>     Privilege[  9]: SeSystemProfilePrivilege
>     Privilege[ 10]: SeProfileSingleProcessPrivilege
>     Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>     Privilege[ 12]: SeLoadDriverPrivilege
>     Privilege[ 13]: SeCreatePagefilePrivilege
>     Privilege[ 14]: SeIncreaseQuotaPrivilege
>     Privilege[ 15]: SeChangeNotifyPrivilege
>     Privilege[ 16]: SeUndockPrivilege
>     Privilege[ 17]: SeManageVolumePrivilege
>     Privilege[ 18]: SeImpersonatePrivilege
>     Privilege[ 19]: SeCreateGlobalPrivilege
>     Privilege[ 20]: SeEnableDelegationPrivilege
>    Rights (0x             403):
>     Right[  0]: SeInteractiveLogonRight
>     Right[  1]: SeNetworkLogonRight
>     Right[  2]: SeRemoteInteractiveLogonRight
> [2016/05/11 08:09:36.450569,  1] 
> ../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
>   Failed to generate session_info (user and group token) for session 
> setup: NT_STATUS_INVALID_SID
>
> ---------------------------------------------------------------------------------------------------------------- 
>
>
> Or when I tried to log in as a common user
> ---------------------------------------------------------------------------------------------------------------- 
>
> [2016/05/11 08:15:44.784439,  2] 
> ../source3/param/loadparm.c:2686(lp_do_section)
>   Processing section "[netlogon]"
> [2016/05/11 08:15:44.784710,  2] 
> ../source3/param/loadparm.c:2686(lp_do_section)
>   Processing section "[sysvol]"
> [2016/05/11 08:15:44.785399,  2] 
> ../source3/lib/interface.c:341(add_interface)
>   added interface eth0 ip=192.168.0.18 bcast=192.168.0.255 
> netmask=255.255.255.0
> [2016/05/11 08:15:44.790623,  2] 
> ../lib/util/modules.c:196(do_smb_load_module)
>   Module 'samba4' loaded
> [2016/05/11 08:15:44.812343,  0] 
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID 
> (S-1-5-21-508106755-2976483754-4106360514-1188) in user token to a 
> UID.  Conversion was returned as type 0, full token:
> [2016/05/11 08:15:44.812690,  0] 
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (7):
>     SID[  0]: S-1-5-21-508106755-2976483754-4106360514-1188
>     SID[  1]: S-1-5-21-508106755-2976483754-4106360514-513
>     SID[  2]: S-1-1-0
>     SID[  3]: S-1-5-2
>     SID[  4]: S-1-5-11
>     SID[  5]: S-1-5-32-545
>     SID[  6]: S-1-5-32-554
>    Privileges (0x          800000):
>     Privilege[  0]: SeChangeNotifyPrivilege
>    Rights (0x             400):
>     Right[  0]: SeRemoteInteractiveLogonRight
> [2016/05/11 08:15:44.814382,  1] 
> ../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
>   Failed to generate session_info (user and group token) for session 
> setup: NT_STATUS_INVALID_SID
> [2016/05/11 08:16:53.830440,  2] 
> ../source3/smbd/server.c:467(remove_child_pid)
>   Could not find child 20805 -- ignoring
>
> ---------------------------------------------------------------------------------------------------------------- 
>
>
> Something similar was solved on 4.2 
> https://bugzilla.samba.org/show_bug.cgi?id=10720
>
>
> Cheers
>
> Kasandra
>
>
> On 11/05/16 at 07:12, Kasandra Padisha wrote:
>>
>> Hi
>>
>> Upgrading without knowing what the problem is, I feel a bit like with 
>> Windows or lots of commercial software: "The next version will solve 
>> all your problems" and we all know that's never true.
>>
>> I appreciate any help.
>>
>> Cheers
>>
>>
>> -------- Forwarded message --------
>> Subject:     NT_STATUS_INVALID_SID in a SDC
>> Date:     Tue, 10 May 2016 12:22:25 -0500
>> From:     Kasandra Padisha <kasandrapadisha at hotmail.com>
>> To:     samba at lists.samba.org
>>
>>
>>
>> Hi All
>>
>> I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have
>> backported Samba 4.3.18 and it is working well.
>>
>> I have installed a SDC (if I may use that name) on a different network,
>> the same version of Samba but on a Debian Jessie on AMD64. I followed
>> every instruction in
>> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory. 
>>
>> So every test worked fine.
>>
>> But now when I try to log in, to view a share or to join the domain I get
>> NT_STATUS_INVALID_SID or "The security id structure is invalid".
>> Not only with the administrator but with any user.
>>
>>    root at parmenides2:~# smbclient -L localhost -UAdministrator
>>    Enter Administrator's password:
>>    session setup failed: NT_STATUS_INVALID_SID
>>
>> I am really out of arguments
>>
>>
>> What I have already done:
>>
>> 1. The mirror is OK
>>
>> #> samba-tool drs showrepl
>>
>> Is OK
>>
>> #> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
>> --filter=whenChanged
>>
>> I have run this from both PDCs and get SUCCESS
>>
>>
>> 2. I have read all similar messages
>>
>> I have found some similar cases but none with a solution. And I have
>> read ALL literally
>>
>>
>> 3. My smb.conf
>>
>> I have installed my main controller following
>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller 
>>
>> and it was generated automatically. I added "idmap_ldb:use" and "log 
>> level"
>>
>>
>> # Global parameters
>> [global]
>>         workgroup = EXAMPLE-W10
>>         realm = EXAMPLE.COM
>>         netbios name = DC1
>>         server role = active directory domain controller
>>         dns forwarder = 192.168.10.7
>>         idmap_ldb:use rfc2307 = yes
>>         log level = 1
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.com/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>>
>> On DC2 the netbios name and dns forwarder change .. but everything else
>> is the same.
>>
>>
>>
>> 4.  ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>
>> dn: CN=Administrator,CN=Users,DC=example,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Administrator
>> description: Built-in account for administering the computer/domain
>> instanceType: 4
>> whenCreated: 20160505021322.0Z
>> uSNCreated: 3223
>> name: Administrator
>> objectGUID: 8426ff4b-4bc4-43da-8de2-bc5808544933
>> codePage: 0
>> countryCode: 0
>> pwdLastSet: 131068880020000000
>> primaryGroupID: 513
>> objectSid: S-1-5-21-508106755-2976483754-4106360514-500
>> adminCount: 1
>> sAMAccountName: Administrator
>> sAMAccountType: 805306368
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>> isCriticalSystemObject: TRUE
>> lastLogonTimestamp: 131068882546671530
>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
>> memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
>> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
>> memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
>> memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
>> accountExpires: 0
>> whenChanged: 20160510132605.0Z
>> uSNChanged: 3721
>> userAccountControl: 66048
>> lastLogon: 131073689683266740
>> distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
>>
>>
>> 5. ldbsearch -H /var/lib/samba/private/sam.ldb DC=example | grep 
>> objectSid
>>
>> objectSid: S-1-5-21-508106755-2976483754-4106360514
>>
>>
>> I appreciate any help
>>
>> Cheers
>>
>> Kasandra
>>
>>
>>
>
>
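
For triaging a log like the one quoted in this thread, the following added example (not part of the original messages and not Samba project code) pulls each `security_token_to_unix_token` failure out of log.smbd text and reports which SID could not be mapped, whether a UID or a GID was wanted, and whether the SID sits under the domain SID shown in the first message. The function names are assumptions of this example, and the embedded sample is reassembled from the excerpts above.

```python
import re

DOMAIN_SID = "S-1-5-21-508106755-2976483754-4106360514"  # domain objectSid from the first message

# Sample reassembled from the log.smbd excerpts in this thread, mail line wrapping kept.
SAMPLE_LOG = """\
[2016/05/11 08:09:36.444927,  0]
../source4/auth/unix_token.c:93(security_token_to_unix_token)
  Unable to convert second SID
(S-1-5-21-508106755-2976483754-4106360514-513) in user token to a
GID.  Conversion was returned as type 0, full token:
[2016/05/11 08:09:36.450569,  1]
../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session
setup: NT_STATUS_INVALID_SID
[2016/05/11 08:15:44.812343,  0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID
(S-1-5-21-508106755-2976483754-4106360514-1188) in user token to a
UID.  Conversion was returned as type 0, full token:
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+\d+\]")
FAILURE = re.compile(r"Unable to convert (\w+) SID \((S-[\d-]+)\) in user token "
                     r"to a (UID|GID)\. Conversion was returned as type (\d+)")

def split_entries(text):
    """Rejoin wrapped lines: an entry runs from one '[timestamp, level]' header to the next."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # drop mail quoting and indentation
        if m := HEADER.match(line):
            entries.append((m.group(1), []))
        elif line and entries:
            entries[-1][1].append(line)
    return [(ts, " ".join(" ".join(parts).split())) for ts, parts in entries]

def idmap_failures(text, domain_sid=DOMAIN_SID):
    """Return one record per SID that smbd could not convert to a Unix UID/GID."""
    records = []
    for ts, body in split_entries(text):
        if m := FAILURE.search(body):
            position, sid, wanted, returned = m.groups()
            prefix, _, rid = sid.rpartition("-")
            records.append({"time": ts, "position": position, "sid": sid,
                            "wanted": wanted, "returned_type": int(returned),
                            "in_domain": prefix == domain_sid, "rid": int(rid)})
    return records
```

Calling `idmap_failures(SAMPLE_LOG)` returns two records: RID 513 wanted as a GID and RID 1188 wanted as a UID, both under the domain SID.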



