[Samba] The security id structure is invalid

Rowland Penny rpenny at samba.org
Tue Oct 4 18:40:59 UTC 2016


On Tue, 4 Oct 2016 14:00:02 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> I recently upgraded Samba on my DC from a working 4.3 installation to 
> 4.5.0. Once done, I followed the instructions here:
> 
> https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
> 
> and ran:
> 
> samba-tool dbcheck --cross-ncs --fix --yes
> 
> After that, I can no longer access the shares on this machine. I get
> the "Security ID structure is invalid" error above. In addition, the
> RSAT can't speak to the DC, and other linux boxes (running sssd) are
> saying "Authentication server cannot be found"
> 
> I am able to access the server using an ldap browser and am trying to 
> piece my way to fixing this, but am coming up empty handed. This is
> my home server and only has three users, so I could technically wipe
> and rebuild the server, but since I have many clients who use Samba,
> I would like to figure out how to fix this in case it comes up again.
> 
> The syslog is giving the following errors:
> 
> Oct  4 13:56:15 harleyquinn smbd[17702]:   Unable to convert SID (S-1-5-11) at index 5 in user token to a GID.  Conversion was returned as type 0, full token:
> Oct  4 13:56:15 harleyquinn smbd[17702]: [2016/10/04 13:56:15.283772,  0] ../libcli/security/security_token.c:63(security_token_debug)
> Oct  4 13:56:15 harleyquinn smbd[17702]:   Security token SIDs (8):
> Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  0]: S-1-5-21-1319907214-2951884047-2640289736-1105
> Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  1]: S-1-5-21-1319907214-2951884047-2640289736-1107
> Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  2]: S-1-5-21-1319907214-2951884047-2640289736-513
> Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  3]: S-1-1-0
> Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  4]: S-1-5-2
> Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  5]: S-1-5-11
> Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  6]: S-1-5-32-545
> Oct  4 13:56:15 harleyquinn smbd[17702]:     SID[  7]: S-1-5-32-554
> Oct  4 13:56:15 harleyquinn smbd[17702]:    Privileges (0x          800000):
> Oct  4 13:56:15 harleyquinn smbd[17702]:     Privilege[  0]: SeChangeNotifyPrivilege
> Oct  4 13:56:15 harleyquinn smbd[17702]:    Rights (0x 400):
> Oct  4 13:56:15 harleyquinn smbd[17702]:     Right[  0]: SeRemoteInteractiveLogonRight
> Oct  4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367502,  0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
> Oct  4 13:56:15 harleyquinn smbd[17703]:   Unable to convert SID (S-1-5-11) at index 5 in user token to a GID.  Conversion was returned as type 0, full token:
> Oct  4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367835,  0] ../libcli/security/security_token.c:63(security_token_debug)
> Oct  4 13:56:15 harleyquinn smbd[17703]:   Security token SIDs (8):
> Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  0]: S-1-5-21-1319907214-2951884047-2640289736-1105
> Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  1]: S-1-5-21-1319907214-2951884047-2640289736-1107
> Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  2]: S-1-5-21-1319907214-2951884047-2640289736-513
> Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  3]: S-1-1-0
> Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  4]: S-1-5-2
> Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  5]: S-1-5-11
> Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  6]: S-1-5-32-545
> Oct  4 13:56:15 harleyquinn smbd[17703]:     SID[  7]: S-1-5-32-554
> Oct  4 13:56:15 harleyquinn smbd[17703]:    Privileges (0x          800000):
> Oct  4 13:56:15 harleyquinn smbd[17703]:     Privilege[  0]: SeChangeNotifyPrivilege
> Oct  4 13:56:15 harleyquinn smbd[17703]:    Rights (0x 400):
> Oct  4 13:56:15 harleyquinn smbd[17703]:     Right[  0]: SeRemoteInteractiveLogonRight
> 
> These are repeated for various SIDs.
> 
> Also, the samba-tool dbcheck is unable to fix the following:
> 
> ERROR: incorrect GUID component for member in object CN=Domain 
> Admins,CN=Users,DC=dc1,DC=evilgenius,DC=net - 
> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP 
> User,CN=Users,DC=dc1,DC=mydomain,DC=net
> 
> Change DN to 
> <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP 
> User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
> ERROR: Failed to fix incorrect GUID on attribute member : (53, 
> 'Attribute member already deleted for target GUID 
> a8e1e07a-cab8-4222-a024-97d59084268b')
> 
> I'm not even sure where to start fixing this and am not finding
> anything similar via google.
> 
> -Ron
> 
> 
> 

It looks like you have a dangling link for a member of Domain Admins
that has been deleted.

Try searching AD for 'S-1-5-21-1319907214-2951884047-2640289736-1117'
and if it doesn't exist, see if you can identify the user in the Domain
Admins object and delete that.
Back everything up first.

Rowland
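
The following is an added example, not part of the original messages and not Samba's own code. It decodes the hex `<GUID=...>` and `<SID=...>` components of the extended DN in the dbcheck error quoted above, so the stale link can be compared with the GUID and SID dbcheck proposes as the replacement. The function names are hypothetical, and the interpretation of bit 0 of `RMD_FLAGS` as "link deleted" is stated here as an assumption about Samba's link metadata.

```python
import re
import struct
import uuid

# Extended DN of the stale link, copied from the dbcheck error above.
# RMD_* components other than RMD_FLAGS are omitted here for brevity.
STALE_LINK = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;"
    "<RMD_FLAGS=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)

def decode_guid(hex_guid):
    """Hex-encoded binary GUID -> canonical string (first three fields are little-endian)."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_guid)))

def decode_sid(hex_sid):
    """Hex-encoded binary SID -> S-R-A-S1-S2-... string form."""
    raw = bytes.fromhex(hex_sid)
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])  # 32-bit, little-endian
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def parse_extended_dn(dn):
    """Return the <NAME=value>; components as a dict, with the plain DN under 'DN'."""
    parts = dict(re.findall(r"<([A-Z_]+)=([^>]*)>;", dn))
    parts["DN"] = re.sub(r"<[^>]*>;", "", dn)
    return parts

def describe_link(dn):
    """Decode the identifying fields of one linked-attribute value."""
    p = parse_extended_dn(dn)
    return {
        "guid": decode_guid(p["GUID"]),
        "sid": decode_sid(p["SID"]),
        "deleted": bool(int(p.get("RMD_FLAGS", "0")) & 1),  # assumption: bit 0 = deleted link
        "dn": p["DN"],
    }

if __name__ == "__main__":
    print(describe_link(STALE_LINK))
```

For the values above, the decoded GUID is `a8e1e07a-cab8-4222-a024-97d59084268b`, the target GUID named in the dbcheck failure, and the decoded SID ends in RID 1116, while the DN dbcheck offers as a replacement carries RID 1117 and a different GUID.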


