[Samba] The security id structure is invalid

Ron García-Vidal ron at riomargroup.com
Tue Oct 4 21:01:49 UTC 2016


On 10/4/16 2:40 PM, Rowland Penny via samba wrote:
> On Tue, 4 Oct 2016 14:00:02 -0400
> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>
>> ERROR: incorrect GUID component for member in object CN=Domain
>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>
>> Change DN to
>> <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
>> ERROR: Failed to fix incorrect GUID on attribute member : (53,
>> 'Attribute member already deleted for target GUID
>> a8e1e07a-cab8-4222-a024-97d59084268b')
>>
>> I'm not even sure where to start fixing this and am not finding
>> anything similar via google.
>>
>> -Ron
>>
>>
>>
> It looks like you have a dangling link for a member of Domain Admins
> that has been deleted.
>
> Try searching AD for 'S-1-5-21-1319907214-2951884047-2640289736-1117'
> and if it doesn't exist, see if you can identify the user in the Domain
> Admins object and delete that.
> Back everything up first.
>
>
The DN indicated is a user called LDAP User that I created to interact 
with the LDAP, and that user's SID is the one ending in 1117. The thing 
is, that user isn't in "members" of the Domain Admins. The only users in 
that group are Administrator and my user account. I tried adding LDAP 
User to the Domain Admins group and removing it, but the problem still persists.

To add to this, when I run the samba-tool dbcheck without the --fix 
option, I get two additional entries:

ERROR: incorrect GUID component for member in object CN=Domain 
Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - 
<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP 
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing incorrect GUID
ERROR: incorrect DN SID component for member in object CN=Schema 
Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - 
<GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<RMD_ADDTIME=130335204740000000>;<RMD_CHANGETIME=130335284920000000>;<RMD_FLAGS=1>;<RMD_INVOCID=bf3306c6-bbc7-40c7-b63f-9b2c6f6ffe2a>;<RMD_LOCAL_USN=6243>;<RMD_ORIGINATING_USN=6243>;<RMD_VERSION=3>;CN=LDAP 
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing SID component mismatch
ERROR: incorrect DN SID component for member in object CN=Domain 
Users,CN=Users,DC=dc1,DC=mydomain,DC=net - 
<GUID=7a02c46a50021940a2a812cc03497f7f>;<RMD_ADDTIME=130335204750000000>;<RMD_CHANGETIME=130335204750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6230>;<RMD_ORIGINATING_USN=6230>;<RMD_VERSION=1>;CN=LDAP 
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing SID component mismatch

In all three cases, the CN is LDAP User, but 1) LDAP User is not in any 
of these three groups and 2) the GUID component listed is different 
(what does the GUID refer to? I'm not seeing it in LDAP. I am seeing an 
objectGUID; is that the same thing?)

-Ron
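As an added worked example (not from the thread or from Samba's own code), the following Python decodes the extended-DN components that dbcheck prints: the packed hex GUID is the target's objectGUID in little-endian byte order, the hex SID is its objectSid, and bit 1 of RMD_FLAGS marks a deleted link (Samba's DSDB_RMD_FLAG_DELETED). The sample link is copied from the Domain Admins error above with the line wrap removed.

```python
import re
import struct
import uuid

# Constructed sample: the dangling "member" link that dbcheck reported on
# the Domain Admins object above (line wrap removed).
DANGLING_MEMBER = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;"
    "<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;"
    "<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;"
    "<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)
# Samba's dsdb.h: DSDB_RMD_FLAG_DELETED == 1 marks a link as deleted.
RMD_FLAG_DELETED = 1


def guid_from_hex(hexstr):
    """Packed objectGUID (first three fields little-endian) -> dashed form.
    A value that already contains dashes is returned unchanged."""
    if "-" in hexstr:
        return hexstr.lower()
    return str(uuid.UUID(bytes_le=bytes.fromhex(hexstr)))


def sid_from_hex(hexstr):
    """Binary objectSid -> 'S-<rev>-<authority>-<sub1>-...' string."""
    raw = bytes.fromhex(hexstr)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")                  # 48-bit big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def decode_link(extended_dn):
    """Split '<K=V>;...;<plain DN>' and decode the binary components."""
    *tagged, plain_dn = extended_dn.split(";")
    comps = {}
    for item in tagged:
        m = re.fullmatch(r"<([A-Z_]+)=([^>]*)>", item)
        if not m:
            raise ValueError("malformed extended-DN component: %r" % item)
        comps[m.group(1)] = m.group(2)
    flags = int(comps.get("RMD_FLAGS", "0"))
    result = {"dn": plain_dn, "deleted": bool(flags & RMD_FLAG_DELETED)}
    if "GUID" in comps:
        result["guid"] = guid_from_hex(comps["GUID"])
    if "SID" in comps:
        result["sid"] = sid_from_hex(comps["SID"])
    return result
```

Run on the link quoted above, it yields GUID a8e1e07a-cab8-4222-a024-97d59084268b (the target GUID dbcheck named in its second error) and SID S-1-5-21-1319907214-2951884047-2640289736-1116, whereas the replacement DN dbcheck proposes carries the SID ending in 1117; both can be compared against the objectGUID and objectSid of the LDAP User account.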
