[Samba] The security id structure is invalid
Ron García-Vidal
ron at riomargroup.com
Tue Oct 4 21:01:49 UTC 2016
On 10/4/16 2:40 PM, Rowland Penny via samba wrote:
> On Tue, 4 Oct 2016 14:00:02 -0400
> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>
>> ERROR: incorrect GUID component for member in object CN=Domain
>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>
>> Change DN to
>> <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
>> ERROR: Failed to fix incorrect GUID on attribute member : (53,
>> 'Attribute member already deleted for target GUID
>> a8e1e07a-cab8-4222-a024-97d59084268b')
>>
>> I'm not even sure where to start fixing this and am not finding
>> anything similar via google.
>>
>> -Ron
>>
>>
>>
> It looks like you have a dangling link for a member of Domain Admins
> that has been deleted.
>
> Try searching AD for 'S-1-5-21-1319907214-2951884047-2640289736-1117'
> and if it doesn't exist, see if you can identify the user in the Domain
> Admins object and delete that.
> Back everything up first.
>
>
The DN indicated is a user called LDAP User that I created to interact
with the LDAP. And that user's SID is the one ending in 1117. The thing
is, that user isn't in "members" of the Domain Admins. The only users in
that group are Administrator and my user account. I tried adding LDAP
User to the Domain Admins group and removing it; the problem still persists.

To add to this, when I run the samba-tool dbcheck without the --fix
option, I get two additional entries:
ERROR: incorrect GUID component for member in object CN=Domain
Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing incorrect GUID
ERROR: incorrect DN SID component for member in object CN=Schema
Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
<GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<RMD_ADDTIME=130335204740000000>;<RMD_CHANGETIME=130335284920000000>;<RMD_FLAGS=1>;<RMD_INVOCID=bf3306c6-bbc7-40c7-b63f-9b2c6f6ffe2a>;<RMD_LOCAL_USN=6243>;<RMD_ORIGINATING_USN=6243>;<RMD_VERSION=3>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing SID component mismatch
ERROR: incorrect DN SID component for member in object CN=Domain
Users,CN=Users,DC=dc1,DC=mydomain,DC=net -
<GUID=7a02c46a50021940a2a812cc03497f7f>;<RMD_ADDTIME=130335204750000000>;<RMD_CHANGETIME=130335204750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6230>;<RMD_ORIGINATING_USN=6230>;<RMD_VERSION=1>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing SID component mismatch
In all three cases, the CN is LDAP User, but 1) LDAP User is not in any
of these three groups and 2) the GUID component listed is different.
(What does the GUID refer to? I'm not seeing it in LDAP. I am seeing an
objectGUID; is that the same thing?)
-Ron
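
The dbcheck output quoted in this message shows GUID, RMD_INVOCID and SID components in two encodings: hyphenated or S-1-... strings, and bare hex. The following Python is an added example, not part of the original message or of Samba's code; it assumes the bare-hex form is the raw binary GUID and binary SID, and decodes it so the values can be compared with objectGUID and objectSid. The function names are hypothetical.

```python
import re
import struct
import uuid

# Copied from the dbcheck output above, with the mail line wrap joined.
SAMPLE_LINK = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;"
    "<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;"
    "<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;"
    "<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)

def decode_guid(value):
    """32 bare hex digits are raw GUID bytes (first three fields little-endian)."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return str(uuid.UUID(bytes_le=bytes.fromhex(value)))
    return str(uuid.UUID(value))  # already in string form

def decode_sid(value):
    """Turn a hex-encoded binary SID into S-1-... form; pass strings through."""
    if value.upper().startswith("S-"):
        return value
    raw = bytes.fromhex(value)
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID: %r" % value)
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def parse_extended_dn(text):
    """Return (components, plain_dn) with GUID/SID values normalised."""
    comps, rest = {}, text.strip()
    while rest.startswith("<"):
        m = re.match(r"<([A-Z_]+)=([^>]*)>;", rest)
        if m is None:
            raise ValueError("unterminated extended DN component")
        comps[m.group(1)] = m.group(2)
        rest = rest[m.end():]
    for key in ("GUID", "RMD_INVOCID"):
        if key in comps:
            comps[key] = decode_guid(comps[key])
    if "SID" in comps:
        comps["SID"] = decode_sid(comps["SID"])
    return comps, rest

if __name__ == "__main__":
    print(parse_extended_dn(SAMPLE_LINK))
```

On the Domain Admins value this returns GUID a8e1e07a-cab8-4222-a024-97d59084268b, the target GUID named in the --fix error, and SID S-1-5-21-1319907214-2951884047-2640289736-1116.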