[Samba] The security id structure is invalid

Ron García-Vidal ron at riomargroup.com
Wed Oct 5 14:37:51 UTC 2016 

Here is some more information that could be helpful. This is the entry 
for LDAP User in ldbedit:

# record 253
dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: LDAP User
sn: User
givenName: LDAP
instanceType: 4
whenCreated: 20140106220805.0Z
displayName: LDAP User
uSNCreated: 6218
name: LDAP User
objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: LDAPUser
sAMAccountType: 805306368
userPrincipalName: LDAPUser at dc1.mydomain.net
objectCategory: 
CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
pwdLastSet: 130335199430000000
lockoutTime: 0
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
primaryGroupID: 514
whenChanged: 20140107003451.0Z
uSNChanged: 6241
distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net

Here is the entry for Domain Admins:

# record 70
dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
instanceType: 4
whenCreated: 20131130221548.0Z
uSNCreated: 3549
name: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: 
CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication 
Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
whenChanged: 20161004204939.0Z
uSNChanged: 49368
distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net

I'm not really understanding where the dbcheck errors are coming from. 
Please let me know if further log info would be helpful.

-Ron

On 10/4/16 5:01 PM, Ron García-Vidal via samba wrote:
>
> On 10/4/16 2:40 PM, Rowland Penny via samba wrote:
>> On Tue, 4 Oct 2016 14:00:02 -0400
>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>
>>> ERROR: incorrect GUID component for member in object CN=Domain
>>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP 
>>>
>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>
>>> Change DN to
>>> <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP 
>>>
>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
>>> ERROR: Failed to fix incorrect GUID on attribute member : (53,
>>> 'Attribute member already deleted for target GUID
>>> a8e1e07a-cab8-4222-a024-97d59084268b')
>>>
>>> I'm not even sure where to start fixing this and am not finding
>>> anything similar via google.
>>>
>>> -Ron
>>>
>>>
>>>
>> It looks like you have a dangling link for a member of Domain Admins
>> that has been deleted.
>>
>> Try searching AD for 'S-1-5-21-1319907214-2951884047-2640289736-1117'
>> and if it doesn't exist, see if you can identify the user in the Domain
>> Admins object and delete that.
>> Back everything up first.
>>
>>
> The DN indicated is a user called LDAP User that I created to interact 
> with the LDAP. And that user's SID is the one ending in 1117. The 
> thing is, that user isn't in "members" of the Domain Admins. The only 
> users in that group are Administrator and my user account. I tried 
> adding LDAP User to the Domain Admins group and removing it, the 
> problem still persists.
>
> To add to this, when I run the samba-tool dbcheck without the --fix 
> option, I get two additional entries:
>
> ERROR: incorrect GUID component for member in object CN=Domain 
> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - 
> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP 
> User,CN=Users,DC=dc1,DC=mydomain,DC=net
> Not fixing incorrect GUID
> ERROR: incorrect DN SID component for member in object CN=Schema 
> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - 
> <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<RMD_ADDTIME=130335204740000000>;<RMD_CHANGETIME=130335284920000000>;<RMD_FLAGS=1>;<RMD_INVOCID=bf3306c6-bbc7-40c7-b63f-9b2c6f6ffe2a>;<RMD_LOCAL_USN=6243>;<RMD_ORIGINATING_USN=6243>;<RMD_VERSION=3>;CN=LDAP 
> User,CN=Users,DC=dc1,DC=mydomain,DC=net
> Not fixing SID component mismatch
> ERROR: incorrect DN SID component for member in object CN=Domain 
> Users,CN=Users,DC=dc1,DC=mydomain,DC=net - 
> <GUID=7a02c46a50021940a2a812cc03497f7f>;<RMD_ADDTIME=130335204750000000>;<RMD_CHANGETIME=130335204750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6230>;<RMD_ORIGINATING_USN=6230>;<RMD_VERSION=1>;CN=LDAP 
> User,CN=Users,DC=dc1,DC=mydomain,DC=net
> Not fixing SID component mismatch
>
> In all three cases, the CN is LDAP User, but 1) LDAP User is not in 
> any of these three groups and 2) the GUID component listed is 
> different (what does the GUID refer to. I'm not seeing it in LDAP. I 
> am seeing an objectGUID, is that the same thing?)
>
> -Ron
>

More information about the samba mailing list