[Samba] The security id structure is invalid

Rowland Penny rpenny at samba.org
Thu Oct 6 17:02:40 UTC 2016


On Thu, 6 Oct 2016 12:35:54 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
> > On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
> >> On Wed, 5 Oct 2016 10:37:51 -0400
> >> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> >>
> >>> Here is some more information that could be helpful. This is the
> >>> entry for LDAP User in ldbedit:
> >>>
> >>> # record 253
> >>> dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>> objectClass: top
> >>> objectClass: person
> >>> objectClass: organizationalPerson
> >>> objectClass: user
> >>> cn: LDAP User
> >>> sn: User
> >>> givenName: LDAP
> >>> instanceType: 4
> >>> whenCreated: 20140106220805.0Z
> >>> displayName: LDAP User
> >>> uSNCreated: 6218
> >>> name: LDAP User
> >>> objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
> >>> badPwdCount: 0
> >>> codePage: 0
> >>> countryCode: 0
> >>> badPasswordTime: 0
> >>> lastLogoff: 0
> >>> lastLogon: 0
> >>> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
> >>> accountExpires: 9223372036854775807
> >>> logonCount: 0
> >>> sAMAccountName: LDAPUser
> >>> sAMAccountType: 805306368
> >>> userPrincipalName: LDAPUser at dc1.mydomain.net
> >>> objectCategory:
> >>> CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
> >>> pwdLastSet: 130335199430000000
> >>> lockoutTime: 0
> >>> userAccountControl: 66048
> >>> msDS-SupportedEncryptionTypes: 0
> >>> primaryGroupID: 514
> >>> whenChanged: 20140107003451.0Z
> >>> uSNChanged: 6241
> >>> distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>>
> >> I don't know if this is part of your problem, but why is the
> >> primaryGroupID of LDAPUser 'Domain Guests' ??
> >> Try changing it to 513 (Domain Users)
> >>
> > I get the following error from both ldbedit and from ldapadmin:
> >
> > failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net - 
> > error in module samldb: Unwilling to perform during LDB_MODIFY
> >
> In trying to sort through this myself, I seem to be missing
> something. Can anyone shed light on why samba-tool dbcheck gives me
> this message?
> 
> ERROR: incorrect GUID component for member in object CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
> 
> The GUID that it's giving doesn't show up anywhere when I ldbedit my 
> sam.db. I'm trying to figure out how I can manually correct the GUID 
> component that it's screaming about, but I can't find anything in the 
> sam.db that mentions GUID other than objectGUID. Any hints?
> 
> -Ron
> 

If you examine the 'Domain Admins' object in AD, you should find lines
like these:

objectGUID: 0dc3c303-b37f-4830-a1c2-d8cb7434f5d5
member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

The first is the GUID and every object in AD has one, so try searching
for your GUID in this format:

7ae0e1a8-b8ca-2242-a024-97d59084268b

If you find it, the object it is in should have a 'memberof' attribute
that contains the Domain Admins DN.

'member' and 'memberof' are linked, deleting the 'member' attribute
should delete the 'memberof' attribute, but I do not know if the
reverse works in the same way.

Rowland
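A worked decode of the dbcheck output above, added here as an example; it is not code from the thread or from Samba, and the helper names are hypothetical. The `<GUID=...>` and `<SID=...>` components that dbcheck prints are the raw 16-byte GUID and the binary SID from the link, so they have to be decoded rather than just hyphenated: the first three GUID fields are stored little-endian, which gives the objectGUID string a8e1e07a-cab8-4222-a024-97d59084268b (a version-4 GUID, like the other objectGUIDs in the thread), and the SID component decodes to ...-2640289736-1116, whereas the ldbedit record for the object now at that DN shows RID 1117 and a different objectGUID. The RMD_ADDTIME also decodes to 2014-01-06 22:00:42 UTC, earlier than the record's whenCreated of 22:08:05, which is what a link left behind by an earlier, since-deleted object at the same DN looks like. The inputs are constructed from the values quoted earlier in the thread.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Constructed input: the extended DN that samba-tool dbcheck printed for the
# bad 'member' link in Domain Admins (copied from the error quoted in the thread).
DBCHECK_LINK = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;"
    "<RMD_ADDTIME=130335192420000000>;"
    "<RMD_CHANGETIME=130335196040000000>;"
    "<RMD_FLAGS=1>;"
    "<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;"
    "<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)

# Constructed input: attributes of the object that currently answers to that
# DN, taken from the ldbedit record quoted earlier in the thread.
CURRENT_OBJECT = {
    "objectGUID": "6ac4027a-0250-4019-a2a8-12cc03497f7f",
    "objectSid": "S-1-5-21-1319907214-2951884047-2640289736-1117",
    "whenCreated": "20140106220805.0Z",
}

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_extended_dn(dn):
    """Split an ldb extended DN into its <KEY=VALUE> components and the plain DN."""
    components = {}
    rest = dn
    while rest.startswith("<"):
        end = rest.index(">")
        key, value = rest[1:end].split("=", 1)
        components[key] = value
        rest = rest[end + 1:].lstrip(";")
    return components, rest


def guid_hex_to_string(hex_guid):
    """The hex form is the 16-byte binary GUID. Its first three fields are stored
    little-endian, so the printable objectGUID form needs a byte swap, which
    uuid.UUID(bytes_le=...) performs."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_guid)))


def sid_hex_to_string(hex_sid):
    """Decode a binary SID: revision, sub-authority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    raw = bytes.fromhex(hex_sid)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def nttime_to_datetime(nttime):
    """NTTIME is the count of 100 ns intervals since 1601-01-01 UTC."""
    return NT_EPOCH + timedelta(microseconds=int(nttime) // 10)


def generalized_time_to_datetime(value):
    """Parse an LDAP GeneralizedTime such as whenCreated (YYYYmmddHHMMSS.0Z)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def decode_link(dn):
    """Decode every component of a dbcheck-printed link into readable values."""
    comps, target_dn = parse_extended_dn(dn)
    return {
        "dn": target_dn,
        "guid": guid_hex_to_string(comps["GUID"]),
        "sid": sid_hex_to_string(comps["SID"]),
        "invocation_id": guid_hex_to_string(comps["RMD_INVOCID"]),
        "added": nttime_to_datetime(comps["RMD_ADDTIME"]),
        "changed": nttime_to_datetime(comps["RMD_CHANGETIME"]),
    }


def link_points_at(link, obj):
    """A forward link is consistent only when its GUID and SID components
    name the object currently stored at the target DN."""
    return link["guid"] == obj["objectGUID"] and link["sid"] == obj["objectSid"]


def link_predates_object(link, obj):
    """True when the link was added before the current target object was
    created, i.e. it was made to an earlier object that has since gone away."""
    return link["added"] < generalized_time_to_datetime(obj["whenCreated"])


if __name__ == "__main__":
    link = decode_link(DBCHECK_LINK)
    for key, value in link.items():
        print("%-14s %s" % (key, value))
    print("link names current object:", link_points_at(link, CURRENT_OBJECT))
    print("link predates object:     ", link_predates_object(link, CURRENT_OBJECT))
```

The decoded GUID string is the value to search for in an objectGUID attribute; the decoded SID is the value to compare against objectSid. When neither matches the object at the link's DN and the link's add time predates that object's whenCreated, the link refers to a previous object, not the one ldbedit shows, which is why dbcheck reports the GUID component as incorrect.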
  


