[Samba] The security id structure is invalid

Ron García-Vidal ron at riomargroup.com
Thu Oct 6 17:46:11 UTC 2016


On 10/6/16 1:02 PM, Rowland Penny via samba wrote:
> On Thu, 6 Oct 2016 12:35:54 -0400
> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>
>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Here is some more information that could be helpful. This is the
>>>>> entry for LDAP User in ldbedit:
>>>>>
>>>>> # record 253
>>>>> dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: LDAP User
>>>>> sn: User
>>>>> givenName: LDAP
>>>>> instanceType: 4
>>>>> whenCreated: 20140106220805.0Z
>>>>> displayName: LDAP User
>>>>> uSNCreated: 6218
>>>>> name: LDAP User
>>>>> objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: LDAPUser
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: LDAPUser at dc1.mydomain.net
>>>>> objectCategory:
>>>>> CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
>>>>> pwdLastSet: 130335199430000000
>>>>> lockoutTime: 0
>>>>> userAccountControl: 66048
>>>>> msDS-SupportedEncryptionTypes: 0
>>>>> primaryGroupID: 514
>>>>> whenChanged: 20140107003451.0Z
>>>>> uSNChanged: 6241
>>>>> distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>>
>>>> I don't know if this is part of your problem, but why is the
>>>> primaryGroupID of LDAPUser 'Domain Guests' ??
>>>> Try changing it to 513 (Domain Users)
>>>>
>>> I get the following error from both ldbedit and from ldapadmin:
>>>
>>> failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>> error in module samldb: Unwilling to perform during LDB_MODIFY
>>>
>> In trying to sort through this myself, I seem to be missing
>> something. Can anyone shed light on why samba-tool dbcheck gives me
>> this message?
>>
>> ERROR: incorrect GUID component for member in object CN=Domain
>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>
>> The GUID that it's giving doesn't show up anywhere when I ldbedit my
>> sam.db. I'm trying to figure out how I can manually correct the GUID
>> component that it's screaming about, but I can't find anything in the
>> sam.db that mentions GUID other than objectGUID. Any hints?
>>
>> -Ron
>>
> If you examine the 'Domain Admins' object in AD, you should find lines
> like these:
>
> objectGUID: 0dc3c303-b37f-4830-a1c2-d8cb7434f5d5
> member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>
> The first is the GUID and every object in AD has one, so try searching
> for your GUID in this format:
>
> 7ae0e1a8-b8ca-2242-a024-97d59084268b
>
> If you find it, the object it is in should have a 'memberof' attribute
> that contains the Domain Admins DN.
>
> 'member' and 'memberof' are linked, deleting the 'member' attribute
> should delete the 'memberof' attribute, but I do not know if the
> reverse works in the same way.
Thanks for this clarification. I have even searched for the string 7ae0, 
because I thought the GUID would be hyphenated, and that string does not 
exist in the ldb. Above I pasted the ldb entry for "LDAP User" and here's 
the relevant lines from the "Domain Admins" group:

dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
cn: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
objectCategory: 
CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication 
Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net

So that's why the error I'm getting from the dbcheck isn't making sense.

Also, I'm assuming that this is the source of my "Security id structure 
is invalid" error, but I don't actually know that. Am I barking up the 
right tree?

-Ron
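The link value dbcheck prints above is an ldb extended DN: a chain of `<KEY=value>` components followed by the plain DN, with the GUID, RMD_INVOCID and SID given as raw hex. The following decoder is an added example, not code from Samba or from anyone in this thread; it assumes dbcheck prints the stored bytes unchanged, so the GUID's first three fields are read little-endian (the objectGUID binary layout) and the SID is decoded as revision, sub-authority count, 48-bit authority and little-endian sub-authorities. The resulting strings can be compared directly with the objectGUID and objectSid values quoted earlier in the thread.

```python
"""Decode the extended-DN link value samba-tool dbcheck reports for 'member'."""
import struct
import uuid

# Constructed from the dbcheck message quoted in the thread, joined onto one line.
LINK = ("<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;"
        "<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;"
        "<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;"
        "<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
        "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
        "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net")


def sid_from_hex(hexstr):
    """Render a binary SID: revision, count, big-endian 48-bit authority,
    then `count` little-endian 32-bit sub-authorities."""
    raw = bytes.fromhex(hexstr)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def guid_from_hex(hexstr):
    """Render 16 raw GUID bytes in the objectGUID string form; the first three
    fields are stored little-endian (assumption: dbcheck prints the raw bytes)."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hexstr)))


def parse_extended_dn(text):
    """Split '<KEY=value>;...;DN' into a dict with decoded GUID/SID and int RMD_* values."""
    out = {}
    rest = text
    while rest.startswith("<"):
        end = rest.index(">")
        key, value = rest[1:end].split("=", 1)
        if key in ("GUID", "RMD_INVOCID"):
            value = guid_from_hex(value)
        elif key == "SID":
            value = sid_from_hex(value)
        elif key.startswith("RMD_"):
            value = int(value)
        out[key] = value
        rest = rest[end + 1:].lstrip(";")
    out["DN"] = rest  # whatever remains is the plain DN
    return out


if __name__ == "__main__":
    for key, value in parse_extended_dn(LINK).items():
        print("%-20s %s" % (key, value))
```

The GUID string this yields is the form to search for in ldbedit, and the decoded SID's final component is the RID that the linked target is expected to carry.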