[Samba] The security id structure is invalid

Ron García-Vidal ron at riomargroup.com
Thu Oct 6 17:54:27 UTC 2016


On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Here is some more information that could be helpful. This is the
>>>>> entry for LDAP User in ldbedit:
>>>>>
>>>>> # record 253
>>>>> dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: LDAP User
>>>>> sn: User
>>>>> givenName: LDAP
>>>>> instanceType: 4
>>>>> whenCreated: 20140106220805.0Z
>>>>> displayName: LDAP User
>>>>> uSNCreated: 6218
>>>>> name: LDAP User
>>>>> objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: LDAPUser
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: LDAPUser at dc1.mydomain.net
>>>>> objectCategory:
>>>>> CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
>>>>> pwdLastSet: 130335199430000000
>>>>> lockoutTime: 0
>>>>> userAccountControl: 66048
>>>>> msDS-SupportedEncryptionTypes: 0
>>>>> primaryGroupID: 514
>>>>> whenChanged: 20140107003451.0Z
>>>>> uSNChanged: 6241
>>>>> distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>>
>>>> I don't know if this is part of your problem, but why is the
>>>> primaryGroupID of LDAPUser 'Domain Guests' ??
>>>> Try changing it to 513 (Domain Users)
>>>>
>>> I get the following error from both ldbedit and from ldapadmin:
>>>
>>> failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net - 
>>> error in module samldb: Unwilling to perform during LDB_MODIFY
>>>
>> In trying to sort through this myself, I seem to be missing 
>> something. Can anyone shed light on why samba-tool dbcheck gives me 
>> this message?
>>
>> ERROR: incorrect GUID component for member in object CN=Domain 
>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - 
>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP 
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>
>> The GUID that it's giving doesn't show up anywhere when I ldbedit my 
>> sam.db. I'm trying to figure out how I can manually correct the GUID 
>> component that it's screaming about, but I can't find anything in the 
>> sam.db that mentions GUID other than objectGUID. Any hints?
>>
>> -Ron
>>
>
> Ron, I haven't read through this whole thread, but is user 'LDAP User' a 
> deleted object? If so, it's harmless. A fix at some point will come to 
> remove these from 'dbcheck'. I had similar issues. See my thread
>
> http://samba.2283325.n4.nabble.com/replPropertyMetaData-amp-KCC-issues-after-updating-to-Samba-4-5-0-td4707962.html#a4708208 
>
>
Thanks for pointing me there. LDAP User is not a deleted object. Above 
is the actual sam.db entry for LDAP User. From your thread, I'm 
gathering that the error I'm getting shouldn't be fatal regardless, so 
I'm wondering if I'm tracking down the wrong path to fix the "Security 
ID structure is invalid" error.

-Ron
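
An added example, not part of the original posts or of Samba's own code: a decoder for the `<GUID=...>` and `<SID=...>` components of the link value in the dbcheck error, so they can be compared with the `objectGUID` and `objectSid` strings that ldbedit shows. It assumes those components are the hex of the binary GUID (first three fields little-endian) and of the binary SID; the function names are hypothetical.

```python
import re
import struct
import uuid

# Extended-DN link value copied from the dbcheck error quoted in the thread
# (RMD_* components other than RMD_FLAGS omitted; e-mail line wrapping removed).
LINK = ("<GUID=7ae0e1a8b8ca2242a02497d59084268b>;"
        "<RMD_FLAGS=1>;"
        "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
        "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net")
# Values from the ldbedit record for the same DN, also from the thread.
RECORD_GUID = "6ac4027a-0250-4019-a2a8-12cc03497f7f"
RECORD_SID = "S-1-5-21-1319907214-2951884047-2640289736-1117"

def parse_extended_dn(value):
    """Split '<NAME=val>;...;DN' into ({NAME: val}, DN)."""
    components = dict(re.findall(r"<([A-Za-z_]+)=([^>]*)>;", value))
    dn = re.sub(r"^(?:<[^>]*>;)*", "", value)
    return components, dn

def decode_guid(hex_guid):
    """Hex of the 16-byte binary GUID -> string form shown as objectGUID."""
    raw = bytes.fromhex(hex_guid)
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))  # assumption: little-endian fields

def decode_sid(hex_sid):
    """Hex of a binary SID -> 'S-1-...' string form shown as objectSid."""
    raw = bytes.fromhex(hex_sid)
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def compare_link(value, record_guid, record_sid):
    """Return decoded link GUID/SID and whether each matches the record."""
    comp, dn = parse_extended_dn(value)
    guid, sid = decode_guid(comp["GUID"]), decode_sid(comp["SID"])
    return {"dn": dn, "guid": guid, "sid": sid,
            "guid_matches": guid == record_guid.lower(),
            "sid_matches": sid == record_sid}

if __name__ == "__main__":
    print(compare_link(LINK, RECORD_GUID, RECORD_SID))
```

Under that assumption, the link value from the thread decodes to GUID a8e1e07a-cab8-4222-a024-97d59084268b and a SID ending in RID 1116, while the ldbedit record shows objectGUID 6ac4027a-0250-4019-a2a8-12cc03497f7f and an objectSid ending in RID 1117.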


