[Samba] The security id structure is invalid

Rowland Penny rpenny at samba.org
Thu Oct 6 18:02:49 UTC 2016


On Thu, 6 Oct 2016 13:46:11 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> On 10/6/16 1:02 PM, Rowland Penny via samba wrote:
> > On Thu, 6 Oct 2016 12:35:54 -0400
> > Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> >
> >> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
> >>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
> >>>> On Wed, 5 Oct 2016 10:37:51 -0400
> >>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> Here is some more information that could be helpful. This is the
> >>>>> entry for LDAP User in ldbedit:
> >>>>>
> >>>>> # record 253
> >>>>> dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>>>> objectClass: top
> >>>>> objectClass: person
> >>>>> objectClass: organizationalPerson
> >>>>> objectClass: user
> >>>>> cn: LDAP User
> >>>>> sn: User
> >>>>> givenName: LDAP
> >>>>> instanceType: 4
> >>>>> whenCreated: 20140106220805.0Z
> >>>>> displayName: LDAP User
> >>>>> uSNCreated: 6218
> >>>>> name: LDAP User
> >>>>> objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
> >>>>> badPwdCount: 0
> >>>>> codePage: 0
> >>>>> countryCode: 0
> >>>>> badPasswordTime: 0
> >>>>> lastLogoff: 0
> >>>>> lastLogon: 0
> >>>>> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
> >>>>> accountExpires: 9223372036854775807
> >>>>> logonCount: 0
> >>>>> sAMAccountName: LDAPUser
> >>>>> sAMAccountType: 805306368
> >>>>> userPrincipalName: LDAPUser at dc1.mydomain.net
> >>>>> objectCategory:
> >>>>> CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
> >>>>> pwdLastSet: 130335199430000000
> >>>>> lockoutTime: 0
> >>>>> userAccountControl: 66048
> >>>>> msDS-SupportedEncryptionTypes: 0
> >>>>> primaryGroupID: 514
> >>>>> whenChanged: 20140107003451.0Z
> >>>>> uSNChanged: 6241
> >>>>> distinguishedName: CN=LDAP
> >>>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>>>>
> >>>> I don't know if this is part of your problem, but why is the
> >>>> primaryGroupID of LDAPUser 'Domain Guests' ??
> >>>> Try changing it to 513 (Domain Users)
> >>>>
> >>> I get the following error from both ldbedit and from ldapadmin:
> >>>
> >>> failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net -
> >>> error in module samldb: Unwilling to perform during LDB_MODIFY
> >>>
> >> In trying to sort through this myself, I seem to be missing
> >> something. Can anyone shed light on why samba-tool dbcheck gives me
> >> this message?
> >>
> >> ERROR: incorrect GUID component for member in object CN=Domain
> >> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
> >> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
> >> User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>
> >> The GUID that it's giving doesn't show up anywhere when I ldbedit
> >> my sam.db. I'm trying to figure out how I can manually correct the
> >> GUID component that it's screaming about, but I can't find
> >> anything in the sam.db that mentions GUID other than objectGUID.
> >> Any hints?
> >>
> >> -Ron
> >>
> > If you examine the 'Domain Admins' object in AD, you should find
> > lines like these:
> >
> > objectGUID: 0dc3c303-b37f-4830-a1c2-d8cb7434f5d5
> > member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> >
> > The first is the GUID and every object in AD has one, so try
> > searching for your GUID in this format:
> >
> > 7ae0e1a8-b8ca-2242-a024-97d59084268b
> >
> > If you find it, the object it is in should have a 'memberof'
> > attribute that contains the Domain Admins DN.
> >
> > 'member' and 'memberof' are linked, deleting the 'member' attribute
> > should delete the 'memberof' attribute, but I do not know if the
> > reverse works in the same way.
> Thanks for this clarification. I have even searched for the string
> 7ae0, because I thought the GUID would be hyphenated, and that string
> does not exist in the ldb. Above I pasted the ldb entry for "LDAP
> User" and here's the relevant lines from the "Domain Admins" group:
> 
> dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
> cn: Domain Admins
> objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
> objectCategory: 
> CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
> memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
> memberOf: CN=Denied RODC Password Replication 
> Group,CN=Users,DC=dc1,DC=mydomain,DC=net
> member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
> member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
> 
> So that's why the error I'm getting from the dbcheck isn't making
> sense.
> 
> Also, I'm assuming that this is the source of my "Security id
> structure is invalid" error, but I don't actually know that. Am I
> barking up the right tree?
> 
> -Ron
> 

Does 'myuser' exist and if so, does it have a 'memberof' attribute
containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?

Rowland
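Added here as a worked example (not code from the thread or from Samba): the dbcheck message quoted above prints the link's GUID and SID as raw NDR hex, in which the first three GUID fields are little-endian, so the string to search the ldb for is not the hex simply split with hyphens. This decoder turns both components into the forms ldbedit displays and compares them with the objectGUID and objectSid of the current "LDAP User" record; every value is constructed from what the thread quotes.

```python
import struct
import uuid

# Constructed sample: the 'member' link from the dbcheck output quoted above,
# and the objectGUID / objectSid of the current "LDAP User" record.
MEMBER_LINK = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;"
    "<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;"
    "<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;"
    "<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)
CURRENT_GUID = "6ac4027a-0250-4019-a2a8-12cc03497f7f"
CURRENT_SID = "S-1-5-21-1319907214-2951884047-2640289736-1117"

def parse_extended_dn(dn):
    """Split '<NAME=VALUE>;...;plain DN' into a components dict and the plain DN."""
    comps = {}
    while dn.startswith("<"):
        end = dn.index(">")
        name, _, value = dn[1:end].partition("=")
        comps[name] = value
        dn = dn[end + 1:].lstrip(";")
    return comps, dn

def guid_hex_to_str(hexstr):
    """NDR GUID: first three fields little-endian, so bytes_le gives ldbedit's form."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hexstr)))

def sid_hex_to_str(hexstr):
    """Binary SID: revision, count, 48-bit big-endian authority, LE sub-authorities."""
    raw = bytes.fromhex(hexstr)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def decode_member_link(link):
    """Return the link's plain DN plus its GUID and SID in ldbedit's display form."""
    comps, plain_dn = parse_extended_dn(link)
    return {"dn": plain_dn,
            "guid": guid_hex_to_str(comps["GUID"]),
            "sid": sid_hex_to_str(comps["SID"])}

def link_matches_record(link, record_guid, record_sid):
    """True only if the link still points at the record's current GUID and SID."""
    d = decode_member_link(link)
    return d["guid"] == record_guid and d["sid"] == record_sid
```

On the thread's data the link decodes to GUID a8e1e07a-cab8-4222-a024-97d59084268b and a SID ending in -1116, neither of which matches the current record, which is why a search for "7ae0" finds nothing.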
