[Samba] The security id structure is invalid

Ron García-Vidal ron at riomargroup.com
Fri Oct 7 13:25:15 UTC 2016


On 10/7/16 8:51 AM, Ron García-Vidal via samba wrote:
> On 10/6/16 1:54 PM, Ron García-Vidal via samba wrote:
>> On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
>>> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>>>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>>> In trying to sort through this myself, I seem to be missing 
>>>>>> something. Can anyone shed light on why samba-tool dbcheck gives 
>>>>>> me this message?
>>>>
>>>> ERROR: incorrect GUID component for member in object CN=Domain 
>>>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - 
>>>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP 
>>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>
>>>> The GUID that it's giving doesn't show up anywhere when I ldbedit 
>>>> my sam.db. I'm trying to figure out how I can manually correct the 
>>>> GUID component that it's screaming about, but I can't find anything 
>>>> in the sam.db that mentions GUID other than objectGUID. Any hints?
>
> Resorting to a simple grep, I have found the entry that's causing the 
> issue in the file 
> /usr/local/samba/private/sam.ldb.d/DC=DC1,DC=MYDOMAIN,DC=NET.ldb
>
> How does this file relate to the sam.db file? Is it safe to edit this 
> file directly to remove the offending GUID?

Looks like I have been barking up the wrong tree on this. I copied the 
ldb mentioned above to a backup and manually removed the entries that 
the testdb was complaining about. Testdb now comes back clean, but the 
Invalid security ID structure error continues. The logs are showing 
multiple instances of:
Unable to convert SID (S-1-5-11) at index 5 in user token to a GID. 
Conversion was returned as type 0, full token:

I have a 74k log file that records me starting up the smbd and trying to 
access a share. Is adding this as an attachment the best way to send it?

-Ron
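
Added example, not part of the original message or of Samba's own code: a decoder for the extended DN that dbcheck printed above. It assumes the `<GUID=...>` and `<SID=...>` values are the hex of the standard binary GUID and SID layouts and that the `RMD_*TIME` values are NT timestamps (100 ns ticks since 1601). Under that assumption the first three GUID fields are byte-swapped relative to the dashed string form, so a search for the hex string will not match a string-form objectGUID.

```python
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample: the extended DN from the dbcheck error, joined onto one line.
EXTENDED_DN = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;"
    "<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;"
    "<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;"
    "<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)

def parse_extended_dn(value):
    """Split '<KEY=VAL>;...;DN' into (dict of components, plain DN)."""
    parts = dict(re.findall(r"<([A-Z_]+)=([^>]*)>;", value))
    dn = re.sub(r"^(?:<[^>]*>;)*", "", value)
    return parts, dn

def guid_hex_to_str(hex_guid):
    # Binary GUIDs store the first three fields little-endian (assumed layout).
    raw = bytes.fromhex(hex_guid)
    if len(raw) != 16:
        raise ValueError("a binary GUID is exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

def sid_hex_to_str(hex_sid):
    # Layout: revision, sub-authority count, 6-byte big-endian authority, LE uint32s.
    raw = bytes.fromhex(hex_sid)
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def nttime_to_utc(value):
    # NT time: 100 ns ticks since 1601-01-01 UTC (assumed for RMD_*TIME).
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(value) // 10)

if __name__ == "__main__":
    parts, dn = parse_extended_dn(EXTENDED_DN)
    print("member DN:", dn)
    print("GUID     :", guid_hex_to_str(parts["GUID"]))
    print("SID      :", sid_hex_to_str(parts["SID"]))
    print("added    :", nttime_to_utc(parts["RMD_ADDTIME"]).isoformat())
```

The decoded dashed GUID and `S-1-5-21-...` SID are the forms to compare against the objectGUID and objectSid of the member entry.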


