[Samba] The security id structure is invalid
Ron García-Vidal
ron at riomargroup.com
Fri Oct 7 18:58:24 UTC 2016
On 10/7/16 10:39 AM, Ron García-Vidal via samba wrote:
> I've restored the original DBs as it seems the dbcheck error I was
> focusing on was a red herring. I'm now trying to look at the "Unable
> to convert SID" messages, as these are the only other errors I've
> seen. A reminder that this started after I ran "samba-tool dbcheck
> --cross-ncs --fix --yes" after upgrading to 4.5 as per this article:
> https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
>
>
> I'm hoping to find a way to manually fix the db or hoping for a repair
> tool. I'm not sure what to make of these errors.
Picking up on my new thread, I've been investigating the log errors I'm
seeing. Here is one example:
Oct 7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856473, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
Oct 7 09:16:27 sambaserver smbd[7612]: Unable to convert first SID (S-1-5-21-1319907214-2951884047-2640289736-1111) in user token to a UID. Conversion was returned as type 0, full token:
Oct 7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856685, 0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 7 09:16:27 sambaserver smbd[7612]: Security token SIDs (7):
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 0]: S-1-5-21-1319907214-2951884047-2640289736-1111
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 1]: S-1-5-21-1319907214-2951884047-2640289736-515
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 2]: S-1-1-0
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 3]: S-1-5-2
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 4]: S-1-5-11
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 5]: S-1-5-32-554
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 6]: S-1-5-32-545
Oct 7 09:16:27 sambaserver smbd[7612]: Privileges (0x 800000):
Oct 7 09:16:27 sambaserver smbd[7612]: Privilege[ 0]: SeChangeNotifyPrivilege
Oct 7 09:16:27 sambaserver smbd[7612]: Rights (0x 400):
Oct 7 09:16:27 sambaserver smbd[7612]: Right[ 0]: SeRemoteInteractiveLogonRight
Here is what the SID looks like in the idmap.ldb:
dn: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
cn: S-1-5-21-1319907214-2951884047-2640289736-1111
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-1111
type: ID_TYPE_BOTH
xidNumber: 3000033
distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
This SID doesn't show up in the sam.ldb. Is this something where I
have to manually hunt down the mismatches, or is there a way to repair
the idmap.ldb?
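
Added example (not part of the original post and not Samba code): a read-only cross-check that lists sidMap records in an idmap.ldb export whose SID has no object in a sam.ldb export, which is the mismatch described above. It assumes both databases have already been dumped to LDIF text; the function names, the -515 records, the xidNumber 3000040 and the example.com DN are constructed for illustration.

```python
import base64
import struct

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (sub-authorities are little-endian uint32)."""
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    parts = [rev, int.from_bytes(raw[2:8], "big")]  # 48-bit authority
    parts += struct.unpack("<%dI" % count, raw[8:])
    return "S-" + "-".join(str(p) for p in parts)

def parse_ldif(text: str) -> list:
    """Split LDIF text into one dict per record; 'attr:: v' is base64."""
    records = []
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                data = base64.b64decode(value[1:].strip())
                value = (sid_from_bytes(data) if name == "objectSid"
                         else data.decode("utf-8", "replace"))
            rec[name] = value.strip()
        if rec:
            records.append(rec)
    return records

def orphaned_idmap_entries(idmap_ldif: str, sam_ldif: str) -> list:
    """(sid, type, xidNumber) for sidMap records with no sam.ldb object."""
    known = {r["objectSid"] for r in parse_ldif(sam_ldif) if "objectSid" in r}
    return [(r["objectSid"], r.get("type"), r.get("xidNumber"))
            for r in parse_ldif(idmap_ldif)
            if r.get("objectClass") == "sidMap" and "objectSid" in r
            and r["objectSid"] not in known]

# Constructed sample data. The -1111 record is the one quoted in the post;
# the -515 records and the example.com DN are made up for illustration.
DOM = "S-1-5-21-1319907214-2951884047-2640289736"
IDMAP_SAMPLE = (
    f"dn: CN={DOM}-1111\nobjectClass: sidMap\nobjectSid: {DOM}-1111\n"
    "type: ID_TYPE_BOTH\nxidNumber: 3000033\n\n"
    f"dn: CN={DOM}-515\nobjectClass: sidMap\nobjectSid: {DOM}-515\n"
    "type: ID_TYPE_BOTH\nxidNumber: 3000040\n")
_raw = (b"\x01\x05" + (5).to_bytes(6, "big")
        + struct.pack("<5I", 21, 1319907214, 2951884047, 2640289736, 515))
SAM_SAMPLE = ("dn: CN=Domain Computers,CN=Users,DC=example,DC=com\n"
              "objectSid:: " + base64.b64encode(_raw).decode() + "\n")
```

On the sample data, `orphaned_idmap_entries(IDMAP_SAMPLE, SAM_SAMPLE)` reports only the -1111 mapping; the base64 branch covers exports where objectSid comes out as binary rather than as a string.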