[Samba] The security id structure is invalid

Ron García-Vidal ron at riomargroup.com
Fri Oct 7 18:58:24 UTC 2016 

On 10/7/16 10:39 AM, Ron García-Vidal via samba wrote:
> I've restored the original DBs as it seems the dbcheck error I was 
> focusing on was a red herring. I'm now trying to look at the "Unable 
> to convert SID" messages, as these are the only other errors I've 
> seen. A reminder that this started after I ran "samba-tool dbcheck 
> --cross-ncs --fix --yes" after upgrading to 4.5 as per this article:
> https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes 
>
>
> I'm hoping to find a way to manually fix the db or hoping for a repair 
> tool. I'm not sure what to make of these errors.
Picking up on my new thread, I've been investigating the log errors I'm 
seeing, here is one example:

Oct  7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856473,  0] 
../source4/auth/unix_token.c:79(se
curity_token_to_unix_token)
Oct  7 09:16:27 sambaserver smbd[7612]:   Unable to convert first SID 
(S-1-5-21-1319907214-2951884047-26402
89736-1111) in user token to a UID.  Conversion was returned as type 0, 
full token:
Oct  7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856685,  0] 
../libcli/security/security_token.
c:63(security_token_debug)
Oct  7 09:16:27 sambaserver smbd[7612]:   Security token SIDs (7):
Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  0]: 
S-1-5-21-1319907214-2951884047-2640289736-1111
Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  1]: 
S-1-5-21-1319907214-2951884047-2640289736-515
Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  2]: S-1-1-0
Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  3]: S-1-5-2
Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  4]: S-1-5-11
Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  5]: S-1-5-32-554
Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  6]: S-1-5-32-545
Oct  7 09:16:27 sambaserver smbd[7612]:    Privileges (0x 800000):
Oct  7 09:16:27 sambaserver smbd[7612]:     Privilege[  0]: 
SeChangeNotifyPrivilege
Oct  7 09:16:27 sambaserver smbd[7612]:    Rights (0x 400):
Oct  7 09:16:27 sambaserver smbd[7612]:     Right[  0]: 
SeRemoteInteractiveLogonRight

Here is what the SID looks like in the idmap.ldb:
dn: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
cn: S-1-5-21-1319907214-2951884047-2640289736-1111
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-1111
type: ID_TYPE_BOTH
xidNumber: 3000033
distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-1111

This SID doesn't show up in the sam.ldb. Is this something that I 
manually have to hunt down the mismatched or is there a way to repair 
the idmap.ldb?

More information about the samba mailing list