[Samba] The security id structure is invalid

Rowland Penny rpenny at samba.org
Fri Oct 7 19:30:43 UTC 2016


On Fri, 7 Oct 2016 14:58:24 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> On 10/7/16 10:39 AM, Ron García-Vidal via samba wrote:
> > I've restored the original DBs as it seems the dbcheck error I was 
> > focusing on was a red herring. I'm now trying to look at the
> > "Unable to convert SID" messages, as these are the only other
> > errors I've seen. A reminder that this started after I ran
> > "samba-tool dbcheck --cross-ncs --fix --yes" after upgrading to 4.5
> > as per this article:
> > https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes 
> >
> >
> > I'm hoping to find a way to manually fix the db or hoping for a
> > repair tool. I'm not sure what to make of these errors.
> Picking up on my new thread, I've been investigating the log errors
> I'm seeing, here is one example:
> 
> Oct  7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856473, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> Oct  7 09:16:27 sambaserver smbd[7612]:   Unable to convert first SID (S-1-5-21-1319907214-2951884047-2640289736-1111) in user token to a UID.  Conversion was returned as type 0, full token:
> Oct  7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856685, 0] ../libcli/security/security_token.c:63(security_token_debug)
> Oct  7 09:16:27 sambaserver smbd[7612]:   Security token SIDs (7):
> Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  0]: S-1-5-21-1319907214-2951884047-2640289736-1111
> Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  1]: S-1-5-21-1319907214-2951884047-2640289736-515
> Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  2]: S-1-1-0
> Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  3]: S-1-5-2
> Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  4]: S-1-5-11
> Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  5]: S-1-5-32-554
> Oct  7 09:16:27 sambaserver smbd[7612]:     SID[  6]: S-1-5-32-545
> Oct  7 09:16:27 sambaserver smbd[7612]:    Privileges (0x 800000):
> Oct  7 09:16:27 sambaserver smbd[7612]:     Privilege[  0]: SeChangeNotifyPrivilege
> Oct  7 09:16:27 sambaserver smbd[7612]:    Rights (0x 400):
> Oct  7 09:16:27 sambaserver smbd[7612]:     Right[  0]: SeRemoteInteractiveLogonRight
> 
> Here is what the SID looks like in the idmap.ldb:
> dn: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
> cn: S-1-5-21-1319907214-2951884047-2640289736-1111
> objectClass: sidMap
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1111
> type: ID_TYPE_BOTH
> xidNumber: 3000033
> distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
> 
> This SID doesn't show up in the sam.ldb. Is this something that I 
> manually have to hunt down the mismatched or is there a way to repair 
> the idmap.ldb?
> 

idmap.ldb is very easy to repair: just open it in ldbedit, find the SID
and delete the entire object, close and save.

If the user/group does exist in sam.ldb, it will be recreated in
idmap.ldb, but with a different ID number.

Rowland
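
A read-only check for the situation discussed in this thread, as an added example that is not part of the original messages or of Samba's own tooling: it compares LDIF text exported from idmap.ldb and sam.ldb (for instance with ldbsearch) and lists sidMap objects under the domain SID that no object in sam.ldb owns. The function names and the second sample record (RID 1104) are constructed for illustration, and objectSid values are assumed to appear as text SIDs, as in the record quoted above.

```python
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def parse_ldif(text):
    """Split LDIF text into records, each a dict of lowercased attr -> [values]."""
    records, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:      # folded continuation of previous value
            current[last][-1] += line[1:]
        elif not line.strip():                 # blank line closes the record
            if current:
                records.append(current)
            current, last = {}, None
        elif ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return records

def sid_index(records, object_class=None):
    """Map each text objectSid to its record, optionally filtered by objectClass."""
    return {v: rec for rec in records
            if not object_class or object_class in rec.get("objectclass", [])
            for v in rec.get("objectsid", []) if SID_RE.fullmatch(v)}

def stale_idmap_entries(idmap_ldif, sam_ldif, domain_sid):
    """Domain SIDs mapped in idmap.ldb that no object in sam.ldb owns."""
    known = sid_index(parse_ldif(sam_ldif))
    mapped = sid_index(parse_ldif(idmap_ldif), "sidMap")
    return [(sid, rec["xidnumber"][0], rec["type"][0])
            for sid, rec in sorted(mapped.items())
            if sid.startswith(domain_sid + "-") and sid not in known]

DOMAIN = "S-1-5-21-1319907214-2951884047-2640289736"
# First record is the one quoted in the thread; RID 1104 is constructed sample data.
IDMAP_SAMPLE = f"""dn: CN={DOMAIN}-1111
objectClass: sidMap
objectSid: {DOMAIN}-1111
type: ID_TYPE_BOTH
xidNumber: 3000033

dn: CN={DOMAIN}-1104
objectClass: sidMap
objectSid: {DOMAIN}-1104
type: ID_TYPE_BOTH
xidNumber: 3000020
"""
SAM_SAMPLE = f"dn: CN=alice,CN=Users,DC=example,DC=com\nobjectSid: {DOMAIN}-1104\n"  # constructed
```

Calling `stale_idmap_entries(IDMAP_SAMPLE, SAM_SAMPLE, DOMAIN)` reports only the RID 1111 mapping, which is the object the reply above says to delete in ldbedit.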


