[Samba] The security id structure is invalid

Ron García-Vidal ron at riomargroup.com
Fri Oct 7 19:58:06 UTC 2016


On 10/7/16 3:30 PM, Rowland Penny via samba wrote:
> idmap.ldb is very easy to repair, just open it in ldbedit, find the sid
> and delete the entire object, close and save.
>
> If the user/group does exist in sam.ldb, it will be recreated in
> idmap.ldb, but with a different ID number.
>
Ok, I fixed the issue with the SID ending in 1111, but this one remains 
(and the "Security ID structure is invalid" message continues):

Oct  7 15:39:05 sambaserver smbd[8087]:   Unable to convert SID (S-1-5-21-1319907214-2951884047-2640289736-512) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
Oct  7 15:39:05 sambaserver smbd[8087]: [2016/10/07 15:39:05.688406,  0] ../libcli/security/security_token.c:63(security_token_debug)
Oct  7 15:39:05 sambaserver smbd[8087]:   Security token SIDs (14):
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  0]: S-1-5-21-1319907214-2951884047-2640289736-1104
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  1]: S-1-5-21-1319907214-2951884047-2640289736-1107
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  2]: S-1-5-21-1319907214-2951884047-2640289736-512
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  3]: S-1-5-21-1319907214-2951884047-2640289736-572
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  4]: S-1-5-21-1319907214-2951884047-2640289736-520
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  5]: S-1-5-21-1319907214-2951884047-2640289736-513
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  6]: S-1-1-0
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  7]: S-1-5-2
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  8]: S-1-5-11
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  9]: S-1-5-32-544
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[ 10]: S-1-5-32-550
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[ 11]: S-1-5-32-551
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[ 12]: S-1-5-32-545
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[ 13]: S-1-5-32-554
Oct  7 15:39:05 sambaserver smbd[8087]:    Privileges (0x 1FFFFF80):
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  0]: SeTakeOwnershipPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  1]: SeBackupPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  2]: SeRestorePrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  3]: SeRemoteShutdownPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  4]: SeDiskOperatorPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  5]: SeSecurityPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  6]: SeSystemtimePrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  7]: SeShutdownPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  8]: SeDebugPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  9]: SeSystemEnvironmentPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 10]: SeSystemProfilePrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 11]: SeProfileSingleProcessPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 12]: SeIncreaseBasePriorityPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 13]: SeLoadDriverPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 14]: SeCreatePagefilePrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 15]: SeIncreaseQuotaPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 16]: SeChangeNotifyPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 17]: SeUndockPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 18]: SeManageVolumePrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 19]: SeImpersonatePrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 20]: SeCreateGlobalPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 21]: SeEnableDelegationPrivilege
Oct  7 15:39:05 sambaserver smbd[8087]:    Rights (0x 403):
Oct  7 15:39:05 sambaserver smbd[8087]:     Right[  0]: SeInteractiveLogonRight
Oct  7 15:39:05 sambaserver smbd[8087]:     Right[  1]: SeNetworkLogonRight
Oct  7 15:39:05 sambaserver smbd[8087]:     Right[  2]: SeRemoteInteractiveLogonRight

The SID ending in 512 is the Domain Admins group. Here's what it looks 
like in sam.ldb:

dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
instanceType: 4
whenCreated: 20131130221548.0Z
uSNCreated: 3549
name: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
whenChanged: 20161004204939.0Z
uSNChanged: 49368
distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net

And here's what it looks like in idmap.ldb:

dn: CN=S-1-5-21-1319907214-2951884047-2640289736-512
cn: S-1-5-21-1319907214-2951884047-2640289736-512
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-512
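
An added example, not part of the original post: a small triage script that cross-checks each "Unable to convert SID" log line against the token dump and an LDIF export of idmap.ldb. It assumes the log lines have had the mail client's hard wraps rejoined; the numeric id_type names are taken from Samba's idmap.idl and are not stated in the post.

```python
import re

# Numeric id_type values as defined in Samba's librpc/idl/idmap.idl (not from the post).
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID", 2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}
FAIL_RE = re.compile(r"Unable to convert SID \((S-[\d-]+)\) at index (\d+) in user token\s+"
                     r"to a ([UG]ID)\.\s+Conversion was returned as type (\d+)")
TOKEN_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-[\d-]+)")

# Sample input copied from the post above (log excerpt, wraps rejoined; idmap.ldb record).
LOG = """\
Oct  7 15:39:05 sambaserver smbd[8087]:   Unable to convert SID (S-1-5-21-1319907214-2951884047-2640289736-512) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  1]: S-1-5-21-1319907214-2951884047-2640289736-1107
Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  2]: S-1-5-21-1319907214-2951884047-2640289736-512
"""
IDMAP = """\
dn: CN=S-1-5-21-1319907214-2951884047-2640289736-512
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
type: ID_TYPE_BOTH
xidNumber: 3000008
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} records."""
    records, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:        # continuation of the previous value
            current[last][-1] += line[1:]
        elif not line.strip():                   # a blank line ends the record
            if current:
                records.append(current)
            current, last = {}, None
        elif ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            last = attr.strip()
            current.setdefault(last, []).append(value.strip())
    return records

def triage(log, idmap_ldif):
    """For each failed conversion, report what the log says and what idmap.ldb holds."""
    token = {int(i): sid for i, sid in TOKEN_RE.findall(log)}
    by_sid = {r["objectSid"][0]: r for r in parse_ldif(idmap_ldif) if "objectSid" in r}
    findings = []
    for sid, idx, wanted, got in FAIL_RE.findall(log):
        rec = by_sid.get(sid)                    # None means no mapping record exists
        findings.append({
            "sid": sid, "wanted": wanted, "token_index_matches": token.get(int(idx)) == sid,
            "returned": ID_TYPES.get(int(got), got),
            "idmap_type": rec["type"][0] if rec else None,
            "idmap_xid": int(rec["xidNumber"][0]) if rec else None})
    return findings
```

On the data from the post, `triage(LOG, IDMAP)` reports that the conversion came back as type 0 while idmap.ldb holds an `ID_TYPE_BOTH` record with xidNumber 3000008 for the same SID.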
