[Samba] The security id structure is invalid
Ron García-Vidal
ron at riomargroup.com
Fri Oct 7 19:58:06 UTC 2016
On 10/7/16 3:30 PM, Rowland Penny via samba wrote:
> idmap.ldb is very easy to repair, just open it in ldbedit, find the sid
> and delete the entire object, close and save.
>
> If the user/group does exist in sam.ldb, it will be recreated in
> idmap.ldb, but with a different ID number.
>
Ok, I fixed the issue with the SID ending in 1111, but this one remains
(and the "Security ID structure is invalid" message continues):
Oct 7 15:39:05 sambaserver smbd[8087]: Unable to convert SID (S-1-5-21-1319907214-2951884047-2640289736-512) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
Oct 7 15:39:05 sambaserver smbd[8087]: [2016/10/07 15:39:05.688406, 0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 7 15:39:05 sambaserver smbd[8087]: Security token SIDs (14):
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 0]: S-1-5-21-1319907214-2951884047-2640289736-1104
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 1]: S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 2]: S-1-5-21-1319907214-2951884047-2640289736-512
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 3]: S-1-5-21-1319907214-2951884047-2640289736-572
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 4]: S-1-5-21-1319907214-2951884047-2640289736-520
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 5]: S-1-5-21-1319907214-2951884047-2640289736-513
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 6]: S-1-1-0
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 7]: S-1-5-2
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 8]: S-1-5-11
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 9]: S-1-5-32-544
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 10]: S-1-5-32-550
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 11]: S-1-5-32-551
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 12]: S-1-5-32-545
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 13]: S-1-5-32-554
Oct 7 15:39:05 sambaserver smbd[8087]: Privileges (0x 1FFFFF80):
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 0]: SeTakeOwnershipPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 1]: SeBackupPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 2]: SeRestorePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 3]: SeRemoteShutdownPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 4]: SeDiskOperatorPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 5]: SeSecurityPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 6]: SeSystemtimePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 7]: SeShutdownPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 8]: SeDebugPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 9]: SeSystemEnvironmentPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 10]: SeSystemProfilePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 11]: SeProfileSingleProcessPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 12]: SeIncreaseBasePriorityPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 13]: SeLoadDriverPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 14]: SeCreatePagefilePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 15]: SeIncreaseQuotaPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 16]: SeChangeNotifyPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 17]: SeUndockPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 18]: SeManageVolumePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 19]: SeImpersonatePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 20]: SeCreateGlobalPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 21]: SeEnableDelegationPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Rights (0x 403):
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 0]: SeInteractiveLogonRight
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 1]: SeNetworkLogonRight
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 2]: SeRemoteInteractiveLogonRight
The SID ending in 512 is the Domain Admins group. Here's what it looks
like in sam.ldb:
dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
instanceType: 4
whenCreated: 20131130221548.0Z
uSNCreated: 3549
name: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
whenChanged: 20161004204939.0Z
uSNChanged: 49368
distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
And here's what it looks like in idmap.ldb:
dn: CN=S-1-5-21-1319907214-2951884047-2640289736-512
cn: S-1-5-21-1319907214-2951884047-2640289736-512
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-512
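
Added example, not part of the original post: a small Python helper that pulls the failing SID out of smbd log output like the above (tolerating mail-client line wrapping) and pairs it with the matching idmap.ldb record from ldbsearch-style LDIF. The sample inputs are constructed from the values quoted in this message; the function names and the order of the ID_TYPES list (taken to follow Samba's id_type enum) are assumptions.

```python
import re

# Assumption: numeric "type N" in the log follows the order of Samba's id_type enum.
ID_TYPES = ["ID_TYPE_NOT_SPECIFIED", "ID_TYPE_UID", "ID_TYPE_GID", "ID_TYPE_BOTH"]

# Constructed sample: the failure line from the post, hard-wrapped as mail clients do.
SAMPLE_LOG = """\
Oct 7 15:39:05 sambaserver smbd[8087]: Unable to convert SID
(S-1-5-21-1319907214-2951884047-2640289736-
512) at index 2 in user token to a GID. Conversion was returned as type
0, full token:
"""

# Constructed sample: the idmap.ldb record from the post, as LDIF.
SAMPLE_IDMAP = """\
dn: CN=S-1-5-21-1319907214-2951884047-2640289736-512
cn: S-1-5-21-1319907214-2951884047-2640289736-512
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
type: ID_TYPE_BOTH
xidNumber: 3000008
"""

FAIL_RE = re.compile(
    r"Unable to convert SID \((S-[\d-]+)\) at index (\d+) in user token to a "
    r"(UID|GID)\. Conversion was returned as type (\d+)")

def failed_conversions(log_text):
    """Return (sid, token_index, wanted, returned_type) for each failure line."""
    text = re.sub(r"-\s*\n\s*", "-", log_text)  # rejoin a SID split after a hyphen
    text = re.sub(r"\s+", " ", text)            # collapse the remaining wraps
    return [(m[1], int(m[2]), m[3], int(m[4])) for m in FAIL_RE.finditer(text)]

def parse_idmap(ldif_text):
    """Map objectSid -> (type, xidNumber) for every record in the LDIF text."""
    records = {}
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "objectSid" in attrs and "xidNumber" in attrs:
            records[attrs["objectSid"]] = (attrs.get("type"), int(attrs["xidNumber"]))
    return records

def correlate(log_text, ldif_text):
    """Pair each failed conversion with the idmap.ldb record for that SID."""
    idmap = parse_idmap(ldif_text)
    return [{"sid": sid, "index": idx, "wanted": wanted,
             "returned": ID_TYPES[rtype] if rtype < len(ID_TYPES) else str(rtype),
             "idmap": idmap.get(sid)}  # None: no record stored for this SID
            for sid, idx, wanted, rtype in failed_conversions(log_text)]
```
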