[Samba] The security id structure is invalid

Rowland Penny rpenny at samba.org
Sat Oct 8 07:55:46 UTC 2016


On Fri, 7 Oct 2016 15:58:06 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> On 10/7/16 3:30 PM, Rowland Penny via samba wrote:
> > idmap.ldb is very easy to repair, just open it in ldbedit, find the
> > sid and delete the entire object, close and save.
> >
> > If the user/group does exist in sam.ldb, it will be recreated in
> > idmap.ldb, but with a different ID number.
> >
> Ok, I fixed the issue with the SID ending in 1111, but this one
> remains (and the "Security ID structure is invalid" message
> continues):
> 
> Oct  7 15:39:05 sambaserver smbd[8087]:   Unable to convert SID (S-1-5-21-1319907214-2951884047-2640289736-512) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
> Oct  7 15:39:05 sambaserver smbd[8087]: [2016/10/07 15:39:05.688406, 0] ../libcli/security/security_token.c:63(security_token_debug)
> Oct  7 15:39:05 sambaserver smbd[8087]:   Security token SIDs (14):
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  0]: S-1-5-21-1319907214-2951884047-2640289736-1104
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  1]: S-1-5-21-1319907214-2951884047-2640289736-1107
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  2]: S-1-5-21-1319907214-2951884047-2640289736-512
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  3]: S-1-5-21-1319907214-2951884047-2640289736-572
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  4]: S-1-5-21-1319907214-2951884047-2640289736-520
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  5]: S-1-5-21-1319907214-2951884047-2640289736-513
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  6]: S-1-1-0
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  7]: S-1-5-2
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  8]: S-1-5-11
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[  9]: S-1-5-32-544
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[ 10]: S-1-5-32-550
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[ 11]: S-1-5-32-551
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[ 12]: S-1-5-32-545
> Oct  7 15:39:05 sambaserver smbd[8087]:     SID[ 13]: S-1-5-32-554
> Oct  7 15:39:05 sambaserver smbd[8087]:    Privileges (0x 1FFFFF80):
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  0]: SeTakeOwnershipPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  1]: SeBackupPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  2]: SeRestorePrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  3]: SeRemoteShutdownPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  4]: SeDiskOperatorPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  5]: SeSecurityPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  6]: SeSystemtimePrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  7]: SeShutdownPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  8]: SeDebugPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[  9]: SeSystemEnvironmentPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 10]: SeSystemProfilePrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 11]: SeProfileSingleProcessPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 12]: SeIncreaseBasePriorityPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 13]: SeLoadDriverPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 14]: SeCreatePagefilePrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 15]: SeIncreaseQuotaPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 16]: SeChangeNotifyPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 17]: SeUndockPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 18]: SeManageVolumePrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 19]: SeImpersonatePrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 20]: SeCreateGlobalPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:     Privilege[ 21]: SeEnableDelegationPrivilege
> Oct  7 15:39:05 sambaserver smbd[8087]:    Rights (0x 403):
> Oct  7 15:39:05 sambaserver smbd[8087]:     Right[  0]: SeInteractiveLogonRight
> Oct  7 15:39:05 sambaserver smbd[8087]:     Right[  1]: SeNetworkLogonRight
> Oct  7 15:39:05 sambaserver smbd[8087]:     Right[  2]: SeRemoteInteractiveLogonRight
> 
> The SID ending in 512 is the Domain Admins group. Here's what it
> looks like in sam.ldb:
> 
> dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
> objectClass: top
> objectClass: group
> cn: Domain Admins
> description: Designated administrators of the domain
> instanceType: 4
> whenCreated: 20131130221548.0Z
> uSNCreated: 3549
> name: Domain Admins
> objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
> adminCount: 1
> sAMAccountName: Domain Admins
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
> memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=dc1,DC=mydomain,DC=net
> member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
> member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
> whenChanged: 20161004204939.0Z
> uSNChanged: 49368
> distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
> 
> And here's what it looks like in idmap.ldb:
> 
> dn: CN=S-1-5-21-1319907214-2951884047-2640289736-512
> cn: S-1-5-21-1319907214-2951884047-2640289736-512
> objectClass: sidMap
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
> type: ID_TYPE_BOTH
> xidNumber: 3000008
> distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-512
> 
> 
> 

Try running this on the DC:

wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512

Rowland
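
The wbinfo check suggested above, extended to every SID in a token dump (an added example, not part of the original thread): it pulls the SIDs out of the smbd log and asks winbind for a GID for each one. The sample log lines, host name and SIDs are constructed, and the script assumes wbinfo exits non-zero when it cannot map a SID.

```shell
#!/bin/sh
# Added example: test every SID from an smbd security-token dump with
# wbinfo --sid-to-gid. Assumes each log entry is on one (unwrapped) line.

# Constructed sample of the relevant smbd log lines (not real data).
SAMPLE_LOG='Oct  7 15:39:05 host smbd[1]:   Unable to convert SID (S-1-5-21-1-2-3-512) at index 2 in user token to a GID.
Oct  7 15:39:05 host smbd[1]:     SID[  0]: S-1-5-21-1-2-3-1104
Oct  7 15:39:05 host smbd[1]:     SID[  1]: S-1-5-21-1-2-3-1107
Oct  7 15:39:05 host smbd[1]:     SID[  2]: S-1-5-21-1-2-3-512
Oct  7 15:39:05 host smbd[1]:     SID[  3]: S-1-5-32-544'

# Print "index SID" for each "SID[ n]: S-1-..." entry read from stdin.
token_sids() {
    sed -n 's/.*SID\[ *\([0-9][0-9]*\)]: *\(S-1[-0-9]*\).*/\1 \2/p'
}

# Print the SID named in an "Unable to convert SID (...)" message on stdin.
failed_sid() {
    sed -n 's/.*Unable to convert SID (\(S-1[-0-9]*\)).*/\1/p'
}

# Read "index SID" pairs and report which ones winbind can map to a GID.
# Assumption: wbinfo returns a non-zero exit status when the lookup fails.
check_sids() {
    while read -r idx sid; do
        if gid=$(wbinfo --sid-to-gid="$sid" 2>/dev/null </dev/null); then
            printf 'SID[%s] %s -> gid %s\n' "$idx" "$sid" "$gid"
        else
            printf 'SID[%s] %s -> NO GID\n' "$idx" "$sid"
        fi
    done
}

# Usage on the DC: sh thisscript.sh <file containing the token dump>
if [ "$#" -gt 0 ]; then
    echo "smbd reported: $(failed_sid < "$1")"
    token_sids < "$1" | check_sids
fi
```

If the log was copied out of an e-mail or a wrapped terminal, rejoin the lines first; a SID split across two lines will not match.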


