[Samba] NT_STATUS_INVALID_SID

Ryan Ashley ryana at reachtechfp.com
Wed Oct 26 20:43:45 UTC 2016


I have a brand-new install of Debian 8 without systemd and a
freshly-built Samba 4 install with issues. I created this as a
standalone AD DC, set up group policies, etc., and then took it to the
client location. Now nothing works. I keep getting "RPC server
unavailable" on Windows machines and trying to list shares on the DC
itself results in NT_STATUS_INVALID_SID. I am lost as there are not many
results for this in Google, so I am here.

Configuration:
./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr --enable-fhs

Beyond that, nothing else was done differently.

My smb.conf:
# Global parameters
[global]
        netbios name = DC01
        realm = MEDARTS.LAN
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MEDARTS
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MEDARTS:backend = ad
        idmap config MEDARTS:schema_mode = rfc2307
        idmap config MEDARTS:range = 10000-99999
        winbind nss info = rfc2307

[netlogon]
        path = /var/lib/samba/sysvol/medarts.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Note that the SIDs are out of my specified range below:
ldbsearch -H /var/lib/samba/private/idmap.ldb
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0

# record 2
dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
cn: S-1-5-21-1106274642-2786564146-798650368-501
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-501
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-501

# record 3
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000019
distinguishedName: CN=CONFIG

# record 4
dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
cn: S-1-5-21-1106274642-2786564146-798650368-500
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-500

# record 5
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11

# record 6
dn: CN=S-1-5-21-1106274642-2786564146-798650368-572
cn: S-1-5-21-1106274642-2786564146-798650368-572
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-572
type: ID_TYPE_BOTH
xidNumber: 3000005
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-572

# record 7
dn: CN=S-1-5-9
cn: S-1-5-9
objectClass: sidMap
objectSid: S-1-5-9
type: ID_TYPE_BOTH
xidNumber: 3000010
distinguishedName: CN=S-1-5-9

# record 8
dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid: S-1-5-7
type: ID_TYPE_UID
xidNumber: 65534
distinguishedName: CN=S-1-5-7

# record 9
dn: CN=S-1-5-21-1106274642-2786564146-798650368-1104
cn: S-1-5-21-1106274642-2786564146-798650368-1104
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-1104
type: ID_TYPE_BOTH
xidNumber: 3000017
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-1104

# record 10
dn: CN=S-1-5-21-1106274642-2786564146-798650368-520
cn: S-1-5-21-1106274642-2786564146-798650368-520
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-520
type: ID_TYPE_BOTH
xidNumber: 3000004
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-520

# record 11
dn: CN=S-1-5-32-554
cn: S-1-5-32-554
objectClass: sidMap
objectSid: S-1-5-32-554
type: ID_TYPE_BOTH
xidNumber: 3000016
distinguishedName: CN=S-1-5-32-554

# record 12
dn: CN=S-1-5-21-1106274642-2786564146-798650368-519
cn: S-1-5-21-1106274642-2786564146-798650368-519
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-519
type: ID_TYPE_BOTH
xidNumber: 3000006
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-519

# record 13
dn: CN=S-1-5-21-1106274642-2786564146-798650368-514
cn: S-1-5-21-1106274642-2786564146-798650368-514
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-514
type: ID_TYPE_BOTH
xidNumber: 3000012
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-514

# record 14
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545

# record 15
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 16
dn: CN=S-1-5-21-1106274642-2786564146-798650368-518
cn: S-1-5-21-1106274642-2786564146-798650368-518
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-518
type: ID_TYPE_BOTH
xidNumber: 3000007
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-518

# record 17
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549

# record 18
dn: CN=S-1-5-21-1106274642-2786564146-798650368-513
cn: S-1-5-21-1106274642-2786564146-798650368-513
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-513

# record 19
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18

# record 20
dn: CN=S-1-5-2
cn: S-1-5-2
objectClass: sidMap
objectSid: S-1-5-2
type: ID_TYPE_BOTH
xidNumber: 3000014
distinguishedName: CN=S-1-5-2

# record 21
dn: CN=S-1-5-21-1106274642-2786564146-798650368-512
cn: S-1-5-21-1106274642-2786564146-798650368-512
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-512

# record 22
dn: CN=S-1-5-21-1106274642-2786564146-798650368-515
cn: S-1-5-21-1106274642-2786564146-798650368-515
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-515
type: ID_TYPE_BOTH
xidNumber: 3000018
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-515

# record 23
dn: CN=S-1-5-32-546
cn: S-1-5-32-546
objectClass: sidMap
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000015
distinguishedName: CN=S-1-5-32-546

# returned 23 records
# 23 entries
# 0 referrals

My max allowed was 99999 but I see SIDs over 300k! This is what I
believe my issue is. This is Samba v4.5, stable. Thanks in advance for
any help.
-- 
Lead IT/IS Specialist
Reach Technology FP, Inc
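
An added example, not part of the original post: a Python check that parses `ldbsearch` output from idmap.ldb like the dump above and reports, for each SID, whether its xidNumber falls in the pool recorded in the CN=CONFIG record (lowerBound/upperBound) or in one of the `idmap config` ranges from the posted smb.conf. The sample is constructed from records 3, 4, 15 and 18 of the dump; the function names are made up for this example.

```python
import re

# Constructed sample: records 3, 4, 15 and 18 from the dump above, trimmed.
SAMPLE = """\
# record 3
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000

# record 4
objectSid: S-1-5-21-1106274642-2786564146-798650368-500
xidNumber: 0

# record 15
objectSid: S-1-5-32-544
xidNumber: 3000000

# record 18
objectSid: S-1-5-21-1106274642-2786564146-798650368-513
xidNumber: 100
"""

# Ranges from the "idmap config" lines of the smb.conf in the post.
SMB_CONF_RANGES = {"*": (2000, 9999), "MEDARTS": (10000, 99999)}


def parse_records(text):
    """Split ldbsearch output into one attribute dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if attrs:
            records.append(attrs)
    return records


def classify(text, conf_ranges=SMB_CONF_RANGES):
    """Return {sid: (xid, range name)} for every record with an objectSid."""
    records = parse_records(text)
    config = next(r for r in records if r.get("cn") == "CONFIG")
    ranges = dict(conf_ranges)
    ranges["idmap.ldb pool"] = (int(config["lowerBound"]), int(config["upperBound"]))
    result = {}
    for rec in (r for r in records if "objectSid" in r):
        xid = int(rec["xidNumber"])
        hits = [n for n, (lo, hi) in ranges.items() if lo <= xid <= hi]
        result[rec["objectSid"]] = (xid, hits[0] if hits else "outside all ranges")
    return result
```

Calling `classify()` on the full `ldbsearch -H /var/lib/samba/private/idmap.ldb` output gives the same breakdown for all 23 records.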


