[Samba] NT_STATUS_INVALID_SID

Ryan Ashley ryana at reachtechfp.com
Wed Oct 26 21:27:37 UTC 2016


I guess I should note that it seems like the high SIDs will resolve,
except for 300000. Below is an example.

root@dc01:~# l /var/lib/samba/sysvol/medarts.lan/
total 16
drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies
drwxrws---+ 2 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 scripts
root@dc01:~# l /var/lib/samba/sysvol/medarts.lan/Policies
total 16
drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:05 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:18 {6AC1786C-016F-11D2-945F-00C04FB984F9}

Also, the issue I am having with RPC:

root@dc01:~# smbclient -L \\localhost -U reachfp
Enter reachfp's password:
session setup failed: NT_STATUS_INVALID_SID

I am calling it a day. I can remote in but I need this up quickly, if
possible. This is for a client who lost her entire business in Hurricane
Matthew. There was mud on the ceiling tiles of the building. Flooding
was BAD here. She is trying to get going and we need her domain up. If
this is a major issue I can blow a day creating a new domain if need be.
Thank you for your time and help.

PS: "reachfp" is the domain administrator account. We rename it for all
of our clients. We set it back if we ever part ways with a client, but
that hasn't happened in my seven years with this company.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/26/2016 04:43 PM, Ryan Ashley via samba wrote:
> I have a brand-new install of Debian 8 without systemd and a
> freshly-built Samba 4 install with issues. I created this as a
> standalone AD DC, set up group policies, etc., and then took it to the
> client location. Now nothing works. I keep getting "RPC server
> unavailable" on Windows machines and trying to list shares on the DC
> itself results in NT_STATUS_INVALID_SID. I am lost as there are not many
> results for this in Google, so I am here.
> 
> Configuration:
> ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr --enable-fhs
> 
> Beyond that, nothing else was done differently.
> 
> My smb.conf:
> # Global parameters
> [global]
>         netbios name = DC01
>         realm = MEDARTS.LAN
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = MEDARTS
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>         idmap config MEDARTS:backend = ad
>         idmap config MEDARTS:schema_mode = rfc2307
>         idmap config MEDARTS:range = 10000-99999
>         winbind nss info = rfc2307
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/medarts.lan/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> Note that the SIDs are out of my specified range below:
> ldbsearch -H /var/lib/samba/private/idmap.ldb
> # record 1
> dn: CN=S-1-1-0
> cn: S-1-1-0
> objectClass: sidMap
> objectSid: S-1-1-0
> type: ID_TYPE_BOTH
> xidNumber: 3000013
> distinguishedName: CN=S-1-1-0
> 
> # record 2
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
> cn: S-1-5-21-1106274642-2786564146-798650368-501
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-501
> type: ID_TYPE_BOTH
> xidNumber: 3000011
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-501
> 
> # record 3
> dn: CN=CONFIG
> cn: CONFIG
> lowerBound: 3000000
> upperBound: 4000000
> xidNumber: 3000019
> distinguishedName: CN=CONFIG
> 
> # record 4
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
> cn: S-1-5-21-1106274642-2786564146-798650368-500
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-500
> 
> # record 5
> dn: CN=S-1-5-11
> cn: S-1-5-11
> objectClass: sidMap
> objectSid: S-1-5-11
> type: ID_TYPE_BOTH
> xidNumber: 3000003
> distinguishedName: CN=S-1-5-11
> 
> # record 6
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-572
> cn: S-1-5-21-1106274642-2786564146-798650368-572
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-572
> type: ID_TYPE_BOTH
> xidNumber: 3000005
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-572
> 
> # record 7
> dn: CN=S-1-5-9
> cn: S-1-5-9
> objectClass: sidMap
> objectSid: S-1-5-9
> type: ID_TYPE_BOTH
> xidNumber: 3000010
> distinguishedName: CN=S-1-5-9
> 
> # record 8
> dn: CN=S-1-5-7
> cn: S-1-5-7
> objectClass: sidMap
> objectSid: S-1-5-7
> type: ID_TYPE_UID
> xidNumber: 65534
> distinguishedName: CN=S-1-5-7
> 
> # record 9
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-1104
> cn: S-1-5-21-1106274642-2786564146-798650368-1104
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-1104
> type: ID_TYPE_BOTH
> xidNumber: 3000017
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-1104
> 
> # record 10
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-520
> cn: S-1-5-21-1106274642-2786564146-798650368-520
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-520
> type: ID_TYPE_BOTH
> xidNumber: 3000004
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-520
> 
> # record 11
> dn: CN=S-1-5-32-554
> cn: S-1-5-32-554
> objectClass: sidMap
> objectSid: S-1-5-32-554
> type: ID_TYPE_BOTH
> xidNumber: 3000016
> distinguishedName: CN=S-1-5-32-554
> 
> # record 12
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-519
> cn: S-1-5-21-1106274642-2786564146-798650368-519
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-519
> type: ID_TYPE_BOTH
> xidNumber: 3000006
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-519
> 
> # record 13
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-514
> cn: S-1-5-21-1106274642-2786564146-798650368-514
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-514
> type: ID_TYPE_BOTH
> xidNumber: 3000012
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-514
> 
> # record 14
> dn: CN=S-1-5-32-545
> cn: S-1-5-32-545
> objectClass: sidMap
> objectSid: S-1-5-32-545
> type: ID_TYPE_BOTH
> xidNumber: 3000009
> distinguishedName: CN=S-1-5-32-545
> 
> # record 15
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
> 
> # record 16
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-518
> cn: S-1-5-21-1106274642-2786564146-798650368-518
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-518
> type: ID_TYPE_BOTH
> xidNumber: 3000007
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-518
> 
> # record 17
> dn: CN=S-1-5-32-549
> cn: S-1-5-32-549
> objectClass: sidMap
> objectSid: S-1-5-32-549
> type: ID_TYPE_BOTH
> xidNumber: 3000001
> distinguishedName: CN=S-1-5-32-549
> 
> # record 18
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-513
> cn: S-1-5-21-1106274642-2786564146-798650368-513
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-513
> 
> # record 19
> dn: CN=S-1-5-18
> cn: S-1-5-18
> objectClass: sidMap
> objectSid: S-1-5-18
> type: ID_TYPE_BOTH
> xidNumber: 3000002
> distinguishedName: CN=S-1-5-18
> 
> # record 20
> dn: CN=S-1-5-2
> cn: S-1-5-2
> objectClass: sidMap
> objectSid: S-1-5-2
> type: ID_TYPE_BOTH
> xidNumber: 3000014
> distinguishedName: CN=S-1-5-2
> 
> # record 21
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-512
> cn: S-1-5-21-1106274642-2786564146-798650368-512
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-512
> type: ID_TYPE_BOTH
> xidNumber: 3000008
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-512
> 
> # record 22
> dn: CN=S-1-5-21-1106274642-2786564146-798650368-515
> cn: S-1-5-21-1106274642-2786564146-798650368-515
> objectClass: sidMap
> objectSid: S-1-5-21-1106274642-2786564146-798650368-515
> type: ID_TYPE_BOTH
> xidNumber: 3000018
> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-515
> 
> # record 23
> dn: CN=S-1-5-32-546
> cn: S-1-5-32-546
> objectClass: sidMap
> objectSid: S-1-5-32-546
> type: ID_TYPE_BOTH
> xidNumber: 3000015
> distinguishedName: CN=S-1-5-32-546
> 
> # returned 23 records
> # 23 entries
> # 0 referrals
> 
> My max allowed was 99999 but I see SIDs over 300k! This is what I
> believe my issue is. This is Samba v4.5, stable. Thanks in advance for
> any help.
> 
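
As a reading aid for the ldbsearch dump quoted above (an added example, not part of the original post and not Samba code): this Python script parses the sidMap records and reports, for each SID, whether its xidNumber falls inside the `lowerBound`/`upperBound` stored in `CN=CONFIG`, inside one of the ranges from the quoted smb.conf, or in neither. The function names are hypothetical, the sample is constructed from four records on this page, and the bounds are assumed to be inclusive.

```python
import re
# Constructed sample: records 3, 4, 15 and 18 of the quoted dump, trimmed.
SAMPLE = """\
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000

objectSid: S-1-5-21-1106274642-2786564146-798650368-500
type: ID_TYPE_UID
xidNumber: 0

objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

objectSid: S-1-5-21-1106274642-2786564146-798650368-513
type: ID_TYPE_GID
xidNumber: 100
"""

# Ranges from the quoted smb.conf ("idmap config *" / "idmap config MEDARTS").
SMB_CONF_RANGES = {"*": (2000, 9999), "MEDARTS": (10000, 99999)}

def parse_records(text):
    """Split ldbsearch output into one attribute dict per record."""
    text = re.sub(r"(?m)^>[ \t]?", "", text)  # accept a mail-quoted paste
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(": ", 1) for line in block.splitlines()
                 if ": " in line and not line.startswith("#"))
        attrs = {key.strip(): value.strip() for key, value in pairs}
        if attrs:
            records.append(attrs)
    return records

def classify(records, conf_ranges=SMB_CONF_RANGES):
    """Map each SID to (type, xid, range name); bounds assumed inclusive."""
    cfg = next(r for r in records if r.get("cn") == "CONFIG")
    lo, hi = int(cfg["lowerBound"]), int(cfg["upperBound"])
    result = {}
    for rec in (r for r in records if "objectSid" in r):
        xid = int(rec["xidNumber"])
        hits = [f"smb.conf {n}" for n, (a, b) in conf_ranges.items() if a <= xid <= b]
        where = "idmap.ldb CONFIG" if lo <= xid <= hi else (hits or ["no range"])[0]
        result[rec["objectSid"]] = (rec["type"], xid, where)
    return result

if __name__ == "__main__":
    for sid, info in classify(parse_records(SAMPLE)).items():
        print(sid, *info)
```

Run against the full dump, the entries reported as "no range" are the ones with fixed low IDs, including the RID 500 account mapped to xidNumber 0.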


