[Samba] NT_STATUS_INVALID_SID

Arthur Ramsey arthur_ramsey at mediture.com
Wed Oct 26 22:05:35 UTC 2016


Take a look at this thread: 
https://lists.samba.org/archive/samba/2016-October/204104.html. Try the 
patch and let me know.

Thanks,
Arthur

On 10/26/2016 4:27 PM, Ryan Ashley via samba wrote:
> I guess I should note that it seems like the high SIDs will resolve,
> except for 300000. Below is an example.
>
> root@dc01:~# l /var/lib/samba/sysvol/medarts.lan/
> total 16
> drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies
> drwxrws---+ 2 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 scripts
> root@dc01:~# l /var/lib/samba/sysvol/medarts.lan/Policies
> total 16
> drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:05 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:18 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>
> Also, the issue I am having with RPC:
>
> root@dc01:~# smbclient -L \\localhost -U reachfp
> Enter reachfp's password:
> session setup failed: NT_STATUS_INVALID_SID
>
> I am calling it a day. I can remote in but I need this up quickly, if
> possible. This is for a client who lost her entire business in Hurricane
> Matthew. There was mud on the ceiling tiles of the building. Flooding
> was BAD here. She is trying to get going and we need her domain up. If
> this is a major issue I can blow a day creating a new domain if need-be.
> Thank you for your time and help.
>
> PS: "reachfp" is the domain administrator account. We rename it for all
> of our clients. We set it back if we ever part ways with a client, but
> that hasn't happened in my seven years with this company.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 10/26/2016 04:43 PM, Ryan Ashley via samba wrote:
>> I have a brand-new install of Debian 8 without systemd and a
>> freshly-built Samba 4 install with issues. I created this as a
>> standalone AD DC, set up group policies, etc., and then took it to the
>> client location. Now nothing works. I keep getting "RPC server
>> unavailable" on Windows machines and trying to list shares on the DC
>> itself results in NT_STATUS_INVALID_SID. I am lost as there are not many
>> results for this in Google, so I am here.
>>
>> Configuration:
>> ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr --enable-fhs
>>
>> Beyond that, nothing else was done differently.
>>
>> My smb.conf:
>> # Global parameters
>> [global]
>>          netbios name = DC01
>>          realm = MEDARTS.LAN
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>          workgroup = MEDARTS
>>          server role = active directory domain controller
>>          idmap_ldb:use rfc2307 = yes
>>          idmap config *:backend = tdb
>>          idmap config *:range = 2000-9999
>>          idmap config MEDARTS:backend = ad
>>          idmap config MEDARTS:schema_mode = rfc2307
>>          idmap config MEDARTS:range = 10000-99999
>>          winbind nss info = rfc2307
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/medarts.lan/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
>> Note that the SIDs are out of my specified range below:
>> ldbsearch -H /var/lib/samba/private/idmap.ldb
>> # record 1
>> dn: CN=S-1-1-0
>> cn: S-1-1-0
>> objectClass: sidMap
>> objectSid: S-1-1-0
>> type: ID_TYPE_BOTH
>> xidNumber: 3000013
>> distinguishedName: CN=S-1-1-0
>>
>> # record 2
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
>> cn: S-1-5-21-1106274642-2786564146-798650368-501
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-501
>> type: ID_TYPE_BOTH
>> xidNumber: 3000011
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-501
>>
>> # record 3
>> dn: CN=CONFIG
>> cn: CONFIG
>> lowerBound: 3000000
>> upperBound: 4000000
>> xidNumber: 3000019
>> distinguishedName: CN=CONFIG
>>
>> # record 4
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
>> cn: S-1-5-21-1106274642-2786564146-798650368-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-500
>>
>> # record 5
>> dn: CN=S-1-5-11
>> cn: S-1-5-11
>> objectClass: sidMap
>> objectSid: S-1-5-11
>> type: ID_TYPE_BOTH
>> xidNumber: 3000003
>> distinguishedName: CN=S-1-5-11
>>
>> # record 6
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-572
>> cn: S-1-5-21-1106274642-2786564146-798650368-572
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-572
>> type: ID_TYPE_BOTH
>> xidNumber: 3000005
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-572
>>
>> # record 7
>> dn: CN=S-1-5-9
>> cn: S-1-5-9
>> objectClass: sidMap
>> objectSid: S-1-5-9
>> type: ID_TYPE_BOTH
>> xidNumber: 3000010
>> distinguishedName: CN=S-1-5-9
>>
>> # record 8
>> dn: CN=S-1-5-7
>> cn: S-1-5-7
>> objectClass: sidMap
>> objectSid: S-1-5-7
>> type: ID_TYPE_UID
>> xidNumber: 65534
>> distinguishedName: CN=S-1-5-7
>>
>> # record 9
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-1104
>> cn: S-1-5-21-1106274642-2786564146-798650368-1104
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-1104
>> type: ID_TYPE_BOTH
>> xidNumber: 3000017
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-1104
>>
>> # record 10
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-520
>> cn: S-1-5-21-1106274642-2786564146-798650368-520
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-520
>> type: ID_TYPE_BOTH
>> xidNumber: 3000004
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-520
>>
>> # record 11
>> dn: CN=S-1-5-32-554
>> cn: S-1-5-32-554
>> objectClass: sidMap
>> objectSid: S-1-5-32-554
>> type: ID_TYPE_BOTH
>> xidNumber: 3000016
>> distinguishedName: CN=S-1-5-32-554
>>
>> # record 12
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-519
>> cn: S-1-5-21-1106274642-2786564146-798650368-519
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-519
>> type: ID_TYPE_BOTH
>> xidNumber: 3000006
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-519
>>
>> # record 13
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-514
>> cn: S-1-5-21-1106274642-2786564146-798650368-514
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-514
>> type: ID_TYPE_BOTH
>> xidNumber: 3000012
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-514
>>
>> # record 14
>> dn: CN=S-1-5-32-545
>> cn: S-1-5-32-545
>> objectClass: sidMap
>> objectSid: S-1-5-32-545
>> type: ID_TYPE_BOTH
>> xidNumber: 3000009
>> distinguishedName: CN=S-1-5-32-545
>>
>> # record 15
>> dn: CN=S-1-5-32-544
>> cn: S-1-5-32-544
>> objectClass: sidMap
>> objectSid: S-1-5-32-544
>> type: ID_TYPE_BOTH
>> xidNumber: 3000000
>> distinguishedName: CN=S-1-5-32-544
>>
>> # record 16
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-518
>> cn: S-1-5-21-1106274642-2786564146-798650368-518
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-518
>> type: ID_TYPE_BOTH
>> xidNumber: 3000007
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-518
>>
>> # record 17
>> dn: CN=S-1-5-32-549
>> cn: S-1-5-32-549
>> objectClass: sidMap
>> objectSid: S-1-5-32-549
>> type: ID_TYPE_BOTH
>> xidNumber: 3000001
>> distinguishedName: CN=S-1-5-32-549
>>
>> # record 18
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-513
>> cn: S-1-5-21-1106274642-2786564146-798650368-513
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-513
>> type: ID_TYPE_GID
>> xidNumber: 100
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-513
>>
>> # record 19
>> dn: CN=S-1-5-18
>> cn: S-1-5-18
>> objectClass: sidMap
>> objectSid: S-1-5-18
>> type: ID_TYPE_BOTH
>> xidNumber: 3000002
>> distinguishedName: CN=S-1-5-18
>>
>> # record 20
>> dn: CN=S-1-5-2
>> cn: S-1-5-2
>> objectClass: sidMap
>> objectSid: S-1-5-2
>> type: ID_TYPE_BOTH
>> xidNumber: 3000014
>> distinguishedName: CN=S-1-5-2
>>
>> # record 21
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-512
>> cn: S-1-5-21-1106274642-2786564146-798650368-512
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-512
>> type: ID_TYPE_BOTH
>> xidNumber: 3000008
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-512
>>
>> # record 22
>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-515
>> cn: S-1-5-21-1106274642-2786564146-798650368-515
>> objectClass: sidMap
>> objectSid: S-1-5-21-1106274642-2786564146-798650368-515
>> type: ID_TYPE_BOTH
>> xidNumber: 3000018
>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-515
>>
>> # record 23
>> dn: CN=S-1-5-32-546
>> cn: S-1-5-32-546
>> objectClass: sidMap
>> objectSid: S-1-5-32-546
>> type: ID_TYPE_BOTH
>> xidNumber: 3000015
>> distinguishedName: CN=S-1-5-32-546
>>
>> # returned 23 records
>> # 23 entries
>> # 0 referrals
>>
>> My max allowed was 99999 but I see SIDs over 300k! This is what I
>> believe my issue is. This is Samba v4.5, stable. Thanks in advance for
>> any help.
>>
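
Added example, not part of the original thread and not Samba's own code: a Python check that reads `ldbsearch` output from idmap.ldb and reports, for each SID, whether its xidNumber lies within the lowerBound/upperBound of the CN=CONFIG record and which idmap range from the quoted smb.conf (if any) contains it. The sample is an abridged excerpt of four records from the output quoted above; the function names are hypothetical.

```python
import re

# Ranges from the smb.conf quoted in the thread (idmap config *:range, MEDARTS:range).
SMB_CONF_RANGES = {"*": (2000, 9999), "MEDARTS": (10000, 99999)}

# Constructed sample: records 3, 4, 15 and 18 from the thread's output, abridged.
SAMPLE = """\
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000019

objectSid: S-1-5-21-1106274642-2786564146-798650368-500
type: ID_TYPE_UID
xidNumber: 0

objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

objectSid: S-1-5-21-1106274642-2786564146-798650368-513
type: ID_TYPE_GID
xidNumber: 100
"""

def parse_records(text):
    """Split ldbsearch output into one attribute dict per blank-line-separated record."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(l.split(": ", 1) for l in b.splitlines()
                 if ": " in l and not l.startswith("#")) for b in blocks]

def classify(text, conf_ranges=SMB_CONF_RANGES):
    """Return {sid: (xid, inside CN=CONFIG bounds, name of matching smb.conf range or None)}."""
    records = parse_records(text)
    config = next(r for r in records if r.get("dn") == "CN=CONFIG")
    low, high = int(config["lowerBound"]), int(config["upperBound"])
    result = {}
    for rec in records:
        if "objectSid" in rec:  # skip CN=CONFIG and comment-only blocks
            xid = int(rec["xidNumber"])
            conf = next((n for n, (a, b) in conf_ranges.items() if a <= xid <= b), None)
            result[rec["objectSid"]] = (xid, low <= xid <= high, conf)
    return result

if __name__ == "__main__":
    for sid, (xid, in_ldb, conf) in classify(SAMPLE).items():
        print(f"{sid:48} xid={xid:<8} in CN=CONFIG bounds={in_ldb} smb.conf range={conf}")
```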

