[Samba] NT_STATUS_INVALID_SID

Rowland Penny rpenny at samba.org
Thu Oct 27 07:39:51 UTC 2016


On Wed, 26 Oct 2016 17:27:37 -0400
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> I guess I should note that it seems like the high SIDs will resolve,
> except for 300000. Below is an example.
> 
> root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/
> total 16
> drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies
> drwxrws---+ 2 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 scripts
> root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/Policies
> total 16
> drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:05
> {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:18
> {6AC1786C-016F-11D2-945F-00C04FB984F9}
> 
> Also, the issue I am having with RPC:
> 
> root at dc01:~# smbclient -L \\localhost -U reachfp
> Enter reachfp's password:
> session setup failed: NT_STATUS_INVALID_SID
> 
> I am calling it a day. I can remote in but I need this up quickly, if
> possible. This is for a client who lost her entire business in
> Hurricane Matthew. There was mud on the ceiling tiles of the
> building. Flooding was BAD here. She is trying to get going and we
> need her domain up. If this is a major issue I can blow a day
> creating a new domain if need be. Thank you for your time and help.
> 
> PS: "reachfp" is the domain administrator account. We rename it for
> all of our clients. We set it back if we ever part ways with a
> client, but that hasn't happened in my seven years with this company.
> 
> Lead IT/IS Specialist
> Reach Technology FP, Inc
> 
> On 10/26/2016 04:43 PM, Ryan Ashley via samba wrote:
> > I have a brand-new install of Debian 8 without systemd and a
> > freshly-built Samba 4 install with issues. I created this as a
> > standalone AD DC, set up group policies, etc. and then took it to the
> > client location. Now nothing works. I keep getting "RPC server
> > unavailable" on Windows machines and trying to list shares on the DC
> > itself results in NT_STATUS_INVALID_SID. I am lost as there are not
> > many results for this in Google, so I am here.
> > 
> > Configuration:
> > ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr
> > --enable-fhs
> > 
> > Beyond that, nothing else was done differently.
> > 
> > My smb.conf:
> > # Global parameters
> > [global]
> >         netbios name = DC01
> >         realm = MEDARTS.LAN
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> >         workgroup = MEDARTS
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         idmap config *:backend = tdb
> >         idmap config *:range = 2000-9999
> >         idmap config MEDARTS:backend = ad
> >         idmap config MEDARTS:schema_mode = rfc2307
> >         idmap config MEDARTS:range = 10000-99999
> >         winbind nss info = rfc2307
> > 
> > [netlogon]
> >         path = /var/lib/samba/sysvol/medarts.lan/scripts
> >         read only = No
> > 
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> > 
> > Note that the SIDs are out of my specified range below:
> > ldbsearch -H /var/lib/samba/private/idmap.ldb
> > # record 1
> > dn: CN=S-1-1-0
> > cn: S-1-1-0
> > objectClass: sidMap
> > objectSid: S-1-1-0
> > type: ID_TYPE_BOTH
> > xidNumber: 3000013
> > distinguishedName: CN=S-1-1-0
> > 
> > # record 2
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
> > cn: S-1-5-21-1106274642-2786564146-798650368-501
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-501
> > type: ID_TYPE_BOTH
> > xidNumber: 3000011
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-501
> > 
> > # record 3
> > dn: CN=CONFIG
> > cn: CONFIG
> > lowerBound: 3000000
> > upperBound: 4000000
> > xidNumber: 3000019
> > distinguishedName: CN=CONFIG
> > 
> > # record 4
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
> > cn: S-1-5-21-1106274642-2786564146-798650368-500
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-500
> > type: ID_TYPE_UID
> > xidNumber: 0
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-500
> > 
> > # record 5
> > dn: CN=S-1-5-11
> > cn: S-1-5-11
> > objectClass: sidMap
> > objectSid: S-1-5-11
> > type: ID_TYPE_BOTH
> > xidNumber: 3000003
> > distinguishedName: CN=S-1-5-11
> > 
> > # record 6
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-572
> > cn: S-1-5-21-1106274642-2786564146-798650368-572
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-572
> > type: ID_TYPE_BOTH
> > xidNumber: 3000005
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-572
> > 
> > # record 7
> > dn: CN=S-1-5-9
> > cn: S-1-5-9
> > objectClass: sidMap
> > objectSid: S-1-5-9
> > type: ID_TYPE_BOTH
> > xidNumber: 3000010
> > distinguishedName: CN=S-1-5-9
> > 
> > # record 8
> > dn: CN=S-1-5-7
> > cn: S-1-5-7
> > objectClass: sidMap
> > objectSid: S-1-5-7
> > type: ID_TYPE_UID
> > xidNumber: 65534
> > distinguishedName: CN=S-1-5-7
> > 
> > # record 9
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-1104
> > cn: S-1-5-21-1106274642-2786564146-798650368-1104
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-1104
> > type: ID_TYPE_BOTH
> > xidNumber: 3000017
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-1104
> > 
> > # record 10
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-520
> > cn: S-1-5-21-1106274642-2786564146-798650368-520
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-520
> > type: ID_TYPE_BOTH
> > xidNumber: 3000004
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-520
> > 
> > # record 11
> > dn: CN=S-1-5-32-554
> > cn: S-1-5-32-554
> > objectClass: sidMap
> > objectSid: S-1-5-32-554
> > type: ID_TYPE_BOTH
> > xidNumber: 3000016
> > distinguishedName: CN=S-1-5-32-554
> > 
> > # record 12
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-519
> > cn: S-1-5-21-1106274642-2786564146-798650368-519
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-519
> > type: ID_TYPE_BOTH
> > xidNumber: 3000006
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-519
> > 
> > # record 13
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-514
> > cn: S-1-5-21-1106274642-2786564146-798650368-514
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-514
> > type: ID_TYPE_BOTH
> > xidNumber: 3000012
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-514
> > 
> > # record 14
> > dn: CN=S-1-5-32-545
> > cn: S-1-5-32-545
> > objectClass: sidMap
> > objectSid: S-1-5-32-545
> > type: ID_TYPE_BOTH
> > xidNumber: 3000009
> > distinguishedName: CN=S-1-5-32-545
> > 
> > # record 15
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_BOTH
> > xidNumber: 3000000
> > distinguishedName: CN=S-1-5-32-544
> > 
> > # record 16
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-518
> > cn: S-1-5-21-1106274642-2786564146-798650368-518
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-518
> > type: ID_TYPE_BOTH
> > xidNumber: 3000007
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-518
> > 
> > # record 17
> > dn: CN=S-1-5-32-549
> > cn: S-1-5-32-549
> > objectClass: sidMap
> > objectSid: S-1-5-32-549
> > type: ID_TYPE_BOTH
> > xidNumber: 3000001
> > distinguishedName: CN=S-1-5-32-549
> > 
> > # record 18
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-513
> > cn: S-1-5-21-1106274642-2786564146-798650368-513
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-513
> > type: ID_TYPE_GID
> > xidNumber: 100
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-513
> > 
> > # record 19
> > dn: CN=S-1-5-18
> > cn: S-1-5-18
> > objectClass: sidMap
> > objectSid: S-1-5-18
> > type: ID_TYPE_BOTH
> > xidNumber: 3000002
> > distinguishedName: CN=S-1-5-18
> > 
> > # record 20
> > dn: CN=S-1-5-2
> > cn: S-1-5-2
> > objectClass: sidMap
> > objectSid: S-1-5-2
> > type: ID_TYPE_BOTH
> > xidNumber: 3000014
> > distinguishedName: CN=S-1-5-2
> > 
> > # record 21
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-512
> > cn: S-1-5-21-1106274642-2786564146-798650368-512
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-512
> > type: ID_TYPE_BOTH
> > xidNumber: 3000008
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-512
> > 
> > # record 22
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-515
> > cn: S-1-5-21-1106274642-2786564146-798650368-515
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-515
> > type: ID_TYPE_BOTH
> > xidNumber: 3000018
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-515
> > 
> > # record 23
> > dn: CN=S-1-5-32-546
> > cn: S-1-5-32-546
> > objectClass: sidMap
> > objectSid: S-1-5-32-546
> > type: ID_TYPE_BOTH
> > xidNumber: 3000015
> > distinguishedName: CN=S-1-5-32-546
> > 
> > # returned 23 records
> > # 23 entries
> > # 0 referrals
> > 
> > My max allowed was 99999 but I see SIDs over 300k! This is what I
> > believe my issue is. This is Samba v4.5, stable. Thanks in advance
> > for any help.
> > 
> 

Let's get the SIDs (actually RIDs) not being what you have set them to
be, out of the way. They will not be set that way on a DC, the idmap
lines you have added are ignored on a DC and they are only meant to be
used on a domain member. If you want to use different IDs on a DC, you
will have to add uidNumber attributes to the users and a gidNumber to
the Domain Users group.

You say you 'created this as a standalone AD DC', what do you mean by
this? Did you provision with '--server-role=standalone'?

Rowland
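An added check, not from the thread or from the Samba project: this script parses `ldbsearch` output of the form quoted above and separates, for a DC, the SIDs whose xidNumber was allocated from the pool recorded in CN=CONFIG (here 3000000-4000000, which is where the "over 300k" IDs come from) from the SIDs pinned to a fixed ID outside that pool. The smb.conf idmap ranges from the original post never appear in this file, which is the point Rowland makes. The sample records are a constructed excerpt of the ones quoted in the thread, trimmed to the attributes the check needs.

```python
import re
# Constructed sample of `ldbsearch -H /var/lib/samba/private/idmap.ldb` output:
# three of the records quoted in the thread, trimmed to the attributes that matter.
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000019

# record 2
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 3
dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
objectSid: S-1-5-21-1106274642-2786564146-798650368-500
type: ID_TYPE_UID
xidNumber: 0
"""

def parse_ldif(text):
    """One dict per blank-line-separated record; '#' comment lines are skipped."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if not line.startswith("#") and ":" in line:
                key, _, val = line.partition(":")
                rec[key.strip()] = val.strip()
        if rec:
            records.append(rec)
    return records

def audit_idmap(text):
    """Return (lowerBound, upperBound, next free xid) from CN=CONFIG, plus the SIDs
    allocated from that pool and the SIDs pinned to a fixed ID outside it."""
    recs = parse_ldif(text)
    cfg = next(r for r in recs if r["dn"] == "CN=CONFIG")
    lo, hi = int(cfg["lowerBound"]), int(cfg["upperBound"])
    pooled, fixed = {}, {}
    for r in recs:
        if "objectSid" in r:  # CN=CONFIG carries no objectSid, so it is skipped here
            xid = int(r["xidNumber"])
            (pooled if lo <= xid <= hi else fixed)[r["objectSid"]] = (r["type"], xid)
    return (lo, hi, int(cfg["xidNumber"])), pooled, fixed
```

Feed it the full `ldbsearch` output instead of the sample to see every mapping on a real DC; entries in `fixed` (such as RID 500 mapped to uid 0) are the ones provision set deliberately, everything in `pooled` was handed out from the CONFIG range.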
