[Samba] NT_STATUS_INVALID_SID

Vinicius Bones Silva vbs at e-trust.com.br
Thu Oct 27 12:51:08 UTC 2016


Wait, now I'm confused. Idmap lines do not need to be set up on the DCs? Then how does
Windows figure out the IDs in the Unix Attributes tab? I thought you needed both
rfc2307 and idmap on the DC and the members.



On 27/10/2016 05:39, Rowland Penny via samba wrote:
> On Wed, 26 Oct 2016 17:27:37 -0400
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>
>> I guess I should note that it seems like the high SIDs will resolve,
>> except for 300000. Below is an example.
>>
>> root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/
>> total 16
>> drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies
>> drwxrws---+ 2 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 scripts
>> root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/Policies
>> total 16
>> drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:05 {31B2F340-016D-11D2-945F-00C04FB984F9}
>> drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:18 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>
>> Also, the issue I am having with RPC:
>>
>> root at dc01:~# smbclient -L \\localhost -U reachfp
>> Enter reachfp's password:
>> session setup failed: NT_STATUS_INVALID_SID
>>
>> I am calling it a day. I can remote in but I need this up quickly, if
>> possible. This is for a client who lost her entire business in
>> Hurricane Matthew. There was mud on the ceiling tiles of the
>> building. Flooding was BAD here. She is trying to get going and we
>> need her domain up. If this is a major issue I can blow a day
>> creating a new domain if need be. Thank you for your time and help.
>>
>> PS: "reachfp" is the domain administrator account. We rename it for
>> all of our clients. We set it back if we ever part ways with a
>> client, but that hasn't happened in my seven years with this company.
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 10/26/2016 04:43 PM, Ryan Ashley via samba wrote:
>>> I have a brand-new install of Debian 8 without systemd and a
>>> freshly-built Samba 4 install with issues. I created this as a
>>> standalone AD DC, set up group policies, etc. and then took it to the
>>> client location. Now nothing works. I keep getting "RPC server
>>> unavailable" on Windows machines and trying to list shares on the DC
>>> itself results in NT_STATUS_INVALID_SID. I am lost as there are not
>>> many results for this in Google, so I am here.
>>>
>>> Configuration:
>>> ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr
>>> --enable-fhs
>>>
>>> Beyond that, nothing else was done differently.
>>>
>>> My smb.conf:
>>> # Global parameters
>>> [global]
>>>          netbios name = DC01
>>>          realm = MEDARTS.LAN
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>          workgroup = MEDARTS
>>>          server role = active directory domain controller
>>>          idmap_ldb:use rfc2307 = yes
>>>          idmap config *:backend = tdb
>>>          idmap config *:range = 2000-9999
>>>          idmap config MEDARTS:backend = ad
>>>          idmap config MEDARTS:schema_mode = rfc2307
>>>          idmap config MEDARTS:range = 10000-99999
>>>          winbind nss info = rfc2307
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/medarts.lan/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>>
>>> Note that the SIDs are out of my specified range below:
>>> ldbsearch -H /var/lib/samba/private/idmap.ldb
>>> # record 1
>>> dn: CN=S-1-1-0
>>> cn: S-1-1-0
>>> objectClass: sidMap
>>> objectSid: S-1-1-0
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000013
>>> distinguishedName: CN=S-1-1-0
>>>
>>> # record 2
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
>>> cn: S-1-5-21-1106274642-2786564146-798650368-501
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-501
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000011
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-501
>>>
>>> # record 3
>>> dn: CN=CONFIG
>>> cn: CONFIG
>>> lowerBound: 3000000
>>> upperBound: 4000000
>>> xidNumber: 3000019
>>> distinguishedName: CN=CONFIG
>>>
>>> # record 4
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
>>> cn: S-1-5-21-1106274642-2786564146-798650368-500
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-500
>>> type: ID_TYPE_UID
>>> xidNumber: 0
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-500
>>>
>>> # record 5
>>> dn: CN=S-1-5-11
>>> cn: S-1-5-11
>>> objectClass: sidMap
>>> objectSid: S-1-5-11
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000003
>>> distinguishedName: CN=S-1-5-11
>>>
>>> # record 6
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-572
>>> cn: S-1-5-21-1106274642-2786564146-798650368-572
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-572
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000005
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-572
>>>
>>> # record 7
>>> dn: CN=S-1-5-9
>>> cn: S-1-5-9
>>> objectClass: sidMap
>>> objectSid: S-1-5-9
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000010
>>> distinguishedName: CN=S-1-5-9
>>>
>>> # record 8
>>> dn: CN=S-1-5-7
>>> cn: S-1-5-7
>>> objectClass: sidMap
>>> objectSid: S-1-5-7
>>> type: ID_TYPE_UID
>>> xidNumber: 65534
>>> distinguishedName: CN=S-1-5-7
>>>
>>> # record 9
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-1104
>>> cn: S-1-5-21-1106274642-2786564146-798650368-1104
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-1104
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000017
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-1104
>>>
>>> # record 10
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-520
>>> cn: S-1-5-21-1106274642-2786564146-798650368-520
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-520
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000004
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-520
>>>
>>> # record 11
>>> dn: CN=S-1-5-32-554
>>> cn: S-1-5-32-554
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-554
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000016
>>> distinguishedName: CN=S-1-5-32-554
>>>
>>> # record 12
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-519
>>> cn: S-1-5-21-1106274642-2786564146-798650368-519
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-519
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000006
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-519
>>>
>>> # record 13
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-514
>>> cn: S-1-5-21-1106274642-2786564146-798650368-514
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-514
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000012
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-514
>>>
>>> # record 14
>>> dn: CN=S-1-5-32-545
>>> cn: S-1-5-32-545
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-545
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000009
>>> distinguishedName: CN=S-1-5-32-545
>>>
>>> # record 15
>>> dn: CN=S-1-5-32-544
>>> cn: S-1-5-32-544
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-544
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000000
>>> distinguishedName: CN=S-1-5-32-544
>>>
>>> # record 16
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-518
>>> cn: S-1-5-21-1106274642-2786564146-798650368-518
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-518
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000007
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-518
>>>
>>> # record 17
>>> dn: CN=S-1-5-32-549
>>> cn: S-1-5-32-549
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-549
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000001
>>> distinguishedName: CN=S-1-5-32-549
>>>
>>> # record 18
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-513
>>> cn: S-1-5-21-1106274642-2786564146-798650368-513
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-513
>>> type: ID_TYPE_GID
>>> xidNumber: 100
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-513
>>>
>>> # record 19
>>> dn: CN=S-1-5-18
>>> cn: S-1-5-18
>>> objectClass: sidMap
>>> objectSid: S-1-5-18
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000002
>>> distinguishedName: CN=S-1-5-18
>>>
>>> # record 20
>>> dn: CN=S-1-5-2
>>> cn: S-1-5-2
>>> objectClass: sidMap
>>> objectSid: S-1-5-2
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000014
>>> distinguishedName: CN=S-1-5-2
>>>
>>> # record 21
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-512
>>> cn: S-1-5-21-1106274642-2786564146-798650368-512
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-512
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000008
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-512
>>>
>>> # record 22
>>> dn: CN=S-1-5-21-1106274642-2786564146-798650368-515
>>> cn: S-1-5-21-1106274642-2786564146-798650368-515
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1106274642-2786564146-798650368-515
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000018
>>> distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-515
>>>
>>> # record 23
>>> dn: CN=S-1-5-32-546
>>> cn: S-1-5-32-546
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-546
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000015
>>> distinguishedName: CN=S-1-5-32-546
>>>
>>> # returned 23 records
>>> # 23 entries
>>> # 0 referrals
>>>
>>> My max allowed was 99999 but I see SIDs over 300k! This is what I
>>> believe my issue is. This is Samba v4.5, stable. Thanks in advance
>>> for any help.
>>>
> Let's get the SIDs (actually RIDs) not being what you have set them to
> be, out of the way. They will not be set that way on a DC, the idmap
> lines you have added are ignored on a DC and they are only meant to be
> used on a domain member. If you want to use different IDs on a DC, you
> will have to add uidNumber attributes to the users and a gidNumber to
> the Domain Users group.
>
> You say you 'created this as a standalone AD DC', what do you mean by
> this? Did you provision with '--server-role=standalone'?
>
> Rowland
>

-- 
Vinicius Silva
SOC

BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br <http://www.e-trust.com.br/>

