[Samba] NT_STATUS_INVALID_SID

Ryan Ashley ryana at reachtechfp.com
Thu Oct 27 20:57:30 UTC 2016


I just found this in a log. It is the smbd log, to be exact.

[2016/10/27 16:54:11.689360,  0]
../source4/auth/unix_token.c:107(security_token_to_unix_token)
  Unable to convert SID (S-1-5-11) at index 9 in user token to a GID.
Conversion was returned as type 0, full token:
[2016/10/27 16:54:11.689734,  0]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (13):
    SID[  0]: S-1-5-21-1106274642-2786564146-798650368-500
    SID[  1]: S-1-5-21-1106274642-2786564146-798650368-513
    SID[  2]: S-1-5-21-1106274642-2786564146-798650368-520
    SID[  3]: S-1-5-21-1106274642-2786564146-798650368-572
    SID[  4]: S-1-5-21-1106274642-2786564146-798650368-519
    SID[  5]: S-1-5-21-1106274642-2786564146-798650368-518
    SID[  6]: S-1-5-21-1106274642-2786564146-798650368-512
    SID[  7]: S-1-1-0
    SID[  8]: S-1-5-2
    SID[  9]: S-1-5-11
    SID[ 10]: S-1-5-32-544
    SID[ 11]: S-1-5-32-545
    SID[ 12]: S-1-5-32-554
   Privileges (0x        1FFFFF00):
    Privilege[  0]: SeTakeOwnershipPrivilege
    Privilege[  1]: SeBackupPrivilege
    Privilege[  2]: SeRestorePrivilege
    Privilege[  3]: SeRemoteShutdownPrivilege
    Privilege[  4]: SeSecurityPrivilege
    Privilege[  5]: SeSystemtimePrivilege
    Privilege[  6]: SeShutdownPrivilege
    Privilege[  7]: SeDebugPrivilege
    Privilege[  8]: SeSystemEnvironmentPrivilege
    Privilege[  9]: SeSystemProfilePrivilege
    Privilege[ 10]: SeProfileSingleProcessPrivilege
    Privilege[ 11]: SeIncreaseBasePriorityPrivilege
    Privilege[ 12]: SeLoadDriverPrivilege
    Privilege[ 13]: SeCreatePagefilePrivilege
    Privilege[ 14]: SeIncreaseQuotaPrivilege
    Privilege[ 15]: SeChangeNotifyPrivilege
    Privilege[ 16]: SeUndockPrivilege
    Privilege[ 17]: SeManageVolumePrivilege
    Privilege[ 18]: SeImpersonatePrivilege
    Privilege[ 19]: SeCreateGlobalPrivilege
    Privilege[ 20]: SeEnableDelegationPrivilege
   Rights (0x             403):
    Right[  0]: SeInteractiveLogonRight
    Right[  1]: SeNetworkLogonRight
    Right[  2]: SeRemoteInteractiveLogonRight

Isn't this the builtin group?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/27/2016 04:21 PM, Rowland Penny via samba wrote:
> On Thu, 27 Oct 2016 15:52:09 -0400
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
> 
>> Slightly off-topic, but I thought setting those set the limits for
>> going into the NIS attributes tab in Windows. I understood the Samba
>> wiki to explain that using those lines is how you set the upper and
>> lower limits that Windows sees and uses. Is this incorrect?
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 10/27/2016 03:42 PM, Rowland Penny via samba wrote:
>>> On Thu, 27 Oct 2016 17:23:43 -0200
>>> Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi Rowland,
>>>>
>>>>      Just to let you know, we removed all the idmap entries we had
>>>> on the smb.conf of our two DCs and the ids reported by getent
>>>> passwd at the DCs were in the 3.000.000 range, as you said. We had
>>>> to add back 'idmap_ldb:use rfc2307 = yes' to get the user listing
>>>> with the original numbers on the DCs.
>>>>
>>>> Here's what we commented out on the configuration files.
>>>>
>>>>          # Default idmap config used for BUILTIN and local accounts/groups
>>>>          #idmap config *:backend = ad
>>>>          #idmap config *:range = 2000-9999
>>>>
>>>>          # idmap config for domain E-TRUST
>>>>          #idmap config E-TRUST:backend = ad
>>>>          #idmap config E-TRUST:schema_mode = rfc2307
>>>>          #idmap config E-TRUST:range = 10000-40000
>>>>          #idmap cache time = 1
>>>>          #idmap negative cache time = 1
>>>>          #winbind cache time = 1
>>>>          idmap_ldb:use rfc2307 = yes
>>>>
>>>
>>> Yes those are the lines you should only have on a domain member (aka
>>> fileserver, printserver). The only idmap line you should have on a
>>> DC is the 'idmap_ldb:use rfc2307 = yes' line, without this line,
>>> rfc2307 will not be used and unfortunately it is not added
>>> automatically to any DCs that are joined to the domain.
>>>
>>> Rowland
>>>  
>>>
>>
> 
> OK, when you first provision Samba as an AD DC, it uses 'xidNumber'
> attributes stored in 'idmap.ldb'; these numbers are in the '3000000'
> range. These numbers are allocated on a first come basis (this is why
> you get different IDs on subsequent DCs).
> 
> The only way to get different ID numbers on a DC is to use uidNumber &
> gidNumber attributes, but you don't need to add anything to smb.conf.
> 
> On a domain member it is different, there are several 'idmap' winbind
> backends you can use, but the two main ones are 'ad' and 'rid'.
> 
> If you haven't added any uidNumber & gidNumber attributes to AD, then
> you should use the 'rid' backend, this calculates the users (or group)
> ID from its RID (the only real constant in all of this) and as long as
> you use the same range on all Unix domain members, you will get
> the same ID on them.
> 
> If you have added uidNumber & gidNumber attributes to AD, then you
> should use the 'ad' backend, again, if you use the same range on all
> the domain members, you will get the same IDs everywhere including
> the DCs.
> 
> The ranges (whether you use 'rid' or 'ad') must not overlap and if
> you use 'ad', you must give 'Domain Users' a gidNumber.
> 
> If you use the 'rid' backend, the IDs will be set from the range you
> set in smb.conf, whereas, if you use the 'ad' backend, you set the
> range from the numbers you set in AD.
> 
> Rowland  
> 
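An added example, not code from this thread or from Samba itself: it applies the 'rid' backend rule Rowland describes (the ID is computed from the RID plus the configured range, the idmap_rid arithmetic ID = RID - base_rid + low) to the SIDs in the token dump above, and checks the rule that ranges must not overlap. The E-TRUST domain name and the ranges are the assumed settings taken from the commented-out smb.conf quoted earlier; a SID that maps to None is one a per-domain rid backend cannot map at all (S-1-5-11 is the well-known Authenticated Users SID, not a BUILTIN group), so it can only be handled by the default '*' backend.

```python
# Constructed sample: SIDs copied from the smbd token dump quoted above.
TOKEN_SIDS = [
    "S-1-5-21-1106274642-2786564146-798650368-500",
    "S-1-5-21-1106274642-2786564146-798650368-513",
    "S-1-1-0",
    "S-1-5-2",
    "S-1-5-11",
    "S-1-5-32-544",
]
# Assumed settings: the ranges from the commented-out smb.conf in the thread.
DOMAIN_SID = "S-1-5-21-1106274642-2786564146-798650368"
IDMAP_RANGES = {"*": (2000, 9999), "E-TRUST": (10000, 40000)}

def ranges_overlap(ranges):
    """Return pairs of idmap domains whose ranges overlap; must be empty."""
    items = list(ranges.items())
    bad = []
    for i, (a, (alo, ahi)) in enumerate(items):
        for b, (blo, bhi) in items[i + 1:]:
            if alo <= bhi and blo <= ahi:
                bad.append((a, b))
    return bad

def rid_map(sid, domain_sid, low, high, base_rid=0):
    """idmap_rid arithmetic: ID = RID - base_rid + low; None if the SID is
    not in this domain or the result falls outside [low, high]."""
    if not sid.startswith(domain_sid + "-"):
        return None
    rid = int(sid.rsplit("-", 1)[1])
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None

def classify(sid):
    """Only domain SIDs reach a per-domain backend; BUILTIN (S-1-5-32-*) and
    well-known SIDs such as S-1-5-11 (Authenticated Users) go to '*'."""
    if sid.startswith("S-1-5-21-"):
        return "domain"
    if sid.startswith("S-1-5-32-"):
        return "BUILTIN"
    return "well-known"

def map_token(sids, domain="E-TRUST"):
    """Map every SID in a token through the domain's rid range."""
    low, high = IDMAP_RANGES[domain]
    return {s: (classify(s), rid_map(s, DOMAIN_SID, low, high)) for s in sids}

if __name__ == "__main__":
    assert not ranges_overlap(IDMAP_RANGES), "idmap ranges overlap"
    for sid, (kind, xid) in map_token(TOKEN_SIDS).items():
        print(f"{sid:46} {kind:10} -> {xid if xid is not None else 'needs * backend'}")
```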
