[Samba] NT_STATUS_INVALID_SID

Vinicius Bones Silva vbs at e-trust.com.br
Thu Oct 27 21:14:55 UTC 2016 

Yes,

     You'll see that message to some (or all) of the well known sids 
https://support.microsoft.com/en-us/kb/243330 . On my logs, the first to show up is the 
Everyone sid (S-1-1-0) . You also might find  (on member server logs) references to the 
135 port of the DC, usually, connection refused messages. Going back to 4.4.4 seem to 
prevent it. I'm hoping to test Arthur's patch against 4.5.1, as well.

Vinicius.

Em 27/10/2016 18:57, Ryan Ashley via samba escreveu:
> I just found this in a log. It is the smbd log, to be exact.
>
> [2016/10/27 16:54:11.689360,  0]
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>    Unable to convert SID (S-1-5-11) at index 9 in user token to a GID.
> Conversion was returned as type 0, full token:
> [2016/10/27 16:54:11.689734,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>    Security token SIDs (13):
>      SID[  0]: S-1-5-21-1106274642-2786564146-798650368-500
>      SID[  1]: S-1-5-21-1106274642-2786564146-798650368-513
>      SID[  2]: S-1-5-21-1106274642-2786564146-798650368-520
>      SID[  3]: S-1-5-21-1106274642-2786564146-798650368-572
>      SID[  4]: S-1-5-21-1106274642-2786564146-798650368-519
>      SID[  5]: S-1-5-21-1106274642-2786564146-798650368-518
>      SID[  6]: S-1-5-21-1106274642-2786564146-798650368-512
>      SID[  7]: S-1-1-0
>      SID[  8]: S-1-5-2
>      SID[  9]: S-1-5-11
>      SID[ 10]: S-1-5-32-544
>      SID[ 11]: S-1-5-32-545
>      SID[ 12]: S-1-5-32-554
>     Privileges (0x        1FFFFF00):
>      Privilege[  0]: SeTakeOwnershipPrivilege
>      Privilege[  1]: SeBackupPrivilege
>      Privilege[  2]: SeRestorePrivilege
>      Privilege[  3]: SeRemoteShutdownPrivilege
>      Privilege[  4]: SeSecurityPrivilege
>      Privilege[  5]: SeSystemtimePrivilege
>      Privilege[  6]: SeShutdownPrivilege
>      Privilege[  7]: SeDebugPrivilege
>      Privilege[  8]: SeSystemEnvironmentPrivilege
>      Privilege[  9]: SeSystemProfilePrivilege
>      Privilege[ 10]: SeProfileSingleProcessPrivilege
>      Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>      Privilege[ 12]: SeLoadDriverPrivilege
>      Privilege[ 13]: SeCreatePagefilePrivilege
>      Privilege[ 14]: SeIncreaseQuotaPrivilege
>      Privilege[ 15]: SeChangeNotifyPrivilege
>      Privilege[ 16]: SeUndockPrivilege
>      Privilege[ 17]: SeManageVolumePrivilege
>      Privilege[ 18]: SeImpersonatePrivilege
>      Privilege[ 19]: SeCreateGlobalPrivilege
>      Privilege[ 20]: SeEnableDelegationPrivilege
>     Rights (0x             403):
>      Right[  0]: SeInteractiveLogonRight
>      Right[  1]: SeNetworkLogonRight
>      Right[  2]: SeRemoteInteractiveLogonRight
>
> Isn't this the builtin group?
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 10/27/2016 04:21 PM, Rowland Penny via samba wrote:
>> On Thu, 27 Oct 2016 15:52:09 -0400
>> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>>
>>> Slightly off-topic, but I thought setting those set the limits for
>>> going into the NIS attributes tab in Windows. I understood the Samba
>>> wiki to explain that using those lines is how you set the upper and
>>> lower limits that Windows sees and uses. Is this incorrect?
>>>
>>> Lead IT/IS Specialist
>>> Reach Technology FP, Inc
>>>
>>> On 10/27/2016 03:42 PM, Rowland Penny via samba wrote:
>>>> On Thu, 27 Oct 2016 17:23:43 -0200
>>>> Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi Rowland,
>>>>>
>>>>>       Just to let you know, we removed all the idmap entries we had
>>>>> on the smb.conf of our two DCs and the ids reported by getent
>>>>> passwd at the DCs were in the 3.000.000 range, as you said. We had
>>>>> to add back 'idmap_ldb:use rfc2307 = yes' to get the user listing
>>>>> with the original numbers on the DCs.
>>>>>
>>>>> Here's what we commented out on the configurationfiles.
>>>>>
>>>>>           # Default idmap config used for BUILTIN and local
>>>>> accounts/groups #idmap config *:backend = ad
>>>>>           #idmap config *:range = 2000-9999
>>>>>
>>>>>           # idmap config for domain E-TRUST
>>>>>           #idmap config E-TRUST:backend = ad
>>>>>           #idmap config E-TRUST:schema_mode = rfc2307
>>>>>           #idmap config E-TRUST:range = 10000-40000
>>>>>           #idmap cache time = 1
>>>>>           #idmap negative cache time = 1
>>>>>           #winbind cache time = 1
>>>>>           idmap_ldb:use rfc2307 = yes
>>>>>
>>>> Yes those are the lines you should only have on a domain member (aka
>>>> fileserver, printserver). The only idmap line you should have on a
>>>> DC is the 'idmap_ldb:use rfc2307 = yes' line, without this line,
>>>> rfc2307 will not be used and unfortunately it is not added
>>>> automatically to any DCs that are joined to the domain.
>>>>
>>>> Rowland
>>>>   
>>>>
>> OK, when you first provision Samba as an AD DC, it uses 'xidNumber'
>> attributes stored in 'idmap.ldb', these numbers are in the '3000000'
>> range. These numbers are allocated on a first come basis (this is why
>> you get different IDs on subsequent DCs)
>>
>> The only way to get different ID numbers on a DC, use uidNumber &
>> gidNumber attributes, but you don't need to add anything to smb.conf.
>>
>> On a domain member it is different, there are several 'idmap' winbind
>> backends you can use, but the two main ones are 'ad' and 'rid'.
>>
>> If you haven't added any uidNumber & gidNumber attributes to AD, then
>> you should use the 'rid' backend, this calculates the users (or group)
>> ID from its RID (the only real constant in all of this) and as long as
>> you use the same range on all Unix domain members, you will get
>> the same ID on them.
>>
>> If you have added uidNumber & gidNumber attributes to AD, then you
>> should use the 'ad' backend, again, if you use the same range on all
>> the domain members, you will get the same ID's everywhere including
>> the DC's.
>>
>> The ranges (whether you use 'rid' or 'ad') must not overlap and if
>> you use 'ad', you must give 'Domain Users' a gidNumber.
>>
>> If you use the 'rid' backend, the ID's will be set from the range you
>> set in smb.conf, whereas, if you use the 'ad' backend, you set the
>> range from the numbers you set in AD.
>>
>> Rowland
>>

-- 

	
Vinicius Silva
SOC


BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva

	







	Smiley face

www.e-trust.com.br <http://www.e-trust.com.br/>


Esta mensagem pode conter informações confidenciais ou privilegiadas. Se você recebeu esta 
mensagem por engano, você não deve usar, copiar, divulgar ou tomar qualquer atitude com 
base nestas informações. Solicitamos que você apague a mensagem imediatamente e avise a 
E-TRUST, enviando um e-mail para suporte at e-trust.com.br. Opiniões, conclusões ou 
informações contidas nesta mensagem não necessariamente refletem a posição oficial da 
E-TRUST. Caso assinada digitalmente, a autenticidade desta mensagem pode ser confirmada 
pela Autoridade Certificadora Privada E-TRUST, disponível em www.e-trust.com.br.

This message may contain privileged and confidential information for the use of the 
intended recipients only. If you are not an intended recipient then you should not 
disseminate, copy, or take any action based on its contents. If you have received this 
message in error then please notify E-TRUST by sending an e-mail message to 
suporte at e-trust.com.br immediately. Views and opinions expressed in this message do not 
necessarily reflect the position of E-TRUST. If this message is digitally signed, its 
authenticity can be confirmed by E-TRUST Private Certificate Authority, available at 
www.e-trust.com.br.

More information about the samba mailing list