[Samba] NT_STATUS_INVALID_SID
Andrew Bartlett
abartlet at samba.org
Fri Oct 28 18:11:50 UTC 2016
On Thu, 2016-10-27 at 16:57 -0400, Ryan Ashley via samba wrote:
> I just found this in a log. It is the smbd log, to be exact.
>
> [2016/10/27 16:54:11.689360, 0]
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
> Unable to convert SID (S-1-5-11) at index 9 in user token to a GID.
> Conversion was returned as type 0, full token:
> [2016/10/27 16:54:11.689734, 0]
> ../libcli/security/security_token.c:63(security_token_debug)
> Security token SIDs (13):
> SID[ 0]: S-1-5-21-1106274642-2786564146-798650368-500
> SID[ 1]: S-1-5-21-1106274642-2786564146-798650368-513
> SID[ 2]: S-1-5-21-1106274642-2786564146-798650368-520
> SID[ 3]: S-1-5-21-1106274642-2786564146-798650368-572
> SID[ 4]: S-1-5-21-1106274642-2786564146-798650368-519
> SID[ 5]: S-1-5-21-1106274642-2786564146-798650368-518
> SID[ 6]: S-1-5-21-1106274642-2786564146-798650368-512
> SID[ 7]: S-1-1-0
> SID[ 8]: S-1-5-2
> SID[ 9]: S-1-5-11
> SID[ 10]: S-1-5-32-544
> SID[ 11]: S-1-5-32-545
> SID[ 12]: S-1-5-32-554
> Privileges (0x 1FFFFF00):
> Privilege[ 0]: SeTakeOwnershipPrivilege
> Privilege[ 1]: SeBackupPrivilege
> Privilege[ 2]: SeRestorePrivilege
> Privilege[ 3]: SeRemoteShutdownPrivilege
> Privilege[ 4]: SeSecurityPrivilege
> Privilege[ 5]: SeSystemtimePrivilege
> Privilege[ 6]: SeShutdownPrivilege
> Privilege[ 7]: SeDebugPrivilege
> Privilege[ 8]: SeSystemEnvironmentPrivilege
> Privilege[ 9]: SeSystemProfilePrivilege
> Privilege[ 10]: SeProfileSingleProcessPrivilege
> Privilege[ 11]: SeIncreaseBasePriorityPrivilege
> Privilege[ 12]: SeLoadDriverPrivilege
> Privilege[ 13]: SeCreatePagefilePrivilege
> Privilege[ 14]: SeIncreaseQuotaPrivilege
> Privilege[ 15]: SeChangeNotifyPrivilege
> Privilege[ 16]: SeUndockPrivilege
> Privilege[ 17]: SeManageVolumePrivilege
> Privilege[ 18]: SeImpersonatePrivilege
> Privilege[ 19]: SeCreateGlobalPrivilege
> Privilege[ 20]: SeEnableDelegationPrivilege
> Rights (0x 403):
> Right[ 0]: SeInteractiveLogonRight
> Right[ 1]: SeNetworkLogonRight
> Right[ 2]: SeRemoteInteractiveLogonRight
>
> Isn't this the builtin group?
Do you have more logs?
I see you have had a long discussion here, but without looking into the
debug logs it really is unlikely we will understand what is actually
going on.
A bug has been filed for what is superficially your issue:
https://bugzilla.samba.org/show_bug.cgi?id=12393
But again, only level 0 logs were attached, and we need
more. (Probably not level 100, at least on on public bugzilla, but 2
or 4 would be nice).
However, I think you have a different issue under the same error code.
Looking over the recent winbindd changes, I would revert these patches:
https://attachments.samba.org/attachment.cgi?id=12373
As the AD DC does not honour IDMAP ranges, the 'central check' may well
fail. It is worth a shot in any case.
I'm sorry this has been so frustrating.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list