[Samba] NT_STATUS_INVALID_SID

Andrew Bartlett abartlet at samba.org
Fri Oct 28 18:11:50 UTC 2016


On Thu, 2016-10-27 at 16:57 -0400, Ryan Ashley via samba wrote:
> I just found this in a log. It is the smbd log, to be exact.
> 
> [2016/10/27 16:54:11.689360,  0]
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>   Unable to convert SID (S-1-5-11) at index 9 in user token to a GID.
> Conversion was returned as type 0, full token:
> [2016/10/27 16:54:11.689734,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (13):
>     SID[  0]: S-1-5-21-1106274642-2786564146-798650368-500
>     SID[  1]: S-1-5-21-1106274642-2786564146-798650368-513
>     SID[  2]: S-1-5-21-1106274642-2786564146-798650368-520
>     SID[  3]: S-1-5-21-1106274642-2786564146-798650368-572
>     SID[  4]: S-1-5-21-1106274642-2786564146-798650368-519
>     SID[  5]: S-1-5-21-1106274642-2786564146-798650368-518
>     SID[  6]: S-1-5-21-1106274642-2786564146-798650368-512
>     SID[  7]: S-1-1-0
>     SID[  8]: S-1-5-2
>     SID[  9]: S-1-5-11
>     SID[ 10]: S-1-5-32-544
>     SID[ 11]: S-1-5-32-545
>     SID[ 12]: S-1-5-32-554
>    Privileges (0x        1FFFFF00):
>     Privilege[  0]: SeTakeOwnershipPrivilege
>     Privilege[  1]: SeBackupPrivilege
>     Privilege[  2]: SeRestorePrivilege
>     Privilege[  3]: SeRemoteShutdownPrivilege
>     Privilege[  4]: SeSecurityPrivilege
>     Privilege[  5]: SeSystemtimePrivilege
>     Privilege[  6]: SeShutdownPrivilege
>     Privilege[  7]: SeDebugPrivilege
>     Privilege[  8]: SeSystemEnvironmentPrivilege
>     Privilege[  9]: SeSystemProfilePrivilege
>     Privilege[ 10]: SeProfileSingleProcessPrivilege
>     Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>     Privilege[ 12]: SeLoadDriverPrivilege
>     Privilege[ 13]: SeCreatePagefilePrivilege
>     Privilege[ 14]: SeIncreaseQuotaPrivilege
>     Privilege[ 15]: SeChangeNotifyPrivilege
>     Privilege[ 16]: SeUndockPrivilege
>     Privilege[ 17]: SeManageVolumePrivilege
>     Privilege[ 18]: SeImpersonatePrivilege
>     Privilege[ 19]: SeCreateGlobalPrivilege
>     Privilege[ 20]: SeEnableDelegationPrivilege
>    Rights (0x             403):
>     Right[  0]: SeInteractiveLogonRight
>     Right[  1]: SeNetworkLogonRight
>     Right[  2]: SeRemoteInteractiveLogonRight
> 
> Isn't this the builtin group?

Do you have more logs?

I see you have had a long discussion here, but without looking into the
debug logs it really is unlikely we will understand what is actually
going on.

A bug has been filed for what is superficially your issue:
https://bugzilla.samba.org/show_bug.cgi?id=12393

But again, only level 0 logs were attached, and we need
more.  (Probably not level 100, at least on public bugzilla, but 2
or 4 would be nice).

However, I think you have a different issue under the same error code.

Looking over the recent winbindd changes, I would revert these patches:

https://attachments.samba.org/attachment.cgi?id=12373

As the AD DC does not honour IDMAP ranges, the 'central check' may well
fail.  It is worth a shot in any case.

I'm sorry this has been so frustrating.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



