[Samba] Corrupted idmap...

Ryan Ashley ryana at reachtechfp.com
Wed Jan 11 17:14:32 UTC 2017


Rowland, no domain user can authenticate on any system and running
sysvolreset followed by sysvolcheck results in a crash. If the sysvol
permissions are correct, sysvolcheck does not crash. If I attempt to
join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
Researching these symptoms turns up a thread about a corrupt idmap.ldb
where a group SID and user SID may be the same or something like that.

They've been down for two days now. They do not have a backup DC. They
did, but it was struck by lightning (it got the battery backup and all)
and they chose not to replace it, against my recommendation. Either way,
no backup DC to recover with.

Finally, which logs would you like to see? My winbindd-idmap log has
nothing but segfaults logged. What log should I check? The only thing
which stood out was the smbd log, which I pasted part of below.

[2017/01/10 13:00:45.581992,  0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID.
Conversion was returned as type 0, full token:
[2017/01/10 13:00:45.659202,  0]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (3):
    SID[  0]: S-1-5-7
    SID[  1]: S-1-1-0
    SID[  2]: S-1-5-2
   Privileges (0x               0):
   Rights (0x               0):
[2017/01/10 13:00:46.378251,  0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID
(S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID.
 Conversion was returned as type 0, full token:
[2017/01/10 13:00:46.425549,  0]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (7):
    SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
    SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-32-554
    SID[  6]: S-1-5-32-545
   Privileges (0x          800000):
    Privilege[  0]: SeChangeNotifyPrivilege
   Rights (0x             400):
    Right[  0]: SeRemoteInteractiveLogonRight
[2017/01/10 13:00:47.052039,  0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID
(S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID.
 Conversion was returned as type 0, full token:
[2017/01/10 13:00:47.133721,  0]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (7):
    SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
    SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-32-554
    SID[  6]: S-1-5-32-545
   Privileges (0x          800000):
    Privilege[  0]: SeChangeNotifyPrivilege
   Rights (0x             400):
    Right[  0]: SeRemoteInteractiveLogonRight
[2017/01/10 13:00:47.698611,  0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID.
Conversion was returned as type 0, full token:
[2017/01/10 13:00:47.775770,  0]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (3):
    SID[  0]: S-1-5-7
    SID[  1]: S-1-1-0
    SID[  2]: S-1-5-2
   Privileges (0x               0):
   Rights (0x               0):
[2017/01/10 13:00:48.394629,  0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID
(S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID.
 Conversion was returned as type 0, full token:
[2017/01/10 13:00:48.409271,  0]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (7):
    SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
    SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-32-554
    SID[  6]: S-1-5-32-545
   Privileges (0x          800000):
   Rights (0x             400):
root at dc01:~# samba -b
Samba version: 4.5.0
Build environment:
   Build host:  Linux dc01 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64
GNU/Linux
Paths:
   BINDIR: /usr/bin
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   NCALRPCDIR: /var/run/samba/ncalrpc
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   DATADIR: /usr/share
   MODULESDIR: /usr/lib/samba
   LOCKDIR: /var/lock/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PIDDIR: /var/run/samba
   PRIVATE_DIR: /var/lib/samba/private
   CODEPAGEDIR: /usr/share/samba/codepages
   SETUPDIR: /usr/share/samba/setup
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
root at dc01:~#

That looks like my issue, but I am not sure.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/11/2017 11:05 AM, lingpanda101 via samba wrote:
> On 1/11/2017 9:23 AM, Ryan Ashley via samba wrote:
>> I started getting NT_STATUS_INVALID at a client location recently and
>> now everything has stopped working. Upon a day of searching and testing,
>> I realized that my idmap.ldb is likely corrupt. How can I recover from
>> this, shy of creating a new domain from scratch? The NAS devices no
>> longer authenticate users so files are inaccessible, computers cannot
>> access the sysvol, and sysvolreset/sysvolcheck both fail. Thanks in
>> advance for any help in this matter.
>>
> 
> If you have a secondary DC that has a good idmap.ldb, transfer the FSMO
> roles and remove the corrupt DC. Second option is to restore from
> backups. Otherwise you can try and manually recover by posting your
> error logs from Samba and your smb.conf.
> 

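Added example for this thread (not code from the original posts or from Samba): a small checker for the failure the poster is chasing, an idmap.ldb in which two SIDs claim the same xidNumber. It assumes the LDIF shape that `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints for sidMap records (objectSid shown as a SID string, type one of ID_TYPE_UID / ID_TYPE_GID / ID_TYPE_BOTH, xidNumber an integer). The embedded sample LDIF is constructed: the domain SID prefix and RIDs 1105 and 515 are taken from the log above, the xid values are invented to show a collision. Run it against a copy of the dump, not the live database, with Samba stopped if you later decide to edit anything.

```python
"""Scan an idmap.ldb LDIF dump for xidNumber collisions and bad type values.

Added example for this mailing-list thread; not part of the original post or of
Samba. Assumes the LDIF layout ldbsearch prints for sidMap records. Produce
real input with (path is the Debian default from `samba -b` above):
    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' > idmap.ldif
    python3 idmap_check.py idmap.ldif
"""
import base64
import sys
from collections import defaultdict

VALID_TYPES = {"ID_TYPE_UID", "ID_TYPE_GID", "ID_TYPE_BOTH"}

# Constructed sample (hypothetical xids; SID prefix and RIDs from the log above).
# Records 1 and 2 share xidNumber 3000021, one as a UID and one as a GID.
SAMPLE_LDIF = """\
# record 1
dn: CN=S-1-5-21-2812428577-3463248684-2415680475-1105
cn: S-1-5-21-2812428577-3463248684-2415680475-1105
objectClass: sidMap
objectSid: S-1-5-21-2812428577-3463248684-2415680475-1105
type: ID_TYPE_UID
xidNumber: 3000021

# record 2
dn: CN=S-1-5-21-2812428577-3463248684-2415680475-515
cn: S-1-5-21-2812428577-3463248684-2415680475-515
objectClass: sidMap
objectSid: S-1-5-21-2812428577-3463248684-2415680475-515
type: ID_TYPE_GID
xidNumber: 3000021

# record 3
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000022

# record 4
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000000

# returned 4 records
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.

    Handles folded continuation lines (leading space), '#' comments and
    base64 values ('attr:: ...'); records are separated by blank lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], defaultdict(list)
    for line in unfolded + [""]:          # sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current[attr.strip()].append(value.strip())
    return records


def sidmap_records(records):
    """Keep only sidMap entries (skips the CN=CONFIG record, which has no xid)."""
    return [r for r in records if "sidMap" in r.get("objectClass", [])]


def find_xid_collisions(records):
    """Return {xid: [(sid, type), ...]} for every xid claimed by more than one SID."""
    by_xid = defaultdict(list)
    for rec in sidmap_records(records):
        sid = rec.get("objectSid", rec.get("cn", ["?"]))[0]
        typ = rec.get("type", ["?"])[0]
        for xid in rec.get("xidNumber", []):
            by_xid[int(xid)].append((sid, typ))
    return {xid: owners for xid, owners in by_xid.items() if len(owners) > 1}


def find_bad_types(records):
    """Return (sid, type) for sidMap entries whose type is not a known ID_TYPE_*."""
    bad = []
    for rec in sidmap_records(records):
        typ = rec.get("type", [""])[0]
        if typ not in VALID_TYPES:
            bad.append((rec.get("objectSid", ["?"])[0], typ))
    return bad


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    recs = parse_ldif(text)
    for xid, owners in sorted(find_xid_collisions(recs).items()):
        print(f"xidNumber {xid} is claimed by {len(owners)} SIDs:")
        for sid, typ in owners:
            print(f"    {sid}  ({typ})")
    for sid, typ in find_bad_types(recs):
        print(f"{sid}: unexpected type value {typ!r}")
```

On the constructed sample the script reports xid 3000021 held by both the user RID 1105 (ID_TYPE_UID) and Domain Computers RID 515 (ID_TYPE_GID), which is exactly the "group SID and user SID may be the same" condition the poster describes. A clean database produces no output.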