[Samba] Corrupted idmap...

Rowland Penny rpenny at samba.org
Wed Jan 11 17:33:57 UTC 2017


On Wed, 11 Jan 2017 12:14:32 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> Rowland, no domain user can authenticate on any system and running
> sysvolreset followed by sysvolcheck results in a crash. If the sysvol
> permissions are correct, sysvolcheck does not crash. If I attempt to
> join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
> Researching these symptoms turns up a thread about a corrupt idmap.ldb
> where a group SID and user SID may be the same or something like that.
> 
> They've been down for two days now. They do not have a backup DC. They
> did, but it was struck by lightning (it got the battery backup and all)
> and they chose not to replace it, against my recommendation. Either
> way, no backup DC to recover with.
> 
> Finally, which logs would you like to see? My winbindd-idmap log has
> nothing but segfaults logged. What log should I check? The only thing
> which stood out was the smbd log, which I pasted part of below.
> 
> [2017/01/10 13:00:45.581992,  0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID (S-1-5-7) in user token to a UID.
> Conversion was returned as type 0, full token:
> [2017/01/10 13:00:45.659202,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (3):
>     SID[  0]: S-1-5-7
>     SID[  1]: S-1-1-0
>     SID[  2]: S-1-5-2
>    Privileges (0x               0):
>    Rights (0x               0):
> [2017/01/10 13:00:46.378251,  0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID
> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
> UID. Conversion was returned as type 0, full token:
> [2017/01/10 13:00:46.425549,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (7):
>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>     SID[  2]: S-1-1-0
>     SID[  3]: S-1-5-2
>     SID[  4]: S-1-5-11
>     SID[  5]: S-1-5-32-554
>     SID[  6]: S-1-5-32-545
>    Privileges (0x          800000):
>     Privilege[  0]: SeChangeNotifyPrivilege
>    Rights (0x             400):
>     Right[  0]: SeRemoteInteractiveLogonRight
> [2017/01/10 13:00:47.052039,  0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID
> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
> UID. Conversion was returned as type 0, full token:
> [2017/01/10 13:00:47.133721,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (7):
>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>     SID[  2]: S-1-1-0
>     SID[  3]: S-1-5-2
>     SID[  4]: S-1-5-11
>     SID[  5]: S-1-5-32-554
>     SID[  6]: S-1-5-32-545
>    Privileges (0x          800000):
>     Privilege[  0]: SeChangeNotifyPrivilege
>    Rights (0x             400):
>     Right[  0]: SeRemoteInteractiveLogonRight
> [2017/01/10 13:00:47.698611,  0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID (S-1-5-7) in user token to a UID.
> Conversion was returned as type 0, full token:
> [2017/01/10 13:00:47.775770,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (3):
>     SID[  0]: S-1-5-7
>     SID[  1]: S-1-1-0
>     SID[  2]: S-1-5-2
>    Privileges (0x               0):
>    Rights (0x               0):
> [2017/01/10 13:00:48.394629,  0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID
> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
> UID. Conversion was returned as type 0, full token:
> [2017/01/10 13:00:48.409271,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (7):
>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>     SID[  2]: S-1-1-0
>     SID[  3]: S-1-5-2
>     SID[  4]: S-1-5-11
>     SID[  5]: S-1-5-32-554
>     SID[  6]: S-1-5-32-545
>    Privileges (0x          800000):
>    Rights (0x             400):
> root at dc01:~# samba -b
> Samba version: 4.5.0
> Build environment:
>    Build host:  Linux dc01 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64
> GNU/Linux
> Paths:
>    BINDIR: /usr/bin
>    SBINDIR: /usr/sbin
>    CONFIGFILE: /etc/samba/smb.conf
>    NCALRPCDIR: /var/run/samba/ncalrpc
>    LOGFILEBASE: /var/log/samba
>    LMHOSTSFILE: /etc/samba/lmhosts
>    DATADIR: /usr/share
>    MODULESDIR: /usr/lib/samba
>    LOCKDIR: /var/lock/samba
>    STATEDIR: /var/lib/samba
>    CACHEDIR: /var/cache/samba
>    PIDDIR: /var/run/samba
>    PRIVATE_DIR: /var/lib/samba/private
>    CODEPAGEDIR: /usr/share/samba/codepages
>    SETUPDIR: /usr/share/samba/setup
>    WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
>    WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
>    NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
> root at dc01:~#
> 
> That looks like my issue, but I am not sure.
> 
> Lead IT/IS Specialist
> Reach Technology FP, Inc
> 
> On 01/11/2017 11:05 AM, lingpanda101 via samba wrote:
> > On 1/11/2017 9:23 AM, Ryan Ashley via samba wrote:
> >> I started getting NT_STATUS_INVALID at a client location recently
> >> and now everything has stopped working. Upon a day of searching
> >> and testing, I realized that my idmap.ldb is likely corrupt. How
> >> can I recover from this, shy of creating a new domain from
> >> scratch? The NAS devices no longer authenticate users so files are
> >> inaccessible, computers cannot access the sysvol, and
> >> sysvolreset/sysvolcheck both fail. Thanks in advance for any help
> >> in this matter.
> >>
> > 
> > If you have a secondary DC that has a good idmap.ldb, transfer the
> > FSMO roles and remove the corrupt DC. Second option is to restore
> > from backups. Otherwise you can try and manually recover by posting
> > your error logs from Samba and your smb.conf.
> > 
> 

You could try examining idmap.ldb:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

It should contain records like these:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
cn: S-1-5-21-1768301897-3342589593-1064908849-502
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
type: ID_TYPE_BOTH
xidNumber: 3000045
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-502

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
cn: S-1-5-21-1768301897-3342589593-1064908849-2101
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
type: ID_TYPE_BOTH
xidNumber: 3000046
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-2101

Check for duplicate 'xidNumbers'.
Also, as you say the other DC died (or is that fried?), check the FSMO
roles and ensure there is no mention of the dead DC in sam.ldb (you may
have to use '--cross-ncs' & '--show-binary' with ldbsearch or ldbedit).

Rowland
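An added example, not part of Rowland's reply or of the Samba tools, that automates the duplicate-xidNumber check he describes: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints and reports every xidNumber that more than one SID maps to. The sample records are constructed in the shape of the ones shown above; the attribute names are the real ones from idmap.ldb.

```python
# Added example, not from the thread: flag idmap.ldb SIDs that share one xidNumber.
from collections import defaultdict

# Constructed sample shaped like the records above (only the attributes this check
# reads); the last two records deliberately collide on xidNumber 3000046.
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
type: ID_TYPE_BOTH
xidNumber: 3000045

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
type: ID_TYPE_BOTH
xidNumber: 3000046

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2102
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-2102
type: ID_TYPE_UID
xidNumber: 3000046
"""

def parse_ldif(text):
    """One dict per LDIF record; joins folded lines, skips ldbsearch's '# record N' comments."""
    records, current, last_key = [], {}, None
    for line in text.splitlines() + [""]:        # trailing "" flushes the last record
        if not line.strip():                     # blank line terminates a record
            if current:
                records.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:  # LDIF folds long values with a leading space
            current[last_key] += line[1:]
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    return records

def find_duplicate_xids(records):
    """Return {xidNumber: [objectSid, ...]} for every xid that more than one SID maps to."""
    by_xid = defaultdict(list)
    for rec in records:                          # ignore CN=CONFIG and anything else non-sidMap
        if rec.get("objectClass") == "sidMap" and "xidNumber" in rec:
            by_xid[int(rec["xidNumber"])].append(rec["objectSid"])
    return {xid: sids for xid, sids in by_xid.items() if len(sids) > 1}
```

To run it against a real DC, save the ldbsearch output to a file and call `find_duplicate_xids(parse_ldif(open("idmap.ldif").read()))`; an empty dict means no two SIDs share an xidNumber.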
