[Samba] Corrupted idmap...
lingpanda101
lingpanda101 at gmail.com
Wed Jan 11 17:35:15 UTC 2017
On 1/11/2017 12:14 PM, Ryan Ashley via samba wrote:
> Rowland, no domain user can authenticate on any system and running
> sysvolreset followed by sysvolcheck results in a crash. If the sysvol
> permissions are correct, sysvolcheck does not crash. If I attempt to
> join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
> Researching these symptoms turns up a thread about a corrupt idmap.ldb
> where a group SID and user SID may be the same or something like that.
>
> They've been down for two days now. They do not have a backup DC. They
> did, but it was struck by lightning (it got the battery backup and all)
> and they chose not to replace it, against my recommendation. Either way,
> no backup DC to recover with.
>
> Finally, which logs would you like to see? My winbindd-idmap log has
> nothing but segfaults logged. What log should I check? The only thing
> which stood out was the smbd log, which I pasted part of below.
>
> [2017/01/10 13:00:45.581992, 0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> Unable to convert first SID (S-1-5-7) in user token to a UID.
> Conversion was returned as type 0, full token:
> [2017/01/10 13:00:45.659202, 0]
> ../libcli/security/security_token.c:63(security_token_debug)
> Security token SIDs (3):
> SID[ 0]: S-1-5-7
> SID[ 1]: S-1-1-0
> SID[ 2]: S-1-5-2
> Privileges (0x 0):
> Rights (0x 0):
> [2017/01/10 13:00:46.378251, 0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> Unable to convert first SID
> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID.
> Conversion was returned as type 0, full token:
> [2017/01/10 13:00:46.425549, 0]
> ../libcli/security/security_token.c:63(security_token_debug)
> Security token SIDs (7):
> SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
> SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
> SID[ 2]: S-1-1-0
> SID[ 3]: S-1-5-2
> SID[ 4]: S-1-5-11
> SID[ 5]: S-1-5-32-554
> SID[ 6]: S-1-5-32-545
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight
> [2017/01/10 13:00:47.052039, 0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> Unable to convert first SID
> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID.
> Conversion was returned as type 0, full token:
> [2017/01/10 13:00:47.133721, 0]
> ../libcli/security/security_token.c:63(security_token_debug)
> Security token SIDs (7):
> SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
> SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
> SID[ 2]: S-1-1-0
> SID[ 3]: S-1-5-2
> SID[ 4]: S-1-5-11
> SID[ 5]: S-1-5-32-554
> SID[ 6]: S-1-5-32-545
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight
> [2017/01/10 13:00:47.698611, 0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> Unable to convert first SID (S-1-5-7) in user token to a UID.
> Conversion was returned as type 0, full token:
> [2017/01/10 13:00:47.775770, 0]
> ../libcli/security/security_token.c:63(security_token_debug)
> Security token SIDs (3):
> SID[ 0]: S-1-5-7
> SID[ 1]: S-1-1-0
> SID[ 2]: S-1-5-2
> Privileges (0x 0):
> Rights (0x 0):
> [2017/01/10 13:00:48.394629, 0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> Unable to convert first SID
> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID.
> Conversion was returned as type 0, full token:
> [2017/01/10 13:00:48.409271, 0]
> ../libcli/security/security_token.c:63(security_token_debug)
> Security token SIDs (7):
> SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
> SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
> SID[ 2]: S-1-1-0
> SID[ 3]: S-1-5-2
> SID[ 4]: S-1-5-11
> SID[ 5]: S-1-5-32-554
> SID[ 6]: S-1-5-32-545
> Privileges (0x 800000):
> Rights (0x 400):
> root@dc01:~# samba -b
> Samba version: 4.5.0
> Build environment:
> Build host: Linux dc01 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64
> GNU/Linux
> Paths:
> BINDIR: /usr/bin
> SBINDIR: /usr/sbin
> CONFIGFILE: /etc/samba/smb.conf
> NCALRPCDIR: /var/run/samba/ncalrpc
> LOGFILEBASE: /var/log/samba
> LMHOSTSFILE: /etc/samba/lmhosts
> DATADIR: /usr/share
> MODULESDIR: /usr/lib/samba
> LOCKDIR: /var/lock/samba
> STATEDIR: /var/lib/samba
> CACHEDIR: /var/cache/samba
> PIDDIR: /var/run/samba
> PRIVATE_DIR: /var/lib/samba/private
> CODEPAGEDIR: /usr/share/samba/codepages
> SETUPDIR: /usr/share/samba/setup
> WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
> WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
> NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
> root@dc01:~#
>
> That looks like my issue, but I am not sure.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 01/11/2017 11:05 AM, lingpanda101 via samba wrote:
>> On 1/11/2017 9:23 AM, Ryan Ashley via samba wrote:
>>> I started getting NT_STATUS_INVALID at a client location recently and
>>> now everything has stopped working. Upon a day of searching and testing,
>>> I realized that my idmap.ldb is likely corrupt. How can I recover from
>>> this, shy of creating a new domain from scratch? The NAS devices no
>>> longer authenticate users so files are inaccessible, computers cannot
>>> access the sysvol, and sysvolreset/sysvolcheck both fail. Thanks in
>>> advance for any help in this matter.
>>>
>> If you have a secondary DC that has a good idmap.ldb, transfer the FSMO
>> roles and remove the corrupt DC. Second option is to restore from
>> backups. Otherwise you can try and manually recover by posting your
>> error logs from Samba and your smb.conf.
>>
I'm reminded of this bug
https://bugzilla.samba.org/show_bug.cgi?id=12410 with regards to your
issue. You didn't post your smb.conf, so can't say for sure.
--
- James
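
An added example, not part of the original message and not Samba code: a small Python triage script that extracts every "Unable to convert first SID" failure from an smbd log like the one quoted above and counts them per SID, tolerating mail quoting and line wrapping. The names `summarize`, `FAIL_RE` and `WELL_KNOWN` are hypothetical; the three sample records are trimmed from the quoted excerpt.

```python
import re
from collections import Counter

# Standard well-known SIDs that can appear first in a token.
WELL_KNOWN = {"S-1-5-7": "Anonymous Logon", "S-1-1-0": "Everyone"}

# \s* and \s+ let the match survive the line wrapping seen in the mailed log.
FAIL_RE = re.compile(
    r"Unable to convert first SID\s*\((S-1-[\d-]+)\)\s*in user token to a\s+"
    r"(UID|GID)\.\s*Conversion was returned as type\s+(\d+)"
)

# Three records trimmed from the excerpt quoted in the message above.
SAMPLE_LOG = """\
[2017/01/10 13:00:45.581992, 0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
Unable to convert first SID (S-1-5-7) in user token to a UID.
Conversion was returned as type 0, full token:
[2017/01/10 13:00:46.378251, 0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
Unable to convert first SID
(S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID.
Conversion was returned as type 0, full token:
[2017/01/10 13:00:47.052039, 0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
Unable to convert first SID
(S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID.
Conversion was returned as type 0, full token:
"""

def summarize(log_text):
    """Return one row per failing SID, most frequent first."""
    text = re.sub(r"^(?:>[ \t]?)+", "", log_text, flags=re.M)  # drop mail quoting
    hits = Counter(FAIL_RE.findall(text))
    rows = []
    for (sid, wanted, got), count in hits.items():
        if sid in WELL_KNOWN:
            kind, rid = WELL_KNOWN[sid], None
        elif sid.startswith("S-1-5-21-"):
            kind, rid = "domain account", int(sid.rsplit("-", 1)[1])
        else:
            kind, rid = "other", None
        rows.append({"sid": sid, "wanted": wanted, "returned_type": int(got),
                     "kind": kind, "rid": rid, "count": count})
    return sorted(rows, key=lambda r: (-r["count"], r["sid"]))

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The resulting list of distinct SIDs is the set of mappings worth checking first when comparing against the idmap database.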