[Samba] Corrupted idmap...

Ryan Ashley ryana at reachtechfp.com
Thu Jan 12 15:23:01 UTC 2017


Rowland, the secondary DC died, this is the primary, and yes it was
fried. Smelled like somebody was cooking smores made of electrical wires
and circuit boards in that room!

Is there a way to have ldbedit output that data so I can grep xidNumber?
There is a lot in there and keeping up with all of those numbers is a pain.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/11/2017 12:33 PM, Rowland Penny via samba wrote:
> On Wed, 11 Jan 2017 12:14:32 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
> 
>> Rowland, no domain user can authenticate on any system and running
>> sysvolreset followed by sysvolcheck results in a crash. If the sysvol
>> permissions are correct, sysvolcheck does not crash. If I attempt to
>> join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
>> Researching these symptoms turns up a thread about a corrupt idmap.ldb
>> where a group SID and user SID may be the same or something like that.
>>
>> They've been down for two days now. They do not have a backup DC. They
>> did, but it was struck by lightning (it got the battery backup and all)
>> and they chose not to replace it, against my recommendation. Either
>> way, no backup DC to recover with.
>>
>> Finally, which logs would you like to see? My winbindd-idmap log has
>> nothing but segfaults logged. What log should I check? The only thing
>> which stood out was the smbd log, which I pasted part of below.
>>
>> [2017/01/10 13:00:45.581992,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID (S-1-5-7) in user token to a UID.
>> Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:45.659202,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (3):
>>     SID[  0]: S-1-5-7
>>     SID[  1]: S-1-1-0
>>     SID[  2]: S-1-5-2
>>    Privileges (0x               0):
>>    Rights (0x               0):
>> [2017/01/10 13:00:46.378251,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:46.425549,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (7):
>>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>>     SID[  2]: S-1-1-0
>>     SID[  3]: S-1-5-2
>>     SID[  4]: S-1-5-11
>>     SID[  5]: S-1-5-32-554
>>     SID[  6]: S-1-5-32-545
>>    Privileges (0x          800000):
>>     Privilege[  0]: SeChangeNotifyPrivilege
>>    Rights (0x             400):
>>     Right[  0]: SeRemoteInteractiveLogonRight
>> [2017/01/10 13:00:47.052039,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:47.133721,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (7):
>>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>>     SID[  2]: S-1-1-0
>>     SID[  3]: S-1-5-2
>>     SID[  4]: S-1-5-11
>>     SID[  5]: S-1-5-32-554
>>     SID[  6]: S-1-5-32-545
>>    Privileges (0x          800000):
>>     Privilege[  0]: SeChangeNotifyPrivilege
>>    Rights (0x             400):
>>     Right[  0]: SeRemoteInteractiveLogonRight
>> [2017/01/10 13:00:47.698611,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID (S-1-5-7) in user token to a UID.
>> Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:47.775770,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (3):
>>     SID[  0]: S-1-5-7
>>     SID[  1]: S-1-1-0
>>     SID[  2]: S-1-5-2
>>    Privileges (0x               0):
>>    Rights (0x               0):
>> [2017/01/10 13:00:48.394629,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:48.409271,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (7):
>>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>>     SID[  2]: S-1-1-0
>>     SID[  3]: S-1-5-2
>>     SID[  4]: S-1-5-11
>>     SID[  5]: S-1-5-32-554
>>     SID[  6]: S-1-5-32-545
>>    Privileges (0x          800000):
>>    Rights (0x             400):
>> root at dc01:~# samba -b
>> Samba version: 4.5.0
>> Build environment:
>>    Build host:  Linux dc01 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64
>> GNU/Linux
>> Paths:
>>    BINDIR: /usr/bin
>>    SBINDIR: /usr/sbin
>>    CONFIGFILE: /etc/samba/smb.conf
>>    NCALRPCDIR: /var/run/samba/ncalrpc
>>    LOGFILEBASE: /var/log/samba
>>    LMHOSTSFILE: /etc/samba/lmhosts
>>    DATADIR: /usr/share
>>    MODULESDIR: /usr/lib/samba
>>    LOCKDIR: /var/lock/samba
>>    STATEDIR: /var/lib/samba
>>    CACHEDIR: /var/cache/samba
>>    PIDDIR: /var/run/samba
>>    PRIVATE_DIR: /var/lib/samba/private
>>    CODEPAGEDIR: /usr/share/samba/codepages
>>    SETUPDIR: /usr/share/samba/setup
>>    WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
>>    WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
>>    NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
>> root at dc01:~#
>>
>> That looks like my issue, but I am not sure.
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 01/11/2017 11:05 AM, lingpanda101 via samba wrote:
>>> On 1/11/2017 9:23 AM, Ryan Ashley via samba wrote:
>>>> I started getting NT_STATUS_INVALID at a client location recently
>>>> and now everything has stopped working. Upon a day of searching
>>>> and testing, I realized that my idmap.ldb is likely corrupt. How
>>>> can I recover from this, shy of creating a new domain from
>>>> scratch? The NAS devices no longer authenticate users so files are
>>>> inaccessible, computers cannot access the sysvol, and
>>>> sysvolreset/sysvolcheck both fail. Thanks in advance for any help
>>>> in this matter.
>>>>
>>>
>>> If you have a secondary DC that has a good idmap.ldb, transfer the
>>> FSMO roles and remove the corrupt DC. Second option is to restore
>>> from backups. Otherwise you can try and manually recover by posting
>>> your error logs from Samba and your smb.conf.
>>>
>>
> 
> You could try examining idmap.ldb:
> 
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb 
> 
> It should contain records like these:
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> cn: S-1-5-21-1768301897-3342589593-1064908849-502
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
> type: ID_TYPE_BOTH
> xidNumber: 3000045
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> cn: S-1-5-21-1768301897-3342589593-1064908849-500
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
> cn: S-1-5-21-1768301897-3342589593-1064908849-2101
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
> type: ID_TYPE_BOTH
> xidNumber: 3000046
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
> 
> Check for duplicate 'xidNumbers'
> Also, as you say the other DC died (or is that fried ?), check the FSMO
> roles and ensure there is no mention of the dead DC in sam.ldb (you may
> have to use '--cross-ncs' & '--show-binary' with ldbsearch or ldbedit)
> 
> Rowland
> 
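
One way to do the duplicate xidNumber check suggested above without reading every record in an editor. This is an added example, not part of the original thread: `dup_xids` and `sample_ldif` are hypothetical names, the sample records are constructed, and it assumes the database is dumped as LDIF with `ldbsearch -H` (records without an objectSid are skipped).

```shell
# Added example: list xidNumber values claimed by more than one SID.
# Reads LDIF on stdin, e.g. (database path as given in the thread):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb | dup_xids
dup_xids() {
    awk '
        function endrec() {
            # Count only records that carry both a SID and an xidNumber.
            if (sid != "" && xid != "") {
                n[xid]++
                who[xid] = who[xid] " " sid "(" type ")"
            }
            sid = ""; xid = ""; type = ""
        }
        /^objectSid: / { sid  = $2 }
        /^xidNumber: / { xid  = $2 }
        /^type: /      { type = $2 }
        /^[ \t\r]*$/   { endrec() }   # a blank line ends an LDIF record
        END {
            endrec()                  # last record may lack a trailing blank line
            for (x in n) if (n[x] > 1) print x ":" who[x]
        }
    ' | sort -n
}

# Constructed sample input (not taken from any real idmap.ldb).
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_BOTH
xidNumber: 3000045

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1106
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
type: ID_TYPE_UID
xidNumber: 3000045

# record 3 (constructed, no objectSid, so it is skipped)
dn: CN=EXAMPLE
xidNumber: 3000045

# record 4
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0
EOF
}

sample_ldif | dup_xids
```

Each output line is an xidNumber followed by every SID that maps to it, with the record's type in parentheses so conflicting entries can be compared.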


