[Samba] Corrupted idmap...

Ryan Ashley ryana at reachtechfp.com
Thu Jan 12 15:32:59 UTC 2017


I forgot about ldbsearch. Here is a dump of xid numbers.

root at dc01:~# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber
xidNumber: 3000028
xidNumber: 3000013
xidNumber: 3000033
xidNumber: 3000003
xidNumber: 3000032
xidNumber: 3000023
xidNumber: 3000019
xidNumber: 3000010
xidNumber: 65534
xidNumber: 3000031
xidNumber: 3000022
xidNumber: 3000026
xidNumber: 3000017
xidNumber: 3000027
xidNumber: 3000016
xidNumber: 3000030
xidNumber: 3000021
xidNumber: 3000004
xidNumber: 100
xidNumber: 3000008
xidNumber: 3000011
xidNumber: 0
xidNumber: 3000009
xidNumber: 3000025
xidNumber: 3000000
xidNumber: 3000001
xidNumber: 3000002
xidNumber: 3000014
xidNumber: 3000029
xidNumber: 3000020
xidNumber: 3000005
xidNumber: 3000006
xidNumber: 3000007
xidNumber: 3000018
xidNumber: 3000012
xidNumber: 3000024
xidNumber: 3000015

Is an xid number supposed to go all the way down to 0?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/11/2017 12:33 PM, Rowland Penny via samba wrote:
> On Wed, 11 Jan 2017 12:14:32 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
> 
>> Rowland, no domain user can authenticate on any system and running
>> sysvolreset followed by sysvolcheck results in a crash. If the sysvol
>> permissions are correct, sysvolcheck does not crash. If I attempt to
>> join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
>> Researching these symptoms turns up a thread about a corrupt idmap.ldb
>> where a group SID and user SID may be the same or something like that.
>>
>> They've been down for two days now. They do not have a backup DC. They
>> did, but it was struck by lightning (it got the battery backup and all)
>> and they chose not to replace it, against my recommendation. Either
>> way, no backup DC to recover with.
>>
>> Finally, which logs would you like to see? My winbindd-idmap log has
>> nothing but segfaults logged. What log should I check? The only thing
>> which stood out was the smbd log, which I pasted part of below.
>>
>> [2017/01/10 13:00:45.581992,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID (S-1-5-7) in user token to a UID.
>> Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:45.659202,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (3):
>>     SID[  0]: S-1-5-7
>>     SID[  1]: S-1-1-0
>>     SID[  2]: S-1-5-2
>>    Privileges (0x               0):
>>    Rights (0x               0):
>> [2017/01/10 13:00:46.378251,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:46.425549,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (7):
>>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>>     SID[  2]: S-1-1-0
>>     SID[  3]: S-1-5-2
>>     SID[  4]: S-1-5-11
>>     SID[  5]: S-1-5-32-554
>>     SID[  6]: S-1-5-32-545
>>    Privileges (0x          800000):
>>     Privilege[  0]: SeChangeNotifyPrivilege
>>    Rights (0x             400):
>>     Right[  0]: SeRemoteInteractiveLogonRight
>> [2017/01/10 13:00:47.052039,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:47.133721,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (7):
>>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>>     SID[  2]: S-1-1-0
>>     SID[  3]: S-1-5-2
>>     SID[  4]: S-1-5-11
>>     SID[  5]: S-1-5-32-554
>>     SID[  6]: S-1-5-32-545
>>    Privileges (0x          800000):
>>     Privilege[  0]: SeChangeNotifyPrivilege
>>    Rights (0x             400):
>>     Right[  0]: SeRemoteInteractiveLogonRight
>> [2017/01/10 13:00:47.698611,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID (S-1-5-7) in user token to a UID.
>> Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:47.775770,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (3):
>>     SID[  0]: S-1-5-7
>>     SID[  1]: S-1-1-0
>>     SID[  2]: S-1-5-2
>>    Privileges (0x               0):
>>    Rights (0x               0):
>> [2017/01/10 13:00:48.394629,  0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>>   Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:48.409271,  0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>>   Security token SIDs (7):
>>     SID[  0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>>     SID[  1]: S-1-5-21-2812428577-3463248684-2415680475-515
>>     SID[  2]: S-1-1-0
>>     SID[  3]: S-1-5-2
>>     SID[  4]: S-1-5-11
>>     SID[  5]: S-1-5-32-554
>>     SID[  6]: S-1-5-32-545
>>    Privileges (0x          800000):
>>    Rights (0x             400):
>> root at dc01:~# samba -b
>> Samba version: 4.5.0
>> Build environment:
>>    Build host:  Linux dc01 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64
>> GNU/Linux
>> Paths:
>>    BINDIR: /usr/bin
>>    SBINDIR: /usr/sbin
>>    CONFIGFILE: /etc/samba/smb.conf
>>    NCALRPCDIR: /var/run/samba/ncalrpc
>>    LOGFILEBASE: /var/log/samba
>>    LMHOSTSFILE: /etc/samba/lmhosts
>>    DATADIR: /usr/share
>>    MODULESDIR: /usr/lib/samba
>>    LOCKDIR: /var/lock/samba
>>    STATEDIR: /var/lib/samba
>>    CACHEDIR: /var/cache/samba
>>    PIDDIR: /var/run/samba
>>    PRIVATE_DIR: /var/lib/samba/private
>>    CODEPAGEDIR: /usr/share/samba/codepages
>>    SETUPDIR: /usr/share/samba/setup
>>    WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
>>    WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
>>    NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
>> root at dc01:~#
>>
>> That looks like my issue, but I am not sure.
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 01/11/2017 11:05 AM, lingpanda101 via samba wrote:
>>> On 1/11/2017 9:23 AM, Ryan Ashley via samba wrote:
>>>> I started getting NT_STATUS_INVALID at a client location recently
>>>> and now everything has stopped working. Upon a day of searching
>>>> and testing, I realized that my idmap.ldb is likely corrupt. How
>>>> can I recover from this, shy of creating a new domain from
>>>> scratch? The NAS devices no longer authenticate users so files are
>>>> inaccessible, computers cannot access the sysvol, and
>>>> sysvolreset/sysvolcheck both fail. Thanks in advance for any help
>>>> in this matter.
>>>>
>>>
>>> If you have a secondary DC that has a good idmap.ldb, transfer the
>>> FSMO roles and remove the corrupt DC. Second option is to restore
>>> from backups. Otherwise you can try and manually recover by posting
>>> your error logs from Samba and your smb.conf.
>>>
>>
> 
> You could try examining idmap.ldb:
> 
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb 
> 
> It should contain records like these:
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> cn: S-1-5-21-1768301897-3342589593-1064908849-502
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
> type: ID_TYPE_BOTH
> xidNumber: 3000045
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> cn: S-1-5-21-1768301897-3342589593-1064908849-500
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
> cn: S-1-5-21-1768301897-3342589593-1064908849-2101
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
> type: ID_TYPE_BOTH
> xidNumber: 3000046
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
> 
> Check for duplicate 'xidNumbers'
> Also, as you say the other DC died (or is that fried ?), check the FSMO
> roles and ensure there is no mention of the dead DC in sam.ldb (you may
> have to use '--cross-ncs' & '--show-binary' with ldbsearch or ldbedit)
> 
> Rowland
> 
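The duplicate-xidNumber check Rowland suggests, and the question of what the low xidNumbers in the dump above are, can both be answered from the same ldbsearch output rather than by eyeballing it. The script below is an added example, not part of this thread and not Samba's own tooling. It parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints, groups the `sidMap` records by `xidNumber`, and reports (a) any xid owned by more than one SID and (b) any xid below the allocation range's lower bound. It assumes the default lower bound of 3000000 and that the `CN=CONFIG` record in idmap.ldb carries a `lowerBound` attribute (both assumptions are marked in the code); the sample dump is constructed, modelled on the records in Rowland's reply, with one deliberately duplicated xid. Rowland's own sample already contains a RID-500 entry with `xidNumber: 0`, so sub-range entries are listed for a human to judge rather than flagged as errors.

```python
"""Check an idmap.ldb dump (ldbsearch LDIF output) for duplicate or out-of-range xidNumbers.

Added example for the "Corrupted idmap" thread; not Samba code.
Usage on a DC:  ldbsearch -H /var/lib/samba/private/idmap.ldb | python3 check_idmap.py
"""
import sys
from collections import defaultdict

# Assumption: xids are allocated from 3000000 upward (Samba's default lower
# bound for an AD DC); the CN=CONFIG record, if present, overrides this.
DEFAULT_LOWER_BOUND = 3000000


def parse_ldif(text):
    """Split LDIF text into a list of {attribute: value} dicts, one per record.

    Blank lines separate records, a leading space continues the previous
    value, and '#' lines (ldbsearch's "# record N" / "# returned N records")
    are ignored. Base64 ('::') values are kept undecoded; not needed here.
    """
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        current[key] = value.lstrip(": ").strip()
        last_key = key
    if current:
        records.append(current)
    return records


def sid_maps(records):
    """Only the SID-to-xid mapping records; CN=CONFIG etc. are skipped."""
    return [r for r in records if r.get("objectClass") == "sidMap"]


def config_lower_bound(records, default=DEFAULT_LOWER_BOUND):
    """Lower bound from the CN=CONFIG record (assumed layout), else the default."""
    for r in records:
        if r.get("dn", "").upper() == "CN=CONFIG" and "lowerBound" in r:
            return int(r["lowerBound"])
    return default


def find_duplicate_xids(records):
    """Return {xid: [(sid, type), ...]} for every xid owned by more than one SID."""
    by_xid = defaultdict(list)
    for r in sid_maps(records):
        by_xid[int(r["xidNumber"])].append((r["objectSid"], r.get("type", "?")))
    return {xid: owners for xid, owners in by_xid.items() if len(owners) > 1}


def find_below_bound(records):
    """Return [(sid, xid, type)] for mappings below the allocation range; review, not error."""
    low = config_lower_bound(records)
    return [(r["objectSid"], int(r["xidNumber"]), r.get("type", "?"))
            for r in sid_maps(records) if int(r["xidNumber"]) < low]


# Constructed sample dump (domain SID taken from Rowland's example records);
# record 5 is a deliberately injected duplicate of record 3's xid.
SAMPLE_DUMP = """\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000000
xidNumber: 3000047

# record 2
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0

# record 3
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
type: ID_TYPE_BOTH
xidNumber: 3000045

# record 4
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
type: ID_TYPE_BOTH
xidNumber: 3000046

# record 5
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 3000045

# returned 5 records
"""


def report(text):
    """Print findings for one dump; returns (duplicates, below_bound) for callers."""
    records = parse_ldif(text)
    dups, low = find_duplicate_xids(records), find_below_bound(records)
    for xid, owners in sorted(dups.items()):
        print(f"DUPLICATE xidNumber {xid}:")
        for sid, kind in owners:
            print(f"    {sid} ({kind})")
    for sid, xid, kind in low:
        print(f"below lower bound: {sid} -> {xid} ({kind})  [review]")
    return dups, low


if __name__ == "__main__":
    report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP)
```

Run it with the real dump piped in, or with no input to see it on the constructed sample. A SID appearing twice under one xid with different `type` values is the "group SID and user SID the same" symptom Ryan describes; a lone sub-range entry such as RID 500 -> 0 matches what Rowland's sample shows and is not on its own a sign of damage.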
