[Samba] Issues with RPC, SID resolving; cannot use RSAT

Andreas Gaiser ags-list at wegewerk.com
Tue Apr 3 14:49:55 UTC 2018


Seems removing idmap settings from smb.conf on both DCs having them has fixed it. smbclient and ADUC work as expected, now.

Thank you!

> I'm running a setup with 3 DCs, all Samba 4.5.12, Debian Stretch (is
> patched for CVE-2018-1057, "samba_CVE-2018-1057_helper" been used).
>
> Probably unrelated to the upgrade and patch for CVE-2018-1057, there's
> a new problem coming up.
>
> RSAT fails to start/connect, complaining about RPC-Server
> unavailability. On the DCs I've tried with smbclient and get the
> following:
>
> root@vts5:/etc/samba# smbclient -L localhost -U Administrator
> Enter Administrator's password:
> session setup failed: NT_STATUS_INVALID_SID
>
> This is also consistent with log entries like this:
>
> [2018/04/03 11:37:48.411748,  0]
> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID
> (S-1-5-21-1449862128-1716478392-3139764938-1176) in user token to a UID.
>  Conversion was returned as type 0, full token:
> [2018/04/03 11:37:48.411820,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (7):
>     SID[  0]: S-1-5-21-1449862128-1716478392-3139764938-1176
>     SID[  1]: S-1-5-21-1449862128-1716478392-3139764938-515
>     SID[  2]: S-1-1-0
>     SID[  3]: S-1-5-2
>     SID[  4]: S-1-5-11
>     SID[  5]: S-1-5-32-554
>     SID[  6]: S-1-5-32-545
>
> It is not like only one specific SID is affected. I find this for many
> different ones, including S-1-1-0.
>
> net cache list is showing me funny stuff like this:
>
> Key: IDMAP/GID2SID/3000017       Timeout: 11:23:09       Value: -  (expired)
> Key: IDMAP/SID2XID/S-1-5-32-545  Timeout: 11:40:46       Value: -1:N
>
> ...
>
> Key: IDMAP/SID2XID/S-1-5-21-1449862128-1716478392-3139764938-3708
> Timeout: 11:41:17       Value: -1:N
>
> ...
>
> Key: IDMAP/SID2XID/S-1-5-21-1449862128-1716478392-3139764938-3680
> Timeout: 11:38:37       Value: -1:N  (expired)
>
> At the moment I'm blocked making any changes to the Domain, so I
> appreciate any help solving this issue.

-- 
*Get out of factory farming!*
wegewerk supports BUND in its campaign work:
www.klasse-statt-masse.net <http://www.klasse-statt-masse.net/>

*Andreas Gaiser*
network systems
t +49 30 213087-61
andreas.gaiser at wegewerk.com <mailto:ags at wegewerk.com> | PGP
<https://pgp.mit.edu/pks/lookup?op=get&search=0xC488840940C32AD4>

*wegewerk gmbh*
brauerei königstadt | haus a
saarbrücker straße 24 | 10405 berlin | germany
t +49 30 213087-0 | f +49 30 213087-17

berlin, hrb 76336, ag berlin-charlottenburg
managing director: juri maier
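
A small triage helper for the `net cache list` output quoted in the message above, added here as an example and not part of the original post: it lists the idmap cache entries that record a failed mapping, tolerating entries that were wrapped onto two lines. Reading `-1:N` (SID2XID) and `-` (reverse direction) as negative entries is this example's assumption, and the last sample line is constructed.

```python
import re

# Constructed sample modelled on the quoted `net cache list` lines,
# including long entries wrapped onto two lines. The last entry is invented.
SAMPLE = """\
Key: IDMAP/GID2SID/3000017       Timeout: 11:23:09       Value: -  (expired)
Key: IDMAP/SID2XID/S-1-5-32-545  Timeout: 11:40:46       Value: -1:N
Key: IDMAP/SID2XID/S-1-5-21-1449862128-1716478392-3139764938-3708
Timeout: 11:41:17       Value: -1:N
Key: IDMAP/SID2XID/S-1-5-21-1449862128-1716478392-3139764938-3680
Timeout: 11:38:37       Value: -1:N  (expired)
Key: IDMAP/SID2XID/S-1-5-21-1111111111-2222222222-3333333333-500  Timeout: 11:45:00  Value: 3000000:U
"""

# \s+ also matches newlines, so wrapped entries parse like single-line ones.
ENTRY = re.compile(
    r"Key:\s+(\S+)\s+Timeout:\s+(.+?)\s+Value:\s+(\S+)(?:[ \t]+\((expired)\))?"
)

def parse_cache(text):
    """Return one dict per cache entry found in `net cache list` output."""
    entries = []
    for m in ENTRY.finditer(text):
        key, timeout, value, expired = m.groups()
        entries.append({"key": key, "timeout": timeout,
                        "value": value, "expired": expired is not None})
    return entries

def negative_idmap(entries):
    """Return (direction, subject, expired) for entries recording no mapping."""
    hits = []
    for e in entries:
        parts = e["key"].split("/", 2)
        if len(parts) != 3 or parts[0] != "IDMAP":
            continue  # not an idmap cache key
        _, direction, subject = parts
        if direction == "SID2XID":
            # Assumed value format "<id>:<type>"; -1 / N means "no mapping".
            xid, _, id_type = e["value"].partition(":")
            negative = xid == "-1" or id_type == "N"
        else:
            negative = e["value"] == "-"
        if negative:
            hits.append((direction, subject, e["expired"]))
    return hits

if __name__ == "__main__":
    for direction, subject, expired in negative_idmap(parse_cache(SAMPLE)):
        print(f"{direction:8} {subject} {'expired' if expired else 'still cached'}")
```

Entries reported as still cached keep answering with the failed mapping until their timeout passes.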


