[Samba] Samba DC: Unable to convert first SID / NT_STATUS_INVALID_SID

Gyrfalcon gyrfalcon at ebonfire.com
Sun Nov 7 04:31:15 UTC 2021


I recently added a second domain controller to my environment, running Samba 4.14.18 (Fedora 34).  I have had a single domain controller running Samba 4.9.4 (Fedora 29) for a few years, and it has been working quite well.

Frequently, member servers (winbind) report a "no logon servers" error and fail to authenticate users.  When this happens, I see errors like this in the Samba log on the new DC:

```
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Unable to convert first SID (S-1-5-21-3156550515-2802089874-1331173653-1152) in user token to a UID.  Conversion was returned as type 0, full token:
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Security token SIDs (7):
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   SID[  0]: S-1-5-21-3156550515-2802089874-1331173653-1152
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   SID[  1]: S-1-5-21-3156550515-2802089874-1331173653-515
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   SID[  2]: S-1-1-0
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   SID[  3]: S-1-5-2
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   SID[  4]: S-1-5-11
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   SID[  5]: S-1-5-32-545
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   SID[  6]: S-1-5-32-554
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:  Privileges (0x          800000):
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   Privilege[  0]: SeChangeNotifyPrivilege
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:  Rights (0x             400):
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]:   Right[  0]: SeRemoteInteractiveLogonRight
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_SID] || at ../../source3/smbd/smb2_sesssetup.c:146
```

The mentioned SID belongs to a computer account.

Is this expected behavior now?  Do computer accounts need a uidNumber attribute now?  I never had to assign them before.

Anyway, I tried assigning a uidNumber to one of the computer accounts that was having a problem, and then a similar error occurred, referring to the "Domain Computers" group.  I assigned a gidNumber to it, but that just led to this:

```
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Unable to convert SID (S-1-1-0) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Security token SIDs (7):
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  0]: S-1-5-21-3156550515-2802089874-1331173653-1109
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  1]: S-1-5-21-3156550515-2802089874-1331173653-515
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  2]: S-1-1-0
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  3]: S-1-5-2
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  4]: S-1-5-11
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  5]: S-1-5-32-545
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  6]: S-1-5-32-554
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:  Privileges (0x          800000):
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   Privilege[  0]: SeChangeNotifyPrivilege
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:  Rights (0x             400):
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   Right[  0]: SeRemoteInteractiveLogonRight
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_SID] || at ../../source3/smbd/smb2_sesssetup.c:146
```

My smb.conf is as follows (identical on both DCs, except the netbios name of course):

```
[global]
	netbios name = DC2
	realm = PYROCUFFLINK.BLUE
	server role = active directory domain controller
	workgroup = PYROCUFFLINK

	timestamp logs = no
	logging = systemd file at 0
	log level = 3
	log file = /dev/null

	idmap_ldb:use rfc2307 = yes

	template homedir = /home/%U
	template shell = /bin/bash

	tls enabled = yes
	tls keyfile = /etc/pki/tls/private/samba.key
	tls certfile = /etc/pki/tls/certs/samba.cer
	tls cafile = /etc/pki/tls/certs/samba-ca.crt

[netlogon]
	path = /var/lib/samba/sysvol/pyrocufflink.blue/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
```

I am not sure where to look next.  Everything works well as long as clients communicate with the original DC.  LDAP and Kerberos work well on both DCs; it seems to be only Windows RPC that is a problem.

Any assistance would be most appreciated.

Dustin
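A small triage helper for the token dumps quoted above (added here as an example; it is not part of the original post or of Samba). It parses the "Unable to convert ... SID" line and the SID[n] list out of a journal excerpt, and labels each SID so you can see at a glance whether the rejected entry is a domain object (where uidNumber/gidNumber can be set, as tried in the post) or a well-known/BUILTIN SID such as S-1-1-0 that is not a domain user or group at all. The sample log and the well-known SID names are constructed from the post and from public SID documentation; the "first SID" wording is assumed to mean token index 0, which matches the first dump.

```python
import re

# Constructed sample input: the second journal excerpt from the post, trimmed to the lines the parser uses.
SAMPLE_LOG = """\
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Unable to convert SID (S-1-1-0) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Security token SIDs (7):
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  0]: S-1-5-21-3156550515-2802089874-1331173653-1109
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  1]: S-1-5-21-3156550515-2802089874-1331173653-515
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  2]: S-1-1-0
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  3]: S-1-5-2
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  4]: S-1-5-11
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  5]: S-1-5-32-545
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]:   SID[  6]: S-1-5-32-554
"""

# Well-known and BUILTIN SIDs seen in the post's token; none of these is a domain user or group object.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "NT AUTHORITY\\NETWORK",
              "S-1-5-11": "NT AUTHORITY\\Authenticated Users", "S-1-5-32-545": "BUILTIN\\Users",
              "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access"}
FAIL_RE = re.compile(r"Unable to convert (?:first SID|SID) \((S-[\d-]+)\)(?: at index (\d+))? in user token to a (UID|GID)")
SID_RE = re.compile(r"SID\[\s*(\d+)\]: (S-[\d-]+)")

def classify(sid):
    """Return (kind, label): 'domain' for S-1-5-21-<domain>-<rid> SIDs, 'well-known' for the table above."""
    if sid in WELL_KNOWN:
        return "well-known", WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)  # RID 515 is the "Domain Computers" group from the post
    return ("domain", {513: "Domain Users", 515: "Domain Computers"}.get(int(m.group(1)), "domain object RID " + m.group(1))) if m else ("unknown", sid)

def parse_failure(log):
    """Extract the rejected SID, its token index, the id type smbd wanted, and the token SIDs in index order."""
    fail = FAIL_RE.search(log)
    if not fail: raise ValueError("no 'Unable to convert ... SID' message in input")
    token = [sid for _, sid in sorted((int(i), s) for i, s in SID_RE.findall(log))]
    index = int(fail.group(2)) if fail.group(2) else 0  # assumption: "first SID" wording means index 0
    return {"sid": fail.group(1), "index": index, "wanted": fail.group(3), "token": token}

def triage(log):
    """One line per token SID: what it is, whether it is a domain object, and which one idmap rejected."""
    f = parse_failure(log)
    lines = []
    for i, sid in enumerate(f["token"]):
        kind, label = classify(sid)
        scope = "domain object" if kind == "domain" else "not a domain user/group object"
        mark = " <- rejected, wanted %s" % f["wanted"] if i == f["index"] else ""
        lines.append("SID[%d] %s (%s; %s)%s" % (i, sid, label, scope, mark))
    return lines
```

Feed it `journalctl -u samba` output around the error (e.g. `triage(open("dump.txt").read())`); a rejected entry flagged "not a domain user/group object" is one that adding rfc2307 attributes to accounts cannot address.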


