[Samba] Unable to convert SID at index 2 in user token to a GID
Sebastian Arcus
s.arcus at open-t.co.uk
Mon Apr 11 09:02:48 UTC 2022
I have a Samba 4.12.0 setup as AD DC with file sharing which has been
working fine for about 2 years. Last week, while testing a GPO on the
server and having to restart Samba a few times, it stopped allowing
users to access network shares. When I try to access network shares from
the Windows clients, I get the following:
"The security ID structure is invalid"
The following lines show up in the log in the Samba server:
[2022/04/11 09:46:45.560164, 0]
../../source4/auth/unix_token.c:123(security_token_to_unix_token)
Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115)
at index 2 in user token to a GID. Conversion was returned as type 0,
full token:
[2022/04/11 09:46:45.560319, 0]
../../libcli/security/security_token.c:56(security_token_debug)
Security token SIDs (9):
SID[ 0]: S-1-5-21-138851786-1502048827-544947111-1007
SID[ 1]: S-1-5-21-138851786-1502048827-544947111-513
SID[ 2]: S-1-5-21-138851786-1502048827-544947111-1115
SID[ 3]: S-1-5-21-138851786-1502048827-544947111-1117
SID[ 4]: S-1-1-0
SID[ 5]: S-1-5-2
SID[ 6]: S-1-5-11
SID[ 7]: S-1-5-32-545
SID[ 8]: S-1-5-32-554
Privileges (0x 800000):
Privilege[ 0]: SeChangeNotifyPrivilege
Rights (0x 400):
Right[ 0]: SeRemoteInteractiveLogonRight
I'm a little out of my depth here, as I don't quite understand what is
going on. I am assuming it is not the GPO I was working on, as I removed
it on the server and checked the registry settings on Windows clients
have been reverted - so that side seems to be working fine. Any hints
where to dig further would be much appreciated.
Below is my smb.conf:
[global]
bind interfaces only = Yes
interfaces = lo eth1 tun0
netbios name = SRV-01-AIRWISE
realm = AIRWISEPNEUMATICS.LAN
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
workgroup = AIRWISE
idmap_ldb:use rfc2307 = yes
# act as a NTP/time server
time server = yes
####################################
# Misc options
mangling method = hash2
mangle prefix = 6
# reset a file lock if a new connection comes from the same IP
reset on zero vc = yes
# disconnect inactive clients after so many minutes
deadtime = 10
####################################
# Printing options
# automatically share all printers on the server
load printers = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
[printers]
path = /var/spool/samba
printable = yes
printing = cups
cups options = raw
[print$]
path = /srv/samba/printer_drivers
read only = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/airwisepneumatics.lan/scripts
read only = No
More information about the samba
mailing list