[Samba] Unable to convert SID at index 2 in user token to a GID

Sebastian Arcus s.arcus at open-t.co.uk
Mon Apr 11 09:02:48 UTC 2022


I have a Samba 4.12.0 setup as AD DC with file sharing which has been 
working fine for about 2 years. Last week, while testing a GPO on the 
server and having to restart Samba a few times, it stopped allowing 
users to access network shares. When I try to access network shares from 
the Windows clients, I get the following:

"The security ID structure is invalid"

The following lines show up in the log in the Samba server:

[2022/04/11 09:46:45.560164,  0] 
../../source4/auth/unix_token.c:123(security_token_to_unix_token)
   Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) 
at index 2 in user token to a GID.  Conversion was returned as type 0, 
full token:
[2022/04/11 09:46:45.560319,  0] 
../../libcli/security/security_token.c:56(security_token_debug)
   Security token SIDs (9):
     SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
     SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
     SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
     SID[  3]: S-1-5-21-138851786-1502048827-544947111-1117
     SID[  4]: S-1-1-0
     SID[  5]: S-1-5-2
     SID[  6]: S-1-5-11
     SID[  7]: S-1-5-32-545
     SID[  8]: S-1-5-32-554
    Privileges (0x          800000):
     Privilege[  0]: SeChangeNotifyPrivilege
    Rights (0x             400):
     Right[  0]: SeRemoteInteractiveLogonRight

I'm a little out of my depth here, as I don't quite understand what is 
going on. I am assuming it is not the GPO I was working on, as I removed 
it on the server and checked the registry settings on Windows clients 
have been reverted - so that side seems to be working fine. Any hints 
where to dig further would be much appreciated.

Below is my smb.conf:


[global]
bind interfaces only = Yes
interfaces = lo eth1 tun0
netbios name = SRV-01-AIRWISE
realm = AIRWISEPNEUMATICS.LAN
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbindd, ntp_signd, kcc, dnsupdate
workgroup = AIRWISE
idmap_ldb:use rfc2307 = yes

# act as a NTP/time server
time server = yes

####################################
# Misc options

mangling method = hash2
mangle prefix = 6
# reset a file lock if a new connection comes from the same IP
reset on zero vc = yes
# disconnect inactive clients after so many minutes
deadtime = 10

####################################
# Printing options

# automatically share all printers on the server
load printers = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork

[printers]
path = /var/spool/samba
printable = yes
printing = cups
cups options = raw

[print$]
path = /srv/samba/printer_drivers
read only = no

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/airwisepneumatics.lan/scripts
read only = No
