[Samba] Unable to convert SID at index 2 in user token to a GID
Sebastian Arcus
s.arcus at open-t.co.uk
Mon Apr 11 10:10:36 UTC 2022
On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
> I have a Samba 4.12.0 setup as AD DC with file sharing which has been
> working fine for about 2 years. Last week, while testing a GPO on the
> server and having to restart Samba a few times, it stopped allowing
> users to access network shares. When I try to access network shares from
> the Windows clients, I get the following:
>
> "The security ID structure is invalid"
>
> The following lines show up in the log in the Samba server:
>
> [2022/04/11 09:46:45.560164, 0]
> ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
> Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115)
> at index 2 in user token to a GID. Conversion was returned as type 0,
> full token:
> [2022/04/11 09:46:45.560319, 0]
> ../../libcli/security/security_token.c:56(security_token_debug)
> Security token SIDs (9):
> SID[ 0]: S-1-5-21-138851786-1502048827-544947111-1007
> SID[ 1]: S-1-5-21-138851786-1502048827-544947111-513
> SID[ 2]: S-1-5-21-138851786-1502048827-544947111-1115
> SID[ 3]: S-1-5-21-138851786-1502048827-544947111-1117
> SID[ 4]: S-1-1-0
> SID[ 5]: S-1-5-2
> SID[ 6]: S-1-5-11
> SID[ 7]: S-1-5-32-545
> SID[ 8]: S-1-5-32-554
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight

Some further info, which I assume is connected somehow. If I look up a
user on the command line with 'id', it only shows as being part of the
"Domain Users" group. But if I look it up through RSAT on Windows, it
shows the additional groups it is part of. If I try to add it again to
the groups it is supposed to be part of, using samba-tool, I get the
following error:

ERROR: Failed to add members ['alan'] to group "ap-shares" - (68,
'Attribute member already exists for target GUID
d37dcc81-314c-46d9-885c-1d200879e746')