[Samba] Unable to convert SID at index 2 in user token to a GID
Rowland Penny
rpenny at samba.org
Mon Apr 11 10:51:56 UTC 2022
On Mon, 2022-04-11 at 11:10 +0100, Sebastian Arcus via samba wrote:
> On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
> > I have a Samba 4.12.0 setup as AD DC with file sharing which has
> > been
> > working fine for about 2 years. Last week, while testing a GPO on
> > the
> > server and having to restart Samba a few times, it stopped
> > allowing
> > users to access network shares. When I try to access network shares
> > from
> > the Windows clients, I get the following:
> >
> > "The security ID structure is invalid"
> >
> > The following lines show up in the log in the Samba server:
> >
> > [2022/04/11 09:46:45.560164, 0]
> > ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
> > Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-
> > 1115)
> > at index 2 in user token to a GID. Conversion was returned as type
> > 0,
> > full token:
> > [2022/04/11 09:46:45.560319, 0]
> > ../../libcli/security/security_token.c:56(security_token_debug)
> > Security token SIDs (9):
> > SID[ 0]: S-1-5-21-138851786-1502048827-544947111-1007
> > SID[ 1]: S-1-5-21-138851786-1502048827-544947111-513
> > SID[ 2]: S-1-5-21-138851786-1502048827-544947111-1115
> > SID[ 3]: S-1-5-21-138851786-1502048827-544947111-1117
> > SID[ 4]: S-1-1-0
> > SID[ 5]: S-1-5-2
> > SID[ 6]: S-1-5-11
> > SID[ 7]: S-1-5-32-545
> > SID[ 8]: S-1-5-32-554
> > Privileges (0x 800000):
> > Privilege[ 0]: SeChangeNotifyPrivilege
> > Rights (0x 400):
> > Right[ 0]: SeRemoteInteractiveLogonRight
>
> Some further info, which I assume is connected somehow. If I lookup
> a
> user on the command line with 'id', it only shows as being part of
> "Domain Users" group. But if I look it up through RSAT on Windows,
> it
> shows the additional groups it is part of. If I try to add it again
> to
> the groups it is supposed to be part of, using samba-tool, I get the
> following error:
>
> ERROR: Failed to add members ['alan'] to group "ap-shares" - (68,
> 'Attribute member already exists for target GUID
> d37dcc81-314c-46d9-885c-1d200879e746')
This looks like a problem with user & group mapping, what are you using
for authentication, nslcd, sssd or winbind.
Also 4.12.x is EOL as far as Samba is concerned, is there any way you
can upgrade Samba ?
Rowland
More information about the samba
mailing list