[Samba] Unable to convert SID at index 2 in user token to a GID

Rowland Penny rpenny at samba.org
Mon Apr 11 10:51:56 UTC 2022


On Mon, 2022-04-11 at 11:10 +0100, Sebastian Arcus via samba wrote:
> On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
> > I have a Samba 4.12.0 setup as AD DC with file sharing which has been
> > working fine for about 2 years. Last week, while testing a GPO on the
> > server and having to restart Samba a few times, it stopped allowing
> > users to access network shares. When I try to access network shares
> > from the Windows clients, I get the following:
> > 
> > "The security ID structure is invalid"
> > 
> > The following lines show up in the log in the Samba server:
> > 
> > [2022/04/11 09:46:45.560164,  0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
> >    Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
> > [2022/04/11 09:46:45.560319,  0] ../../libcli/security/security_token.c:56(security_token_debug)
> >    Security token SIDs (9):
> >      SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
> >      SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
> >      SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
> >      SID[  3]: S-1-5-21-138851786-1502048827-544947111-1117
> >      SID[  4]: S-1-1-0
> >      SID[  5]: S-1-5-2
> >      SID[  6]: S-1-5-11
> >      SID[  7]: S-1-5-32-545
> >      SID[  8]: S-1-5-32-554
> >     Privileges (0x          800000):
> >      Privilege[  0]: SeChangeNotifyPrivilege
> >     Rights (0x             400):
> >      Right[  0]: SeRemoteInteractiveLogonRight
> 
> Some further info, which I assume is connected somehow. If I look up a
> user on the command line with 'id', it only shows as being part of
> "Domain Users" group. But if I look it up through RSAT on Windows, it
> shows the additional groups it is part of. If I try to add it again to
> the groups it is supposed to be part of, using samba-tool, I get the
> following error:
> 
> ERROR: Failed to add members ['alan'] to group "ap-shares" - (68, 'Attribute member already exists for target GUID d37dcc81-314c-46d9-885c-1d200879e746')

This looks like a problem with user & group mapping. What are you using
for authentication: nslcd, sssd or winbind?

Also, 4.12.x is EOL as far as Samba is concerned. Is there any way you
can upgrade Samba?

Rowland




