[Samba] Unable to convert SID at index 2 in user token to a GID

Sebastian Arcus s.arcus at open-t.co.uk
Mon Apr 11 11:05:40 UTC 2022

On 11/04/2022 11:51, Rowland Penny via samba wrote:
> On Mon, 2022-04-11 at 11:10 +0100, Sebastian Arcus via samba wrote:
>> On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
>>> I have a Samba 4.12.0 setup as AD DC with file sharing which has been
>>> working fine for about 2 years. Last week, while testing a GPO on the
>>> server and having to restart Samba a few times, it stopped allowing
>>> users to access network shares. When I try to access network shares from
>>> the Windows clients, I get the following:
>>> "The security ID structure is invalid"
>>> The following lines show up in the log in the Samba server:
>>> [2022/04/11 09:46:45.560164,  0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
>>>     Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
>>> [2022/04/11 09:46:45.560319,  0] ../../libcli/security/security_token.c:56(security_token_debug)
>>>     Security token SIDs (9):
>>>       SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
>>>       SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
>>>       SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
>>>       SID[  3]: S-1-5-21-138851786-1502048827-544947111-1117
>>>       SID[  4]: S-1-1-0
>>>       SID[  5]: S-1-5-2
>>>       SID[  6]: S-1-5-11
>>>       SID[  7]: S-1-5-32-545
>>>       SID[  8]: S-1-5-32-554
>>>      Privileges (0x          800000):
>>>       Privilege[  0]: SeChangeNotifyPrivilege
>>>      Rights (0x             400):
>>>       Right[  0]: SeRemoteInteractiveLogonRight
>> Some further info, which I assume is connected somehow. If I look up a
>> user on the command line with 'id', it only shows as being part of
>> "Domain Users" group. But if I look it up through RSAT on Windows, it
>> shows the additional groups it is part of. If I try to add it again to
>> the groups it is supposed to be part of, using samba-tool, I get the
>> following error:
>> ERROR: Failed to add members ['alan'] to group "ap-shares" - (68, 'Attribute member already exists for target GUID d37dcc81-314c-46d9-885c-1d200879e746')
> This looks like a problem with user & group mapping. What are you using
> for authentication: nslcd, sssd or winbind?

Thank you for the quick reply. I will guess I am using winbind, as the 
other two don't sound remotely familiar from the time I've set up Samba 
on this server using classic upgrade. If it helps, I am using the 
following in /etc/nsswitch.conf:

passwd:     compat winbind
group:      compat winbind

> Also, 4.12.x is EOL as far as Samba is concerned. Is there any way you
> can upgrade Samba?

Right at this moment upgrading this server would be a headache, as there 
is other software running on it which would need upgrading at the same 
time. If there is no other option, I could look into upgrading it, but 
it would be preferable if I could figure out what is happening first.
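
Added example, not part of the original message or of Samba's code: a Python parser for the log quoted above that pulls out the SID whose conversion failed, the ID type that came back, and the other token members from the same domain, tolerating mail quoting and hard-wrapped lines. The function names are hypothetical, and the type-code table assumes the numeric values of Samba's id_type enum.

```python
import re

# Log excerpt from the message above (e-mail wrapping removed, token list abridged).
SAMPLE_LOG = """\
[2022/04/11 09:46:45.560164,  0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
  Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
[2022/04/11 09:46:45.560319,  0] ../../libcli/security/security_token.c:56(security_token_debug)
  Security token SIDs (9):
    SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
    SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
    SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
    SID[  3]: S-1-5-21-138851786-1502048827-544947111-1117
    SID[  4]: S-1-1-0
"""

FAIL_RE = re.compile(r"Unable to convert SID \((S-[\d-]+)\) at index (\d+) in user token "
                     r"to a ([UG]ID)\. Conversion was returned as type (\d+)")
TOKEN_RE = re.compile(r"SID\[ ?(\d+)\]: (S-[\d-]+)")
# Assumed values of Samba's id_type enum, as printed in "returned as type N".
ID_TYPES = {0: "not specified", 1: "UID", 2: "GID", 3: "both"}

def normalise(log):
    """Undo mail quoting and hard wrapping so each record matches on one line."""
    text = re.sub(r"(?m)^[> \t]+", "", log)   # drop '>' quote marks and indentation
    text = re.sub(r"-\n(?=\d)", "-", text)    # rejoin a SID split after a hyphen
    return re.sub(r"\s+", " ", text)          # collapse remaining line breaks

def parse_failures(log):
    """Return one dict per failed SID conversion, checked against its token dump."""
    text = normalise(log)
    hits = list(FAIL_RE.finditer(text))
    results = []
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(text)
        token = {int(i): s for i, s in TOKEN_RE.findall(text[m.end():end])}
        sid, index = m.group(1), int(m.group(2))
        domain_sid, _, rid = sid.rpartition("-")
        results.append({
            "sid": sid, "index": index, "wanted": m.group(3),
            "returned": ID_TYPES.get(int(m.group(4)), "unknown"),
            "domain_sid": domain_sid, "rid": int(rid),
            "index_matches_token": token.get(index) == sid,
            # Other token members from the same domain, to check the same way.
            "same_domain": sorted(s for s in token.values()
                                  if s != sid and s.startswith(domain_sid + "-")),
        })
    return results
```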
