[Samba] Unable to convert SID at index 2 in user token to a GID

Sebastian Arcus s.arcus at open-t.co.uk
Wed Apr 13 12:01:27 UTC 2022


On 11/04/2022 11:51, Rowland Penny via samba wrote:
> On Mon, 2022-04-11 at 11:10 +0100, Sebastian Arcus via samba wrote:
>> On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
>>> I have a Samba 4.12.0 setup as AD DC with file sharing which has been
>>> working fine for about 2 years. Last week, while testing a GPO on the
>>> server and having to restart Samba a few times, it stopped allowing
>>> users to access network shares. When I try to access network shares
>>> from the Windows clients, I get the following:
>>>
>>> "The security ID structure is invalid"
>>>
>>> The following lines show up in the log in the Samba server:
>>>
>>> [2022/04/11 09:46:45.560164,  0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
>>>     Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
>>> [2022/04/11 09:46:45.560319,  0] ../../libcli/security/security_token.c:56(security_token_debug)
>>>     Security token SIDs (9):
>>>       SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
>>>       SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
>>>       SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
>>>       SID[  3]: S-1-5-21-138851786-1502048827-544947111-1117
>>>       SID[  4]: S-1-1-0
>>>       SID[  5]: S-1-5-2
>>>       SID[  6]: S-1-5-11
>>>       SID[  7]: S-1-5-32-545
>>>       SID[  8]: S-1-5-32-554
>>>      Privileges (0x          800000):
>>>       Privilege[  0]: SeChangeNotifyPrivilege
>>>      Rights (0x             400):
>>>       Right[  0]: SeRemoteInteractiveLogonRight
>>
>> Some further info, which I assume is connected somehow. If I lookup a
>> user on the command line with 'id', it only shows as being part of
>> "Domain Users" group. But if I look it up through RSAT on Windows, it
>> shows the additional groups it is part of. If I try to add it again to
>> the groups it is supposed to be part of, using samba-tool, I get the
>> following error:
>>
>> ERROR: Failed to add members ['alan'] to group "ap-shares" - (68, 'Attribute member already exists for target GUID d37dcc81-314c-46d9-885c-1d200879e746')
> 
> This looks like a problem with user & group mapping. What are you using
> for authentication: nslcd, sssd or winbind?

Just an update on this. It turns out I broke this while trying to fix 
another initial problem. I replaced the file 
/var/lib/samba/private/idmap.ldb with one from a previous backup - which 
broke user & group mapping. I have restored the proper file and this 
particular error message has gone away. Sorry for the noise and thank 
you for the helpful hints.
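
A small triage parser for the log entry quoted in this thread, added here as an example (not part of the original post and not Samba code): it pulls out the SID that failed to map, the id type that came back, and the other same-domain SIDs in the token that are worth checking next. The function names and the shortened, mail-wrapped sample are constructed for illustration; the type names follow Samba's `enum id_type`.

```python
import re

# Values of Samba's enum id_type (librpc/idl/idmap.idl); 0 means no mapping type came back.
ID_TYPES = {0: "NOT_SPECIFIED", 1: "UID", 2: "GID", 3: "BOTH"}
ERR_RE = re.compile(r"Unable to convert SID \((S-[\d-]+)\) at index (\d+) in user token "
                    r"to a ([UG]ID)\.\s+Conversion was returned as type (\d+)")
TOKEN_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-[\d-]+)")

# Constructed sample: the thread's log entry, mail-quoted and hard-wrapped, token shortened.
SAMPLE = """\
>>> [2022/04/11 09:46:45.560164,  0]
>>> ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
>>>     Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-
>>> 1115)
>>> at index 2 in user token to a GID.  Conversion was returned as type
>>> 0,
>>> full token:
>>>     Security token SIDs (4):
>>>       SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
>>>       SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
>>>       SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
>>>       SID[  3]: S-1-1-0
"""

def normalise(log_text):
    """Strip mail quote markers and undo hard wrapping, giving one logical line."""
    joined = " ".join(re.sub(r"^[>\s]+", "", ln) for ln in log_text.splitlines())
    joined = re.sub(r"-\s+(?=\d)", "-", joined)  # rejoin a SID wrapped after a hyphen
    return re.sub(r"\s+", " ", joined)

def failed_mappings(log_text):
    """Return one finding per conversion error, paired with the token dump that follows it."""
    text = normalise(log_text)
    errors = list(ERR_RE.finditer(text))
    findings = []
    for i, m in enumerate(errors):
        end = errors[i + 1].start() if i + 1 < len(errors) else len(text)
        token = {int(k): v for k, v in TOKEN_RE.findall(text[m.end():end])}
        sid, index = m.group(1), int(m.group(2))
        domain_sid, _, rid = sid.rpartition("-")
        findings.append({
            "sid": sid, "rid": int(rid), "index": index, "wanted": m.group(3),
            "returned": ID_TYPES.get(int(m.group(4)), "unknown"),
            "index_matches_token": token.get(index) == sid,
            # Other SIDs of the same domain in this token, to check next.
            "same_domain": sorted(s for s in token.values()
                                  if s != sid and s.startswith(domain_sid + "-")),
        })
    return findings
```

Calling `failed_mappings()` on a pasted log excerpt returns one dictionary per error; a `returned` value of `NOT_SPECIFIED` for a group SID is the condition reported in this thread.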



