[Samba] samba crashes windows explorer (while trying to view file permissions)

Michael Tokarev mjt at tls.msk.ru
Sat Nov 19 13:12:09 UTC 2022

19.11.2022 15:55, Rowland Penny via samba wrote:
> On 19/11/2022 11:49, Michael Tokarev via samba wrote:
>> 19.11.2022 14:36, Michael Tokarev via samba wrote:
>>> Unable to convert second SID (S-1-5-21-540662649-332824406-1706519170-513) in user token to a GID. Conversion was returned as type 0, full token:
> They are all what is known as the 'Well Known SIDS', see here:
> https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
>> I found this:
>> https://www.spinics.net/lists/samba/msg174381.html
>> which shows an issue with idmap.ldb.
>> But in my case this is a fresh domain, created with nothing in /var/lib/samba/,
>> so I can't restore idmap.ldb from a backup, - because this file has just been
>> created (and no, I didn't try to replicate it to another DC yet, to fix the
>> uid/gid mismatches there as has been mentioned in another thread).
>> From tdbdump /var/lib/samba/private/idmap.ldb:
> Try using ldbedit, it is a lot more readable:
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
> dn: CN=S-1-5-21-627072207-2265849604-124128874-513
> cn: S-1-5-21-627072207-2265849604-124128874-513
> objectClass: sidMap
> objectSid: S-1-5-21-627072207-2265849604-124128874-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513

Oh. This one is nice.

And it looks like now I know where samba is getting the gid=100 in the
other thread :)

Thank you for this tip!

Well, but what do I do with this?  Why is samba unable to convert this
SID to a GID?

> '100' is the Unix group users, the SID '-513' is for Domain Users, so it is mapping Domain Users to the Unix group 'users'.
> Samba should not crash, so you need to find out why it is doing so. Is it something you are doing somehow ? If not, then a bug report should be raised 
> on the Samba bugzilla.

Samba is not crashing. It is the windows explorer which is crashing,
as outlined in my first email in this thread.

Rephrasing, windows explorer crashes due to samba.

Samba is just logging the above error message, that's all.
If it were crashing, I'd attach a stack trace for *sure*.

I recreated the domain from scratch (removing the whole /var/log/samba/ /var/lib/samba/
/var/cache/samba/ and /run/samba/).  Now it has a different ID (expected).  But it
is still logging the same message:

[2022/11/19 15:36:09.722496,  0] ../../source4/auth/unix_token.c:109(security_token_to_unix_token)
   Unable to convert second SID (S-1-5-21-880456541-1649917288-23935232-513) in user token to a GID.  Conversion was returned as type 0, full token:
[2022/11/19 15:36:09.722628,  0] ../../libcli/security/security_token.c:51(security_token_debug)
   Security token SIDs (10):
     SID[  0]: S-1-5-21-880456541-1649917288-23935232-1103
     SID[  1]: S-1-5-21-880456541-1649917288-23935232-513
     SID[  2]: S-1-5-21-880456541-1649917288-23935232-512
     SID[  3]: S-1-5-21-880456541-1649917288-23935232-572
     SID[  4]: S-1-1-0
     SID[  5]: S-1-5-2
     SID[  6]: S-1-5-11
     SID[  7]: S-1-5-32-545
     SID[  8]: S-1-5-32-544
     SID[  9]: S-1-5-32-554
    Privileges (0x        1FFFFF00):
     Privilege[  0]: SeTakeOwnershipPrivilege
     Privilege[  1]: SeBackupPrivilege
     Privilege[  2]: SeRestorePrivilege
     Privilege[  3]: SeRemoteShutdownPrivilege
     Privilege[  4]: SeSecurityPrivilege
     Privilege[  5]: SeSystemtimePrivilege
     Privilege[  6]: SeShutdownPrivilege
     Privilege[  7]: SeDebugPrivilege
     Privilege[  8]: SeSystemEnvironmentPrivilege
     Privilege[  9]: SeSystemProfilePrivilege
     Privilege[ 10]: SeProfileSingleProcessPrivilege
     Privilege[ 11]: SeIncreaseBasePriorityPrivilege
     Privilege[ 12]: SeLoadDriverPrivilege
     Privilege[ 13]: SeCreatePagefilePrivilege
     Privilege[ 14]: SeIncreaseQuotaPrivilege
     Privilege[ 15]: SeChangeNotifyPrivilege
     Privilege[ 16]: SeUndockPrivilege
     Privilege[ 17]: SeManageVolumePrivilege
     Privilege[ 18]: SeImpersonatePrivilege
     Privilege[ 19]: SeCreateGlobalPrivilege
     Privilege[ 20]: SeEnableDelegationPrivilege
    Rights (0x             403):
     Right[  0]: SeInteractiveLogonRight
     Right[  1]: SeNetworkLogonRight
     Right[  2]: SeRemoteInteractiveLogonRight

From ldbedit of idmap.ldb:

# record 16
dn: CN=S-1-5-21-880456541-1649917288-23935232-513
cn: S-1-5-21-880456541-1649917288-23935232-513
objectClass: sidMap
objectSid: S-1-5-21-880456541-1649917288-23935232-513
xidNumber: 100
distinguishedName: CN=S-1-5-21-880456541-1649917288-23935232-513

An attempt to join this new domain from a windows10 machine
results in "The security identifier has an invalid structure"
(translated into English, not sure of the exact wording).

This is a freshly created domain.

Help? :)

Thank you!
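
Added example, not part of the original message and not Samba code: a Python sketch that cross-checks the SIDs named in "Unable to convert ... SID" log lines against sidMap records pasted from ldbedit, reporting each record's xidNumber and whether it carries a type attribute (the record quoted from the earlier reply shows `type: ID_TYPE_GID`, the one pasted from the new domain shows none). The function names are assumptions of this example, and the embedded sample text is constructed from the log line and records in the message above.

```python
import re

# Constructed sample input: one log line and two sidMap records copied from the thread.
LOG = """../../source4/auth/unix_token.c:109(security_token_to_unix_token)
  Unable to convert second SID (S-1-5-21-880456541-1649917288-23935232-513) in user token to a GID.  Conversion was returned as type 0, full token:
"""
LDIF = """dn: CN=S-1-5-21-627072207-2265849604-124128874-513
objectClass: sidMap
objectSid: S-1-5-21-627072207-2265849604-124128874-513
type: ID_TYPE_GID
xidNumber: 100

# record 16
dn: CN=S-1-5-21-880456541-1649917288-23935232-513
objectClass: sidMap
objectSid: S-1-5-21-880456541-1649917288-23935232-513
xidNumber: 100
"""

def parse_sidmap(ldif):
    """Return {objectSid: attrs} for each sidMap record in LDIF text."""
    records = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip "# record N" comments and stray lines
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "objectSid" in attrs:
            records[attrs["objectSid"]] = attrs
    return records

def failed_sids(log):
    """SIDs named in 'Unable to convert <nth> SID (...)' log lines, in order."""
    return re.findall(r"Unable to convert \w+ SID \((S-[\d-]+)\)", log)

def diagnose(log, ldif):
    """Pair each failing SID with what its idmap record says, if one exists."""
    records = parse_sidmap(ldif)
    report = []
    for sid in failed_sids(log):
        rec = records.get(sid)
        if rec is None:
            report.append((sid, None, "no sidMap record"))
        else:
            report.append((sid, rec.get("xidNumber"), rec.get("type", "type attribute missing")))
    return report

if __name__ == "__main__":
    for row in diagnose(LOG, LDIF):
        print(*row)
```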

