[Samba] samba crashes windows explorer (while trying to view file permissions)
Michael Tokarev
mjt at tls.msk.ru
Sat Nov 19 13:12:09 UTC 2022
19.11.2022 15:55, Rowland Penny via samba wrote:
>
>
> On 19/11/2022 11:49, Michael Tokarev via samba wrote:
>> 19.11.2022 14:36, Michael Tokarev via samba wrote:
>>> Unable to convert second SID (S-1-5-21-540662649-332824406-1706519170-513) in user token to a GID. Conversion was returned as type 0, full token:
>
> They are all what is known as the 'Well Known SIDS', see here:
>
> https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
>>
>> I found this:
>>
>> https://www.spinics.net/lists/samba/msg174381.html
>>
>> which shows an issue with idmap.ldb.
>>
>> But in my case this is a fresh domain, created with nothing in /var/lib/samba/,
>> so I can't restore idmap.ldb from a backup, - because this file has just been
>> created (and no, I didn't try to replicate it to another DC yet, to fix the
>> uid/gid mismatches there as has been mentioned in another thread).
>>
>> From tdbdump /var/lib/samba/private/idmap.ldb:
>
> Try using ldbedit, it is a lot more readable:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> dn: CN=S-1-5-21-627072207-2265849604-124128874-513
> cn: S-1-5-21-627072207-2265849604-124128874-513
> objectClass: sidMap
> objectSid: S-1-5-21-627072207-2265849604-124128874-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513

Oh. This one is nice.

And it looks like now I know where samba is getting the gid=100 in the
other thread :)

Thank you for this tip!

Well, but what do I do with this? Why is samba unable to convert this
SID to a GID?

> '100' is the Unix group users, the SID '-513' is for Domain Users, so it is mapping Domain Users to the Unix group 'users'.
>
> Samba should not crash, so you need to find out why it is doing so. Is it something you are doing somehow? If not, then a bug report should be raised
> on the Samba bugzilla.

Samba is not crashing. It is the windows explorer which is crashing,
as outlined in my first email in this thread.

Rephrasing, windows explorer crashes due to samba.

Samba is just logging the above error message, that's all.
If it were crashing, I'd attach a stack trace for *sure*.

I recreated the domain from scratch (removing whole /var/log/samba/ /var/lib/samba/
/var/cache/samba/ and /run/samba/). Now it has a different ID (expected). But it
is still logging the same message:

[2022/11/19 15:36:09.722496, 0] ../../source4/auth/unix_token.c:109(security_token_to_unix_token)
Unable to convert second SID (S-1-5-21-880456541-1649917288-23935232-513) in user token to a GID. Conversion was returned as type 0, full token:
[2022/11/19 15:36:09.722628, 0] ../../libcli/security/security_token.c:51(security_token_debug)
Security token SIDs (10):
SID[ 0]: S-1-5-21-880456541-1649917288-23935232-1103
SID[ 1]: S-1-5-21-880456541-1649917288-23935232-513
SID[ 2]: S-1-5-21-880456541-1649917288-23935232-512
SID[ 3]: S-1-5-21-880456541-1649917288-23935232-572
SID[ 4]: S-1-1-0
SID[ 5]: S-1-5-2
SID[ 6]: S-1-5-11
SID[ 7]: S-1-5-32-545
SID[ 8]: S-1-5-32-544
SID[ 9]: S-1-5-32-554
Privileges (0x 1FFFFF00):
Privilege[ 0]: SeTakeOwnershipPrivilege
Privilege[ 1]: SeBackupPrivilege
Privilege[ 2]: SeRestorePrivilege
Privilege[ 3]: SeRemoteShutdownPrivilege
Privilege[ 4]: SeSecurityPrivilege
Privilege[ 5]: SeSystemtimePrivilege
Privilege[ 6]: SeShutdownPrivilege
Privilege[ 7]: SeDebugPrivilege
Privilege[ 8]: SeSystemEnvironmentPrivilege
Privilege[ 9]: SeSystemProfilePrivilege
Privilege[ 10]: SeProfileSingleProcessPrivilege
Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Privilege[ 12]: SeLoadDriverPrivilege
Privilege[ 13]: SeCreatePagefilePrivilege
Privilege[ 14]: SeIncreaseQuotaPrivilege
Privilege[ 15]: SeChangeNotifyPrivilege
Privilege[ 16]: SeUndockPrivilege
Privilege[ 17]: SeManageVolumePrivilege
Privilege[ 18]: SeImpersonatePrivilege
Privilege[ 19]: SeCreateGlobalPrivilege
Privilege[ 20]: SeEnableDelegationPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
Right[ 1]: SeNetworkLogonRight
Right[ 2]: SeRemoteInteractiveLogonRight

From ldbedit of idmap.ldb:

# record 16
dn: CN=S-1-5-21-880456541-1649917288-23935232-513
cn: S-1-5-21-880456541-1649917288-23935232-513
objectClass: sidMap
objectSid: S-1-5-21-880456541-1649917288-23935232-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-880456541-1649917288-23935232-513

An attempt to join this new domain from a windows10 machine
results in "The security identifier has an invalid structure"
(translated into English, not sure for the exact wording).

This is a freshly created domain.

Help? :)

Thank you!

/mjt
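
The manual lookup done in this message (find the SID named in the log error, then look for its sidMap record in idmap.ldb) can be scripted. The following is an added example, not part of the original message and not Samba code; the function names are hypothetical, and the sample input is copied from the log and ldbedit output quoted above, with the LDIF assumed to separate records by blank lines.

```python
import re

# Sample input copied from the log and ldbedit output quoted in this message.
LOG = """\
Unable to convert second SID (S-1-5-21-880456541-1649917288-23935232-513) in user token to a GID. Conversion was returned as type 0, full token:
Security token SIDs (10):
SID[ 0]: S-1-5-21-880456541-1649917288-23935232-1103
SID[ 1]: S-1-5-21-880456541-1649917288-23935232-513
SID[ 2]: S-1-5-21-880456541-1649917288-23935232-512
SID[ 4]: S-1-1-0
"""
LDIF = """\
# record 16
dn: CN=S-1-5-21-880456541-1649917288-23935232-513
objectClass: sidMap
objectSid: S-1-5-21-880456541-1649917288-23935232-513
type: ID_TYPE_GID
xidNumber: 100
"""
SID_RE = r"S-1(?:-\d+)+"

def parse_token(log):
    """Return (SID named in the error, [token SIDs in order]) from the log text."""
    m = re.search(r"Unable to convert \w+ SID \((" + SID_RE + r")\)", log)
    sids = re.findall(r"SID\[\s*\d+\]:\s*(" + SID_RE + r")", log)
    return (m.group(1) if m else None), sids

def parse_sidmap(ldif):
    """Return {sid: (type, xid)} for each sidMap record in the LDIF text."""
    out = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in block.splitlines()
                     if ": " in l and not l.startswith("#"))
        if attrs.get("objectClass") == "sidMap" and "objectSid" in attrs:
            xid = attrs.get("xidNumber")
            out[attrs["objectSid"]] = (attrs.get("type"), int(xid) if xid else None)
    return out

def report(log, ldif):
    """One row per token SID: (sid, mapped type, xid, is the SID from the error)."""
    failing, sids = parse_token(log)
    idmap = parse_sidmap(ldif)
    return [(sid, *idmap.get(sid, (None, None)), sid == failing) for sid in sids]

if __name__ == "__main__":
    for sid, typ, xid, failed in report(LOG, LDIF):
        print("!" if failed else " ", sid, typ or "no record", "" if xid is None else xid)
```

With the values from this message, the flagged SID does have a sidMap record of type ID_TYPE_GID with xidNumber 100, which is the discrepancy with the logged "type 0" that the message asks about.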