On 20/10/14 19:32, mots wrote:
> I think I've made some progress:
>
> It's not actually the user "Administrator" that's broken, it's the group
> "Administrators".
> Its SID in both sam.ldf and idmap.ldf is S-1-5-32-544, which looks kind
> of short.

No, that is the complete SID, have a look here:
http://support.microsoft.com/kb/243330

Rowland

> Is there another place where the SID for groups is stored?
>
> Kind regards,
>
> mots
>
> On 20.10.2014 at 14:41, mots wrote:
>> Alright, now it's getting weird.
>>
>> I've restored the whole /usr/local/samba/private directory from a one
>> month old backup, yet I'm still getting the same error.
>>
>> Does anyone have an idea where else the problem could be?
>>
>> Kind regards,
>>
>> mots
>>
>> On 18.10.2014 at 14:18, Rowland Penny wrote:
>>> On 18/10/14 12:26, mots wrote:
>>>> My smb.conf file is really basic. I've only added a few lines for the
>>>> print server and enabled schema updates so I could install the zarafa AD
>>>> integration. It hasn't been changed since 29.09.2014.
>>>>
>>>> -rw-r--r-- 1 root staff 1116 Sep 29 13:18 /usr/local/samba/etc/smb.conf
>>>>
>>>> # Global parameters
>>>> [global]
>>>> workgroup = CLUSTER
>>>> realm = CLUSTER.DOMAIN.CH
>>>> netbios name = SAMBA
>>>> server role = active directory domain controller
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>> idmap_ldb:use rfc2307 = yes
>>>> rpc_server:spoolss = external
>>>> rpc_daemon:spoolssd = fork
>>>> load printers = yes
>>>> spoolss: architecture = Windows x64
>>>> unix extensions = no
>>>> dsdb:schema update allowed = true
>>>> load printers = yes
>>>>
>>>>
>>>> [netlogon]
>>>> path
>>>> /usr/local/samba/var/locks/sysvol/cluster.domain.ch/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>> [printers]
>>>> path = /var/spool/samba
>>>> printable = yes
>>>> printing = CUPS
>>>>
>>>> [print$]
>>>> path = /var/shares/Printer_drivers
>>>> comment = Printer Drivers
>>>> writeable = yes
>>>>
>>>> [profile$]
>>>> path = /var/shares/profiles
>>>> read only = no
>>>>
>>>> [doc$]
>>>> path = /var/shares/docs
>>>> read only = no
>>>>
>>>> [Customer]
>>>> path = /var/shares/customer
>>>> read only = No
>>>> [Buspro]
>>>> path = /var/shares/buspro
>>>> read only = No
>>>>
>>>> [Daten]
>>>> path = /var/shares/daten
>>>> read only = no
>>>>
>>>> On 18.10.2014 at 13:18, Rowland Penny wrote:
>>>>> On 18/10/14 12:06, mots wrote:
>>>>>> Yes, the output matches the one from before.
>>>>>>
>>>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555
>>>>>>
>>>>>> On 18.10.2014 at 12:56, Rowland Penny wrote:
>>>>> OK, everything about the Administrator account seems correct (even the
>>>>> accountExpires attribute, concentrating on the expiry day & month, I
>>>>> totally missed that it wouldn't expire until the year 4253 LOL ) so I
>>>>> am at a bit of a loss now. Perhaps there is something in smb.conf that
>>>>> is causing this, so could you post your smb.conf.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>> On 18/10/14 11:45, mots wrote:
>>>>>>>> Thanks, but that didn't work, I'm still getting the same error.
>>>>>>>>
>>>>>>>> Also weird: If the account was expired, then I shouldn't have been
>>>>>>>> able to log in at all, right?
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>>
>>>>>>>> mots
>>>>>>>>
>>>>>>>> On 18.10.2014 at 11:50, Rowland Penny wrote:
>>>>>>>>> On 18/10/14 10:20, mots wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>>> now. It still works for all users except "Administrator".
>>>>>>>>>>
>>>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>>>> can't connect to any shares and clicking on a mapped drive returns
>>>>>>>>>> the error "The security ID structure is invalid".
>>>>>>>>>>
>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>
>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>> server running samba I receive this error: "session setup failed:
>>>>>>>>>> NT_STATUS_INVALID_SID".
>>>>>>>>>>
>>>>>>>>>> Is there a way to fix this without restoring the database from
>>>>>>>>>> backup?
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>>
>>>>>>>>>> mots
>>>>>>>>> possibly, have you done anything to the Administrator account ?
>>>>>>>>>
>>>>>>>>> Also can you post the (sanitized) result of:
>>>>>>>>>
>>>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>>>>>>>>>
>>>>>>>>> You may have to alter '/var/lib/samba/private/sam.ldb' with the
>>>>>>>>> path to your sam.ldb
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>> That was the only obvious problem, ok let's check if the Administrator
>>>>>>> has the correct SID:
>>>>>>>
>>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb DC=cluster | grep objectSid
>>>>>>>
>>>>>>> does the result match what you posted earlier ?
>>>>>>>
>>>>>>> objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
>>>>>>>
>>>>>>> Note: ignore the -500, this is the Administrator's RID and is always
>>>>>>> '500'
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>> Hm, you said that you were using samba 4.2 and your smb.conf confirms
>>> this (you are using the new(old) winbind 'winbindd') and I would have
>>> thought that there would now be some of the familiar 'winbind' lines
>>> in smb.conf. I would have thought the lines to map the builtin users
>>> would be there:
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>>
>>> But I suppose that idmap.ldb is still doing this.
>>>
>>> This leads to what I think must be last thoughts on this, I wonder if
>>> the Administrators SID is wrong in idmap.ldb:
>>>
>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>>
>>> Search for -500 and check the SID to see if it matches what you found
>>> earlier.
>>>
>>> Rowland
>>>
>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>>>> now. It still works for all users except "Administrator".
>>>>>>>>>>>
>>>>>>>>>>> If I login to a Windows box with the Administrator account, I
>>>>>>>>>>> can't connect to any shares and clicking on a mapped drive returns
>>>>>>>>>>> the error "The security ID structure is invalid".
>>>>>>>>>>>
>>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>>
>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>>> server running samba I receive this error: "session setup failed:
>>>>>>>>>>> NT_STATUS_INVALID_SID".

>>>> Hm, you said that you were using samba 4.2 and your smb.conf confirms
>>>> this (you are using the new(old) winbind 'winbindd') and I would have
>>>> thought that there would now be some of the familiar 'winbind' lines
>>>> in smb.conf. I would have thought the lines to map the builtin users
>>>> would be there:
>>>>
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-9999
>>>>
>>>> But I suppose that idmap.ldb is still doing this.
>>>>
>>>> This leads to what I think must be last thoughts on this, I wonder if
>>>> the Administrators SID is wrong in idmap.ldb:

Hello to all.

I am still under this problem on 2 samba 4.2* servers: same problem and
same behavior, after a month for one server and two weeks for the other.

My system is:

Centos 6.5
addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

and Samba version 4.2.0rc2.

Then I followed Rowland's suggestion about checking the administrator SID,
and the results were:

---
/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb cn=Administrator

dn: CN=Administrator,CN=Users,DC=domain,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20140918163432.0Z
uSNCreated: 3545
name: Administrator
objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
pwdLastSet: 130658091420000000
whenChanged: 20150115152542.0Z
uSNChanged: 4885
distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan

# returned 4 records
# 1 entries
# 3 referrals

---
/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb DC=domain | grep objectSid

objectSid: S-1-5-21-2643849351-2101160060-2305757802

---
/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb

# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
cn: S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500

As reported, the time is correct and the administrator account never
expires; you can check here:
http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime

I have noted that the SID error "sometimes" (30 sec in 2/3 hours, sometimes)
does not appear and I can work correctly with my administrator account for
30-40 sec. The same thing happens on both of the samba 4.2* servers. I've
tested this error from winxp/7/8/8.1 and it is always the same.

I post the smb.conf:

# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.LAN
netbios name = ADDOMAIN
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
spoolss: architecture = Windows x64

[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[public]
path = /dati/public
read only = No

[users]
path = /dati/users
read only = No

[profiles]
path = /dati/profiles
read only = No
oplocks=no

[printers]
path = /var/spool/samba
printable = yes
printing = CUPS

[print$]
path = /srv/samba/Printer_drivers
comment = Printer Drivers
writeable = yes

In messages.log I have something when I try to login with the administrator
account with the right password; here I have an "Unable to convert SID":

Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a GID. Conversion was returned as type 1, full token:
Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] ../libcli/security/security_token.c:63(security_token_debug)
Jan 17 15:08:52 addomain smbd[21942]: Security token SIDs (13):
Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]: S-1-5-21-2643849351-2101160060-2305757802-500
Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]: S-1-5-21-2643849351-2101160060-2305757802-513
Jan 17 15:08:52 addomain smbd[21942]: SID[ 2]: S-1-5-21-2643849351-2101160060-2305757802-520
Jan 17 15:08:52 addomain smbd[21942]: SID[ 3]: S-1-5-21-2643849351-2101160060-2305757802-572
Jan 17 15:08:52 addomain smbd[21942]: SID[ 4]: S-1-5-21-2643849351-2101160060-2305757802-519
Jan 17 15:08:52 addomain smbd[21942]: SID[ 5]: S-1-5-21-2643849351-2101160060-2305757802-518
Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]: S-1-5-21-2643849351-2101160060-2305757802-512
Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
Jan 17 15:08:52 addomain smbd[21942]: SID[ 8]: S-1-5-2
Jan 17 15:08:52 addomain smbd[21942]: SID[ 9]: S-1-5-11
Jan 17 15:08:52 addomain smbd[21942]: SID[ 10]: S-1-5-32-544
Jan 17 15:08:52 addomain smbd[21942]: SID[ 11]: S-1-5-32-545
Jan 17 15:08:52 addomain smbd[21942]: SID[ 12]: S-1-5-32-554
Jan 17 15:08:52 addomain smbd[21942]: Privileges (0x 1FFFFF00):
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 0]: SeTakeOwnershipPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 1]: SeBackupPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 2]: SeRestorePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 3]: SeRemoteShutdownPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 4]: SeSecurityPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 5]: SeSystemtimePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 6]: SeShutdownPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 7]: SeDebugPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 8]: SeSystemEnvironmentPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 9]: SeSystemProfilePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 10]: SeProfileSingleProcessPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 12]: SeLoadDriverPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 13]: SeCreatePagefilePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 14]: SeIncreaseQuotaPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 15]: SeChangeNotifyPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 16]: SeUndockPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 17]: SeManageVolumePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 18]: SeImpersonatePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 19]: SeCreateGlobalPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 20]: SeEnableDelegationPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Rights (0x 403):
Jan 17 15:08:52 addomain smbd[21942]: Right[ 0]: SeInteractiveLogonRight
Jan 17 15:08:52 addomain smbd[21942]: Right[ 1]: SeNetworkLogonRight
Jan 17 15:08:52 addomain smbd[21942]: Right[ 2]: SeRemoteInteractiveLogonRight

Maybe the problem is in "idmap_ldb:use rfc2307 = yes" and winbind?

Maybe this is an interesting part, but I don't understand where to look.

---
/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb

# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
cn: S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512

Does someone have similar behavior? Any kind of help or suggestion is welcome.

Many thanks in advance!

Regards
Charles
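Two things in this thread are easy to check mechanically: Rowland's point that S-1-5-32-544 is a complete (BUILTIN) SID and not a truncated domain SID, and the "Unable to convert SID ... to a GID. Conversion was returned as type 1" line in Charles's log, which is smbd rejecting a group SID in the token because idmap did not hand back a GID-capable mapping. The following Python script is an added example written for this page; it is not code from the thread or from Samba. It parses SIDs by the S-revision-authority-subauthorities layout (KB243330), names the well-known SIDs and RIDs seen in the token above, reads sidMap records in the ldbedit/ldbsearch format shown in the thread, and reports which token SIDs would fail the UID/GID conversion. The numbering of ID_TYPE_* is assumed from Samba's idmap IDL (ID_TYPE_UID = 1); the sample idmap records and the short token are constructed for the demo (the -512 record is deliberately given ID_TYPE_UID to reproduce the "type 1" symptom, unlike record 37 on the page).

```python
"""Classify the SIDs in a Samba security token and check each against
idmap.ldb-style sidMap records (added example, not Samba code)."""
import re
from typing import Dict, List, Tuple

# Well-known SIDs appearing in the token on the page.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
# Well-known RIDs appended to a domain SID.
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
               518: "Schema Admins", 519: "Enterprise Admins",
               520: "Group Policy Creator Owners",
               572: "Denied RODC Password Replication Group"}
# enum id_type ordering, assumed from Samba's idmap.idl (verify for your version).
ID_TYPE = {"ID_TYPE_NOT_SPECIFIED": 0, "ID_TYPE_UID": 1, "ID_TYPE_GID": 2, "ID_TYPE_BOTH": 3}
UID_CAPABLE = {"ID_TYPE_UID", "ID_TYPE_BOTH"}
GID_CAPABLE = {"ID_TYPE_GID", "ID_TYPE_BOTH"}


def parse_sid(text: str) -> Tuple[int, int, List[int]]:
    """Split 'S-1-5-32-544' into (revision, identifier authority, sub-authorities)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES is 15
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subs


def describe_sid(text: str) -> str:
    """Well-known name, 'domain SID + RID', bare domain SID, or unrecognised."""
    _, authority, subs = parse_sid(text)
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if authority == 5 and subs[:1] == [21]:        # S-1-5-21-... is a domain SID
        if len(subs) == 4:
            return "domain SID (no RID)"
        if len(subs) == 5:
            domain = "-".join(["S-1-5"] + [str(s) for s in subs[:4]])
            return f"{domain} RID {subs[4]} ({DOMAIN_RIDS.get(subs[4], 'custom')})"
    return "unrecognised SID"


def parse_sidmap_ldif(ldif: str) -> Dict[str, str]:
    """Map objectSid -> type for every sidMap record in ldbedit/ldbsearch output."""
    mapping: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:   # skip '# record N' comments
                continue
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        if attrs.get("objectClass") == "sidMap":
            mapping[attrs["objectSid"]] = attrs["type"]
    return mapping


def token_sids(log: str) -> List[str]:
    """Pull the 'SID[ n]: ...' entries out of a security_token_debug excerpt, in order."""
    return re.findall(r"SID\[\s*\d+\]:\s*(S-[0-9-]+)", log)


def check_token(sids: List[str], sidmap: Dict[str, str]) -> Dict[str, str]:
    """Index 0 is the user (needs a UID-capable mapping); the rest are groups
    (need a GID-capable mapping). Returns only the SIDs that would fail."""
    problems: Dict[str, str] = {}
    for index, sid in enumerate(sids):
        parse_sid(sid)                      # reject anything that is not a well-formed SID
        needed, want = (UID_CAPABLE, "UID") if index == 0 else (GID_CAPABLE, "GID")
        mapping_type = sidmap.get(sid)
        if mapping_type is None:
            problems[sid] = "no sidMap record in idmap.ldb"
        elif mapping_type not in needed:
            problems[sid] = (f"mapped as {mapping_type} (type {ID_TYPE[mapping_type]}), "
                             f"cannot convert to a {want}")
    return problems


# Constructed sample data: -500 is record 39 from the page; -512 is deliberately
# ID_TYPE_UID here (unlike the page's record 37) to reproduce the 'type 1' error.
SAMPLE_IDMAP = """# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0

# constructed variant of record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_UID
xidNumber: 3000008

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""
# Constructed subset of the token in the log above (-513 has no idmap record).
SAMPLE_LOG = """smbd[21942]: Security token SIDs (4):
smbd[21942]: SID[ 0]: S-1-5-21-2643849351-2101160060-2305757802-500
smbd[21942]: SID[ 1]: S-1-5-21-2643849351-2101160060-2305757802-513
smbd[21942]: SID[ 2]: S-1-5-21-2643849351-2101160060-2305757802-512
smbd[21942]: SID[ 3]: S-1-5-32-544
"""

if __name__ == "__main__":
    sids = token_sids(SAMPLE_LOG)
    for sid in sids:
        print(f"{sid:48} {describe_sid(sid)}")
    for sid, why in check_token(sids, parse_sidmap_ldif(SAMPLE_IDMAP)).items():
        print("PROBLEM", sid, why)
```

Run against a real box, replace SAMPLE_IDMAP with the output of `ldbsearch -H /usr/local/samba/private/idmap.ldb objectClass=sidMap` and SAMPLE_LOG with the token dump from messages.log; a group SID that comes back as "no sidMap record" or as ID_TYPE_UID is exactly the case security_token_to_unix_token logs as unconvertible to a GID.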