>>> I've got a samba 4.2 DC, which has worked well for about a month
>>> now. It still works for all users except "Administrator".
>>>
>>> If I login to a Windows box with the Administrator account, I can't
>>> connect to any shares and clicking on a mapped drive returns the
>>> error "The security ID structure is invalid".
>>>
>>> Opening "Active Directory Users and Computers" on the Windows box
>>> returns "The RPC server is unavailable".
>>>
>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>> server running samba I receive this error: "session setup failed:
>>> NT_STATUS_INVALID_SID".

>> Hm, you said that you were using samba 4.2 and your smb.conf confirms
>> this (you are using the new(old) winbind 'winbindd') and I would have
>> thought that there would now be some of the familiar 'winbind' lines
>> in smb.conf. I would have thought the lines to map the builtin users
>> would be there:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>>
>> But I suppose that idmap.ldb is still doing this.
>>
>> This leads to what I think must be last thoughts on this, I wonder if
>> the Administrators SID is wrong in idmap.ldb:

Hello to all.
I am still having this problem on 2 samba 4.2* servers: same problem and
same behavior, after a month for one server and two weeks for the other.

My system is:
Centos 6.5
addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
and Samba version 4.2.0rc2

Then I followed Rowland's suggestion to check the Administrator SID, and
the results were:

--- /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb cn=Administrator
dn: CN=Administrator,CN=Users,DC=domain,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20140918163432.0Z
uSNCreated: 3545
name: Administrator
objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
pwdLastSet: 130658091420000000
whenChanged: 20150115152542.0Z
uSNChanged: 4885
distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan

# returned 4 records
# 1 entries
# 3 referrals

--- /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb DC=domain | grep objectSid
objectSid: S-1-5-21-2643849351-2101160060-2305757802

--- /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb

# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
cn: S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500

As reported, the time is correct and the Administrator account never
expires; you can check here:
http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime

I have noted that the SID error "sometimes" (30 sec every 2/3 hours,
sometimes) does not appear and I can work correctly with my Administrator
account for 30-40 sec. The same thing happens on both samba 4.2* servers.

I've tested this error from WinXP/7/8/8.1 and it is always the same.

I post the smb.conf:

# Global parameters
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        netbios name = ADDOMAIN
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        spoolss: architecture = Windows x64

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[public]
        path = /dati/public
        read only = No

[users]
        path = /dati/users
        read only = No

[profiles]
        path = /dati/profiles
        read only = No
        oplocks = no

[printers]
        path = /var/spool/samba
        printable = yes
        printing = CUPS

[print$]
        path = /srv/samba/Printer_drivers
        comment = Printer Drivers
        writeable = yes

In messages.log I have something when I try to login with the
Administrator account with the right password; here I have an "Unable to
convert SID":

Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a GID. Conversion was returned as type 1, full token:
Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] ../libcli/security/security_token.c:63(security_token_debug)
Jan 17 15:08:52 addomain smbd[21942]: Security token SIDs (13):
Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]: S-1-5-21-2643849351-2101160060-2305757802-500
Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]: S-1-5-21-2643849351-2101160060-2305757802-513
Jan 17 15:08:52 addomain smbd[21942]: SID[ 2]: S-1-5-21-2643849351-2101160060-2305757802-520
Jan 17 15:08:52 addomain smbd[21942]: SID[ 3]: S-1-5-21-2643849351-2101160060-2305757802-572
Jan 17 15:08:52 addomain smbd[21942]: SID[ 4]: S-1-5-21-2643849351-2101160060-2305757802-519
Jan 17 15:08:52 addomain smbd[21942]: SID[ 5]: S-1-5-21-2643849351-2101160060-2305757802-518
Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]: S-1-5-21-2643849351-2101160060-2305757802-512
Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
Jan 17 15:08:52 addomain smbd[21942]: SID[ 8]: S-1-5-2
Jan 17 15:08:52 addomain smbd[21942]: SID[ 9]: S-1-5-11
Jan 17 15:08:52 addomain smbd[21942]: SID[ 10]: S-1-5-32-544
Jan 17 15:08:52 addomain smbd[21942]: SID[ 11]: S-1-5-32-545
Jan 17 15:08:52 addomain smbd[21942]: SID[ 12]: S-1-5-32-554
Jan 17 15:08:52 addomain smbd[21942]: Privileges (0x 1FFFFF00):
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 0]: SeTakeOwnershipPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 1]: SeBackupPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 2]: SeRestorePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 3]: SeRemoteShutdownPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 4]: SeSecurityPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 5]: SeSystemtimePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 6]: SeShutdownPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 7]: SeDebugPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 8]: SeSystemEnvironmentPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 9]: SeSystemProfilePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 10]: SeProfileSingleProcessPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 12]: SeLoadDriverPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 13]: SeCreatePagefilePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 14]: SeIncreaseQuotaPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 15]: SeChangeNotifyPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 16]: SeUndockPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 17]: SeManageVolumePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 18]: SeImpersonatePrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 19]: SeCreateGlobalPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 20]: SeEnableDelegationPrivilege
Jan 17 15:08:52 addomain smbd[21942]: Rights (0x 403):
Jan 17 15:08:52 addomain smbd[21942]: Right[ 0]: SeInteractiveLogonRight
Jan 17 15:08:52 addomain smbd[21942]: Right[ 1]: SeNetworkLogonRight
Jan 17 15:08:52 addomain smbd[21942]: Right[ 2]: SeRemoteInteractiveLogonRight

Maybe the problem was with "idmap_ldb:use rfc2307 = yes" and winbind?

Maybe this is an interesting part, but I don't understand where to look.

--- /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
cn: S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512

Does someone have similar behavior? Any kind of help or suggestion is
welcome.

Many thanks in advance!

Regards
Charles
On 17/01/15 14:39, Carlo wrote:
> Hello to all.
> [...]
> Many thanks in advance!
>
> Regards
>
> Charles

OK, I am a bit lost here, I can login as Administrator to my DC, so when
you say 'when i try to login with administrator account with the right
password', just how are you trying to login?

Also, why are you using 4.2.0rc2, is this a test domain or production?
If it is production, why are you ignoring what it says here:
https://wiki.samba.org/index.php/Obtaining_Samba

    Warning: Never install a development version in production! It may
    contain untested features and can cause damages to your installation!
    Development releases are for testing purposes only!

Also, why are you ignoring what it says here:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions

    We do not recommend using the Domain Controller as a file Server.
    This is due to issues with the winbind internal to the Domain
    Controller. The recommendation is to run separate file or Member
    Servers <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.

This still goes with 4.2.

I recommend that you try again with the latest stable release, 4.1.16,
and see if the problem still persists; if it does we stand a better
chance of fixing it.

Rowland
On 17/01/15 17:10, Rowland Penny wrote:
> On 17/01/15 14:39, Carlo wrote:
>> Hello to all.
>> [...]
>> Any kind of help or suggestion is welcome.
>>
>> Many thanks in advance!
>>
>> Regards
>>
>> Charles
>
> OK, I am a bit lost here, I can login as Administrator to my DC, so
> when you say 'when i try to login with administrator account with the
> right password', just how are you trying to login ?

I've tried to login with the "Administrator" user on a shared folder or
at the user login at Windows start. If I login with the "Administrator"
user with a wrong password, samba correctly denies the login and says
nothing about the SID. Only if I put the correct password does samba
respond with the Invalid SID error, write the log in messages.log and
not let me login or use the shared folder.

> Also, why are you using 4.2.0rc2, is this a test domain or production ?
> If it is production, why are you ignoring what it says here:
> https://wiki.samba.org/index.php/Obtaining_Samba
>
> Warning: Never install a development version in production! It may
> contain untested features and can cause damages to your installation!
> Development releases are for testing purposes only!
>
> Also, why are you ignoring what it says here:
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions

Testing, and all of them have the same behavior after some time. This
thread was not started by me, but I've cut too many pieces out of the old
thread and caused some misunderstanding, sorry...

> We do not recommend using the Domain Controller as a file Server. This
> is due to issues with the winbind internal to the Domain Controller.
> The recommendation is to run separate file or Member Servers
> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.

OK, I'll use KVM to separate the fileserver from the domain controller
in production, because I've only one server.

> This still goes with 4.2
>
> I recommend that you try again with the latest stable release, 4.1.16
> and see if the problem still persists, if it does we stand a better
> chance of fixing it.

With the latest stable release, 4.1.16, it seems to work well.
No more SID error.
Tomorrow I'll do some more accurate tests.
Thank you for your support Rowland.

Testing 4.2rc4, the problem still exists.
Do you recommend me to write something about this behaviour at
https://bugzilla.samba.org/?
I can still reproduce the SID error with 4.2rc2 /rc3 /rc4.

Charles

> Rowland
On 20/01/15 01:26, Andrew Bartlett wrote:
> On Sun, 2015-01-18 at 19:10 +0100, Carlo wrote:
>
>> With the latest stable release, 4.1.16, it seems to work well.
>> No more SID error.
>> Tomorrow I'll do some more accurate tests.
>> Thank you for your support Rowland.
>>
>> Testing 4.2rc4, the problem still exists.
>> Do you recommend me to write something about this behaviour at
>> https://bugzilla.samba.org/?
>> I can still reproduce the SID error with 4.2rc2 /rc3 /rc4.
>
> Run 'net cache flush' to clear out the incorrect cache entry created by
> the previous versions of Samba 4.2rc that had this bug.

Tested! This also resolves the problem if you have the SID error, so the
problem is in the cache, but Rowland's suggestion also works well.

Because the problem appears only after some use or time, like 15-30 days
of work, it may be the cache.

How to see what's stored in the cache?

Thanks Andrew

> Andrew Bartlett
On Tue, 2015-01-20 at 10:28 +0100, Carlo wrote:
> On 20/01/15 01:26, Andrew Bartlett wrote:
>> Run 'net cache flush' to clear out the incorrect cache entry created by
>> the previous versions of Samba 4.2rc that had this bug.
>
> Tested!
>
> This also resolves the problem if you have the SID error, so the
> problem is in the cache, but Rowland's suggestion also works well.

Reverting to the built-in winbind should be a last-resort choice, as
that code will soon go away.

> Because the problem appears only after some use or time, like 15-30
> days of work, it may be the cache.
>
> How to see what's stored in the cache?

net cache list

> Thanks Andrew
>
>> Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team       http://samba.org
Samba Developer, Catalyst IT               http://catalyst.net.nz/services/samba
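As an added example (my own script, not code from the thread or from the Samba project), the following Python cross-checks Carlo's "Unable to convert SID ... to a GID" log line against the idmap.ldb records he posted and classifies the failure the way Andrew's 'net cache flush' answer implies: idmap.ldb holds ID_TYPE_BOTH for the -512 (Domain Admins) SID, yet the running smbd answered with id_type 1. Assumptions: the id_type numbering (1 = ID_TYPE_UID, 3 = ID_TYPE_BOTH) is my reading of Samba's idmap.idl, and the sample log and LDIF are reconstructed from the thread's own output.

```python
from __future__ import annotations
import re

# Samba's enum id_type (librpc/idl/idmap.idl) as I read it; the numbering is
# an assumption: 0 = NOT_SPECIFIED, 1 = UID, 2 = GID, 3 = BOTH.
ID_TYPE_NAMES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID",
                 2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}
GID_CAPABLE = {"ID_TYPE_GID", "ID_TYPE_BOTH"}  # only these can yield a GID

TOKEN_SID_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1-[\d-]+)")
CONVERT_ERR_RE = re.compile(
    r"Unable to convert SID \((S-1-[\d-]+)\) at index (\d+) in user token"
    r" to a GID\.\s*Conversion was returned as type (\d+)")


def parse_token_sids(log: str) -> list[str]:
    """SIDs of the security_token_debug dump, in token index order."""
    by_index = {int(i): sid for i, sid in TOKEN_SID_RE.findall(log)}
    return [by_index[i] for i in sorted(by_index)]


def parse_conversion_error(log: str) -> dict | None:
    """Pull SID, token index and returned id_type out of the smbd error."""
    m = CONVERT_ERR_RE.search(log)
    if m is None:
        return None
    return {"sid": m.group(1), "index": int(m.group(2)),
            "runtime_type": ID_TYPE_NAMES.get(int(m.group(3)), "unknown")}


def parse_idmap_ldif(text: str) -> dict[str, dict[str, str]]:
    """Index the sidMap records of an ldbedit/ldbsearch idmap.ldb dump by SID."""
    records: dict[str, dict[str, str]] = {}
    current: dict[str, str] = {}
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last record
        line = raw.strip()
        if not line or line.startswith("#"):    # blank line or "# record N"
            if "objectSid" in current:
                records[current["objectSid"]] = current
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records


def diagnose(log: str, idmap_ldif: str) -> dict:
    """Explain a security_token_to_unix_token GID failure using idmap.ldb."""
    err = parse_conversion_error(log)
    if err is None:
        return {"verdict": "no-conversion-error"}
    sids = parse_token_sids(log)
    # The index in the message should point at the SID the message names.
    index_ok = err["index"] < len(sids) and sids[err["index"]] == err["sid"]
    rec = parse_idmap_ldif(idmap_ldif).get(err["sid"], {})
    if not rec:
        verdict = "no-idmap-record"
    elif rec.get("type") not in GID_CAPABLE:
        verdict = "idmap-record-cannot-yield-gid"
    elif err["runtime_type"] not in GID_CAPABLE:
        # idmap.ldb allows a GID, yet the running smbd answered with a
        # UID-only type: a stale cached mapping is the likely explanation.
        verdict = "stale-cache-suspected"
    else:
        verdict = "consistent"
    return {**err, "index_matches_token": index_ok, "verdict": verdict,
            "ldb_type": rec.get("type"), "xidNumber": rec.get("xidNumber")}


# Constructed sample input, rebuilt from the thread's messages.log excerpt and
# the two idmap.ldb records (same SIDs, same token order, same types).
DOM = "S-1-5-21-2643849351-2101160060-2305757802"
PREFIX = "Jan 17 15:08:52 addomain smbd[21942]: "
TOKEN = [f"{DOM}-{rid}" for rid in (500, 513, 520, 572, 519, 518, 512)] + [
    "S-1-1-0", "S-1-5-2", "S-1-5-11", "S-1-5-32-544", "S-1-5-32-545",
    "S-1-5-32-554"]
SAMPLE_LOG = "\n".join(
    [f"{PREFIX}Unable to convert SID ({DOM}-512) at index 6 in user token to a GID.",
     "Conversion was returned as type 1, full token:",
     f"{PREFIX}Security token SIDs (13):"]
    + [f"{PREFIX}SID[ {i}]: {sid}" for i, sid in enumerate(TOKEN)])
SAMPLE_IDMAP = f"""# record 39
dn: CN={DOM}-500
objectClass: sidMap
objectSid: {DOM}-500
type: ID_TYPE_UID
xidNumber: 0

# record 37
dn: CN={DOM}-512
objectClass: sidMap
objectSid: {DOM}-512
type: ID_TYPE_BOTH
xidNumber: 3000008
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_IDMAP))
```

On a live DC the same check can be fed the real dump (ldbsearch -H /usr/local/samba/private/idmap.ldb) and the smbd log; a "stale-cache-suspected" verdict is the case the thread resolves with 'net cache flush', while "idmap-record-cannot-yield-gid" points at idmap.ldb itself.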