samba - Jan 2015 - Administrators SID is invalid.

>>>>>>>>>>> I've got a samba 4.2 DC, which
has worked well for about a month
>>>>>>>>>>> now. It
>>>>>>>>>>> still works for all users except
"Administrator".
>>>>>>>>>>>
>>>>>>>>>>> If I login to a Windows box with
the Administrator account, I
>>>>>>>>>>> can't
>>>>>>>>>>> connect to any shares and clicking
on a mapped drive returns the
>>>>>>>>>>> error
>>>>>>>>>>> "The security ID structure is
invalid".
>>>>>>>>>>>
>>>>>>>>>>> Opening "Active Directory
Users and Computers" on the Windows box
>>>>>>>>>>> returns "The RPC server is
unavailable".
>>>>>>>>>>>
>>>>>>>>>>> Using "smbclient -L localhost
-UAdministrator" on the GNU/Linux
>>>>>>>>>>> server
>>>>>>>>>>> running samba I receife this error:
"session setup failed:
>>>>>>>>>>> NT_STATUS_INVALID_SID".
>>>> Hm, you said that you were using samba 4.2 and your smb.conf
confirms
>>>> this (you are using the new(old) winbind 'winbindd')
and I would have
>>>> thought that there would now be some of the familiar
'winbind' lines
>>>> in smb.conf. I would have thought the lines to map the builtin
users
>>>> would be there:
>>>>
>>>>          idmap config * : backend = tdb
>>>>          idmap config * : range = 2000-9999
>>>>
>>>> But I suppose that idmap.ldb is still doing this.
>>>>
>>>> This leads to what I think must be last thoughts on this, I
wonder if
>>>> the Administrators SID is wrong in idmap.ldb:
Hello to all.

i am still under this problem in 2 samba server 4.2*

same problem and same behavior after a month for one server and two week for
another

My system is:
Centos 6.5
addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 
2014 x86_64 x86_64 x86_64 GNU/Linux
and Samba version 4.2.0rc2


then i have done the Rowland suggestion about check the administrator sid and 
the results was:

---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
cn=Administrator
dn: CN=Administrator,CN=Users,DC=domain,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20140918163432.0Z
uSNCreated: 3545
name: Administrator
objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
pwdLastSet: 130658091420000000
whenChanged: 20150115152542.0Z
uSNChanged: 4885
distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan

# Referral
ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan

# returned 4 records
# 1 entries
# 3 referrals


---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb DC=domain 
| grep objectSid
objectSid: S-1-5-21-2643849351-2101160060-2305757802


---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb

# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
cn: S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500


as reported the time is correct and administrator account never expire
you can check here 
http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime

i have noted that sid error "sometimes" (30 sec on 2/3 hour
sometimes)not appear
and i can work correctly with my administrator account for 30-40 sec.
the same thing is on both of samba 4.2*

i've tested this error from winxp/7/8/8.1 and is always the same.



i post the smb.conf

# Global parameters
[global]
     workgroup = DOMAIN
     realm = DOMAIN.LAN
     netbios name = ADDOMAIN
     server role = active directory domain controller
     dns forwarder = 8.8.8.8
     idmap_ldb:use rfc2307 = yes
     spoolss: architecture = Windows x64



[netlogon]
     path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
     read only = No

[sysvol]
     path = /usr/local/samba/var/locks/sysvol
     read only = No

[public]
         path = /dati/public
         read only = No

[users]
         path = /dati/users
         read only = No

[profiles]
         path = /dati/profiles
         read only = No
     oplocks=no

[printers]
      path = /var/spool/samba
      printable = yes
      printing = CUPS

[print$]
      path = /srv/samba/Printer_drivers
      comment = Printer Drivers
      writeable = yes



in messages.log i have something when i try to login with administrator account 
with the right password; here i have a "Unable to convert SID"


Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] 
../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jan 17 15:08:52 addomain smbd[21942]:   Unable to convert SID 
(S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a 
GID.  Conversion was returned as type 1, full token:
Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] 
../libcli/security/security_token.c:63(security_token_debug)
Jan 17 15:08:52 addomain smbd[21942]:   Security token SIDs (13):
Jan 17 15:08:52 addomain smbd[21942]:     SID[  0]: 
S-1-5-21-2643849351-2101160060-2305757802-500
Jan 17 15:08:52 addomain smbd[21942]:     SID[  1]: 
S-1-5-21-2643849351-2101160060-2305757802-513
Jan 17 15:08:52 addomain smbd[21942]:     SID[  2]: 
S-1-5-21-2643849351-2101160060-2305757802-520
Jan 17 15:08:52 addomain smbd[21942]:     SID[  3]: 
S-1-5-21-2643849351-2101160060-2305757802-572
Jan 17 15:08:52 addomain smbd[21942]:     SID[  4]: 
S-1-5-21-2643849351-2101160060-2305757802-519
Jan 17 15:08:52 addomain smbd[21942]:     SID[  5]: 
S-1-5-21-2643849351-2101160060-2305757802-518
Jan 17 15:08:52 addomain smbd[21942]:     SID[  6]: 
S-1-5-21-2643849351-2101160060-2305757802-512
Jan 17 15:08:52 addomain smbd[21942]:     SID[  7]: S-1-1-0
Jan 17 15:08:52 addomain smbd[21942]:     SID[  8]: S-1-5-2
Jan 17 15:08:52 addomain smbd[21942]:     SID[  9]: S-1-5-11
Jan 17 15:08:52 addomain smbd[21942]:     SID[ 10]: S-1-5-32-544
Jan 17 15:08:52 addomain smbd[21942]:     SID[ 11]: S-1-5-32-545
Jan 17 15:08:52 addomain smbd[21942]:     SID[ 12]: S-1-5-32-554
Jan 17 15:08:52 addomain smbd[21942]:    Privileges (0x 1FFFFF00):
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  0]:
SeTakeOwnershipPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  1]: SeBackupPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  2]: SeRestorePrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  3]:
SeRemoteShutdownPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  4]: SeSecurityPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  5]: SeSystemtimePrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  6]: SeShutdownPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  7]: SeDebugPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  8]: 
SeSystemEnvironmentPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  9]:
SeSystemProfilePrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 10]: 
SeProfileSingleProcessPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 11]: 
SeIncreaseBasePriorityPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 12]: SeLoadDriverPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 13]:
SeCreatePagefilePrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 14]:
SeIncreaseQuotaPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 15]:
SeChangeNotifyPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 16]: SeUndockPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 17]:
SeManageVolumePrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 18]: SeImpersonatePrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 19]:
SeCreateGlobalPrivilege
Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 20]: 
SeEnableDelegationPrivilege
Jan 17 15:08:52 addomain smbd[21942]:    Rights (0x 403):
Jan 17 15:08:52 addomain smbd[21942]:     Right[  0]: SeInteractiveLogonRight
Jan 17 15:08:52 addomain smbd[21942]:     Right[  1]: SeNetworkLogonRight
Jan 17 15:08:52 addomain smbd[21942]:     Right[  2]:
SeRemoteInteractiveLogonRight


maybe the problem was on "idmap_ldb:use rfc2307 = yes" and windbind ?

maybe this is an interesting part but i don't understand where to look.

---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
cn: S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512


Someone have my similar behavior?

any kind of help or suggestion is welcome.

Many thanks in advance!

Regards

Charles

On 17/01/15 14:39, Carlo wrote:
>
>>>>>>>>>>>> I've got a samba 4.2 DC,
which has worked well for about a
>>>>>>>>>>>> month
>>>>>>>>>>>> now. It
>>>>>>>>>>>> still works for all users
except "Administrator".
>>>>>>>>>>>>
>>>>>>>>>>>> If I login to a Windows box
with the Administrator account, I
>>>>>>>>>>>> can't
>>>>>>>>>>>> connect to any shares and
clicking on a mapped drive
>>>>>>>>>>>> returns the
>>>>>>>>>>>> error
>>>>>>>>>>>> "The security ID structure
is invalid".
>>>>>>>>>>>>
>>>>>>>>>>>> Opening "Active Directory
Users and Computers" on the
>>>>>>>>>>>> Windows box
>>>>>>>>>>>> returns "The RPC server is
unavailable".
>>>>>>>>>>>>
>>>>>>>>>>>> Using "smbclient -L
localhost -UAdministrator" on the
>>>>>>>>>>>> GNU/Linux
>>>>>>>>>>>> server
>>>>>>>>>>>> running samba I receife this
error: "session setup failed:
>>>>>>>>>>>> NT_STATUS_INVALID_SID".
>
>>>>> Hm, you said that you were using samba 4.2 and your
smb.conf confirms
>>>>> this (you are using the new(old) winbind
'winbindd') and I would have
>>>>> thought that there would now be some of the familiar
'winbind' lines
>>>>> in smb.conf. I would have thought the lines to map the
builtin users
>>>>> would be there:
>>>>>
>>>>>          idmap config * : backend = tdb
>>>>>          idmap config * : range = 2000-9999
>>>>>
>>>>> But I suppose that idmap.ldb is still doing this.
>>>>>
>>>>> This leads to what I think must be last thoughts on this, I
wonder if
>>>>> the Administrators SID is wrong in idmap.ldb:
>
> Hello to all.
>
> i am still under this problem in 2 samba server 4.2*
>
> same problem and same behavior after a month for one server and two 
> week for another
>
> My system is:
> Centos 6.5
> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 
> 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> and Samba version 4.2.0rc2
>
>
> then i have done the Rowland suggestion about check the administrator 
> sid and the results was:
>
> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
> cn=Administrator
> dn: CN=Administrator,CN=Users,DC=domain,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20140918163432.0Z
> uSNCreated: 3545
> name: Administrator
> objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
> memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
> memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
> userAccountControl: 66048
> msDS-SupportedEncryptionTypes: 0
> pwdLastSet: 130658091420000000
> whenChanged: 20150115152542.0Z
> uSNChanged: 4885
> distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
>
> # Referral
> ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
>
> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
> DC=domain | grep objectSid
> objectSid: S-1-5-21-2643849351-2101160060-2305757802
>
>
> ---/usr/local/samba/bin/ldbedit -e vi -H 
> /usr/local/samba/private/idmap.ldb
>
> # record 39
> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
> cn: S-1-5-21-2643849351-2101160060-2305757802-500
> objectClass: sidMap
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>
>
> as reported the time is correct and administrator account never expire
> you can check here 
>
http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
>
> i have noted that sid error "sometimes" (30 sec on 2/3 hour 
> sometimes)not appear and i can work correctly with my administrator 
> account for 30-40 sec.
> the same thing is on both of samba 4.2*
>
> i've tested this error from winxp/7/8/8.1 and is always the same.
>
>
>
> i post the smb.conf
>
> # Global parameters
> [global]
>     workgroup = DOMAIN
>     realm = DOMAIN.LAN
>     netbios name = ADDOMAIN
>     server role = active directory domain controller
>     dns forwarder = 8.8.8.8
>     idmap_ldb:use rfc2307 = yes
>     spoolss: architecture = Windows x64
>
>
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [public]
>         path = /dati/public
>         read only = No
>
> [users]
>         path = /dati/users
>         read only = No
>
> [profiles]
>         path = /dati/profiles
>         read only = No
>     oplocks=no
>
> [printers]
>      path = /var/spool/samba
>      printable = yes
>      printing = CUPS
>
> [print$]
>      path = /srv/samba/Printer_drivers
>      comment = Printer Drivers
>      writeable = yes
>
>
>
> in messages.log i have something when i try to login with 
> administrator account with the right password; here i have a "Unable 
> to convert SID"
>
>
> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] 
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
> Jan 17 15:08:52 addomain smbd[21942]:   Unable to convert SID 
> (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user 
> token to a GID.  Conversion was returned as type 1, full token:
> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] 
> ../libcli/security/security_token.c:63(security_token_debug)
> Jan 17 15:08:52 addomain smbd[21942]:   Security token SIDs (13):
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  0]: 
> S-1-5-21-2643849351-2101160060-2305757802-500
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  1]: 
> S-1-5-21-2643849351-2101160060-2305757802-513
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  2]: 
> S-1-5-21-2643849351-2101160060-2305757802-520
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  3]: 
> S-1-5-21-2643849351-2101160060-2305757802-572
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  4]: 
> S-1-5-21-2643849351-2101160060-2305757802-519
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  5]: 
> S-1-5-21-2643849351-2101160060-2305757802-518
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  6]: 
> S-1-5-21-2643849351-2101160060-2305757802-512
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  7]: S-1-1-0
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  8]: S-1-5-2
> Jan 17 15:08:52 addomain smbd[21942]:     SID[  9]: S-1-5-11
> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 10]: S-1-5-32-544
> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 11]: S-1-5-32-545
> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 12]: S-1-5-32-554
> Jan 17 15:08:52 addomain smbd[21942]:    Privileges (0x 1FFFFF00):
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  0]: 
> SeTakeOwnershipPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  1]: 
> SeBackupPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  2]: 
> SeRestorePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  3]: 
> SeRemoteShutdownPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  4]: 
> SeSecurityPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  5]: 
> SeSystemtimePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  6]: 
> SeShutdownPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  7]: 
> SeDebugPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  8]: 
> SeSystemEnvironmentPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  9]: 
> SeSystemProfilePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 10]: 
> SeProfileSingleProcessPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 11]: 
> SeIncreaseBasePriorityPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 12]: 
> SeLoadDriverPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 13]: 
> SeCreatePagefilePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 14]: 
> SeIncreaseQuotaPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 15]: 
> SeChangeNotifyPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 16]: 
> SeUndockPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 17]: 
> SeManageVolumePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 18]: 
> SeImpersonatePrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 19]: 
> SeCreateGlobalPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 20]: 
> SeEnableDelegationPrivilege
> Jan 17 15:08:52 addomain smbd[21942]:    Rights (0x 403):
> Jan 17 15:08:52 addomain smbd[21942]:     Right[  0]: 
> SeInteractiveLogonRight
> Jan 17 15:08:52 addomain smbd[21942]:     Right[  1]: SeNetworkLogonRight
> Jan 17 15:08:52 addomain smbd[21942]:     Right[  2]: 
> SeRemoteInteractiveLogonRight
>
>
> maybe the problem was on "idmap_ldb:use rfc2307 = yes" and
windbind ?
>
> maybe this is an interesting part but i don't understand where to look.
>
> ---/usr/local/samba/bin/ldbedit -e vi -H 
> /usr/local/samba/private/idmap.ldb
> # record 37
> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
> cn: S-1-5-21-2643849351-2101160060-2305757802-512
> objectClass: sidMap
> objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
> type: ID_TYPE_BOTH
> xidNumber: 3000008
> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>
>
> Someone have my similar behavior?
>
> any kind of help or suggestion is welcome.
>
> Many thanks in advance!
>
> Regards
>
> Charles
>
OK, I am a bit lost here, I can login as Administrator to my DC, so when 
you say 'when i try to login with administrator account with the right 
password', just how are you trying to login ?

Also, why are you using 4.2.0rc2, is this a test domain or production ?
If it is production, why are you ignoring what it says here: 
https://wiki.samba.org/index.php/Obtaining_Samba

*Warning: Never install a development version in production! It may 
contain untested features and can cause damages to your installation! 
Development releases are for testing purposes only!

*Also**why are you ignoring what it says here: 
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions

We /*_do not recommend_* using the Domain Controller as a file Server. 
This is due to issues with the winbind internal to the Domain 
Controller. The recommendation is to run separate file or Member Servers 
<https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.

This still goes with 4.2

I recommend that you try again with the latest stable release, 4.1.16 
and see if the problem still persists, if it does we stand a better 
chance of fixing it.

Rowland

/

Il 17/01/15 17:10, Rowland Penny ha scritto:
> On 17/01/15 14:39, Carlo wrote:
>>
>>>>>>>>>>>>> I've got a samba 4.2
DC, which has worked well for about a month
>>>>>>>>>>>>> now. It
>>>>>>>>>>>>> still works for all users
except "Administrator".
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I login to a Windows box
with the Administrator account, I
>>>>>>>>>>>>> can't
>>>>>>>>>>>>> connect to any shares and
clicking on a mapped drive returns the
>>>>>>>>>>>>> error
>>>>>>>>>>>>> "The security ID
structure is invalid".
>>>>>>>>>>>>>
>>>>>>>>>>>>> Opening "Active
Directory Users and Computers" on the Windows box
>>>>>>>>>>>>> returns "The RPC
server is unavailable".
>>>>>>>>>>>>>
>>>>>>>>>>>>> Using "smbclient -L
localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>>>>> server
>>>>>>>>>>>>> running samba I receife
this error: "session setup failed:
>>>>>>>>>>>>>
NT_STATUS_INVALID_SID".
>> Hello to all.
>>
>> i am still under this problem in 2 samba server 4.2*
>>
>> same problem and same behavior after a month for one server and two
week for
>> another
>>
>> My system is:
>> Centos 6.5
>> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9
21:36:05 UTC
>> 2014 x86_64 x86_64 x86_64 GNU/Linux
>> and Samba version 4.2.0rc2
>>
>>
>> then i have done the Rowland suggestion about check the administrator
sid and
>> the results was:
>>
>> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
>> cn=Administrator
>> dn: CN=Administrator,CN=Users,DC=domain,DC=lan
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Administrator
>> description: Built-in account for administering the computer/domain
>> instanceType: 4
>> whenCreated: 20140918163432.0Z
>> uSNCreated: 3545
>> name: Administrator
>> objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>> adminCount: 1
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: Administrator
>> sAMAccountType: 805306368
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
>> isCriticalSystemObject: TRUE
>> memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
>> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
>> userAccountControl: 66048
>> msDS-SupportedEncryptionTypes: 0
>> pwdLastSet: 130658091420000000
>> whenChanged: 20150115152542.0Z
>> uSNChanged: 4885
>> distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>>
>> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
>> DC=domain | grep objectSid
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802
>>
>>
>> ---/usr/local/samba/bin/ldbedit -e vi -H
/usr/local/samba/private/idmap.ldb
>>
>> # record 39
>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>> cn: S-1-5-21-2643849351-2101160060-2305757802-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>>
>>
>> as reported the time is correct and administrator account never expire
>> you can check here 
>>
http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
>>
>> i have noted that sid error "sometimes" (30 sec on 2/3 hour
sometimes)not
>> appear and i can work correctly with my administrator account for 30-40
sec.
>> the same thing is on both of samba 4.2*
>>
>> i've tested this error from winxp/7/8/8.1 and is always the same.
>>
>>
>>
>> i post the smb.conf
>>
>> # Global parameters
>> [global]
>>     workgroup = DOMAIN
>>     realm = DOMAIN.LAN
>>     netbios name = ADDOMAIN
>>     server role = active directory domain controller
>>     dns forwarder = 8.8.8.8
>>     idmap_ldb:use rfc2307 = yes
>>     spoolss: architecture = Windows x64
>>
>>
>>
>> [netlogon]
>>     path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /usr/local/samba/var/locks/sysvol
>>     read only = No
>>
>> [public]
>>         path = /dati/public
>>         read only = No
>>
>> [users]
>>         path = /dati/users
>>         read only = No
>>
>> [profiles]
>>         path = /dati/profiles
>>         read only = No
>>     oplocks=no
>>
>> [printers]
>>      path = /var/spool/samba
>>      printable = yes
>>      printing = CUPS
>>
>> [print$]
>>      path = /srv/samba/Printer_drivers
>>      comment = Printer Drivers
>>      writeable = yes
>>
>>
>>
>> in messages.log i have something when i try to login with administrator
>> account with the right password; here i have a "Unable to convert
SID"
>>
>>
>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] 
>> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>> Jan 17 15:08:52 addomain smbd[21942]:   Unable to convert SID 
>> (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user
token to a
>> GID.  Conversion was returned as type 1, full token:
>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] 
>> ../libcli/security/security_token.c:63(security_token_debug)
>> Jan 17 15:08:52 addomain smbd[21942]:   Security token SIDs (13):
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  0]: 
>> S-1-5-21-2643849351-2101160060-2305757802-500
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  1]: 
>> S-1-5-21-2643849351-2101160060-2305757802-513
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  2]: 
>> S-1-5-21-2643849351-2101160060-2305757802-520
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  3]: 
>> S-1-5-21-2643849351-2101160060-2305757802-572
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  4]: 
>> S-1-5-21-2643849351-2101160060-2305757802-519
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  5]: 
>> S-1-5-21-2643849351-2101160060-2305757802-518
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  6]: 
>> S-1-5-21-2643849351-2101160060-2305757802-512
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  7]: S-1-1-0
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  8]: S-1-5-2
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[  9]: S-1-5-11
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 10]: S-1-5-32-544
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 11]: S-1-5-32-545
>> Jan 17 15:08:52 addomain smbd[21942]:     SID[ 12]: S-1-5-32-554
>> Jan 17 15:08:52 addomain smbd[21942]:    Privileges (0x 1FFFFF00):
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  0]: 
>> SeTakeOwnershipPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  1]:
SeBackupPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  2]:
SeRestorePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  3]: 
>> SeRemoteShutdownPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  4]:
SeSecurityPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  5]:
SeSystemtimePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  6]:
SeShutdownPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  7]:
SeDebugPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  8]: 
>> SeSystemEnvironmentPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[  9]: 
>> SeSystemProfilePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 10]: 
>> SeProfileSingleProcessPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 11]: 
>> SeIncreaseBasePriorityPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 12]:
SeLoadDriverPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 13]: 
>> SeCreatePagefilePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 14]: 
>> SeIncreaseQuotaPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 15]: 
>> SeChangeNotifyPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 16]:
SeUndockPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 17]: 
>> SeManageVolumePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 18]:
SeImpersonatePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 19]: 
>> SeCreateGlobalPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:     Privilege[ 20]: 
>> SeEnableDelegationPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]:    Rights (0x 403):
>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  0]:
SeInteractiveLogonRight
>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  1]:
SeNetworkLogonRight
>> Jan 17 15:08:52 addomain smbd[21942]:     Right[  2]: 
>> SeRemoteInteractiveLogonRight
>>
>>
>> maybe the problem was on "idmap_ldb:use rfc2307 = yes" and
windbind ?
>>
>> maybe this is an interesting part but i don't understand where to
look.
>>
>> ---/usr/local/samba/bin/ldbedit -e vi -H
/usr/local/samba/private/idmap.ldb
>> # record 37
>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>> cn: S-1-5-21-2643849351-2101160060-2305757802-512
>> objectClass: sidMap
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
>> type: ID_TYPE_BOTH
>> xidNumber: 3000008
>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>>
>>
>> Someone have my similar behavior?
>>
>> any kind of help or suggestion is welcome.
>>
>> Many thanks in advance!
>>
>> Regards
>>
>> Charles
>>
>
> OK, I am a bit lost here, I can login as Administrator to my DC, so when
you
> say 'when i try to login with administrator account with the right
password',
> just how are you trying to login ?
I've tried to login with "Administrator" user in shared folder or
in user login
at windows start.

login with "Administrator" user with a wrong password samba denies
correctly the
login and don't tell nothing about SID.
Only if i put the correct password samba respond to me the Invalid SID error and
write log in messages.log and not let me to login or use shared
folder
>
> Also, why are you using 4.2.0rc2, is this a test domain or production ?
> If it is production, why are you ignoring what it says here: 
> https://wiki.samba.org/index.php/Obtaining_Samba
>
> *Warning: Never install a development version in production! It may contain
> untested features and can cause damages to your installation! Development 
> releases are for testing purposes only!
>
> *Also**why are you ignoring what it says here: 
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions
testing and all of them have the same behavior after some time.
this thread was not started by me but i've made too many piece cut of old
thread
and done some misunderstanding sorry...
>
> We /*_do not recommend_* using the Domain Controller as a file Server. This
is
> due to issues with the winbind internal to the Domain Controller. The 
> recommendation is to run separate file or Member Servers 
> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.
ok i'll use kvm to separate fileserver from domain controller in production 
because i've only one server.
>
> This still goes with 4.2
>
> I recommend that you try again with the latest stable release, 4.1.16 and
see
> if the problem still persists, if it does we stand a better chance of
fixing it.
With the latest stable release on 4.1.16  seems work well.
No more SID error
tomorrow i'll do some more accurate test
Thank you for your support Rowland

testing the 4.2rc4 the problem still exist
do you reccomend me to write something of this behaviour at 
https://bugzilla.samba.org/?
i still can reproduce the SID error with4.2rc2 /rc3 /rc4

charles
>
> Rowland
>
> /

Il 20/01/15 01:26, Andrew Bartlett ha scritto:
> On Sun, 2015-01-18 at 19:10 +0100, Carlo wrote:
>
>> With the latest stable release on 4.1.16  seems work well.
>> No more SID error
>> tomorrow i'll do some more accurate test
>> Thank you for your support Rowland
>>
>> testing the 4.2rc4 the problem still exist
>> do you reccomend me to write something of this behaviour at
>> https://bugzilla.samba.org/?
>> i still can reproduce the SID error with4.2rc2 /rc3 /rc4
> Run 'net cache flush' to clear out the incorrect cache entry
created by
> the previous versions of Samba 4.2rc that had this bug.
Tested!

this also resolve the problem if you have SID error, so the problem is on the 
cache, but the Rowland suggestion also work well.

because the problem appear only after some use or time, like 15-30 day of work 
may be the cache.

How to see what's stored in cache?

thanks Andrew
>
> Andrew Bartlett
>

On Tue, 2015-01-20 at 10:28 +0100, Carlo wrote:
> Il 20/01/15 01:26, Andrew Bartlett ha scritto:
> > On Sun, 2015-01-18 at 19:10 +0100, Carlo wrote:
> >
> >> With the latest stable release on 4.1.16  seems work well.
> >> No more SID error
> >> tomorrow i'll do some more accurate test
> >> Thank you for your support Rowland
> >>
> >> testing the 4.2rc4 the problem still exist
> >> do you reccomend me to write something of this behaviour at
> >> https://bugzilla.samba.org/?
> >> i still can reproduce the SID error with4.2rc2 /rc3 /rc4
> > Run 'net cache flush' to clear out the incorrect cache entry
created by
> > the previous versions of Samba 4.2rc that had this bug.
> 
> Tested!
> 
> this also resolve the problem if you have SID error, so the problem is on
the
> cache, but the Rowland suggestion also work well.
Reverting to the built-in winbind should be a last-resort choice, as
that code will soon go away.  
> because the problem appear only after some use or time, like 15-30 day of
work
> may be the cache.
> 
> How to see what's stored in cache?
net cache list
> thanks Andrew
> >
> > Andrew Bartlett
> >
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba