I recently upgraded Samba on my DC from a working 4.3 installation to 4.5.0. Once done, I followed the instructions here:

https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes

and ran:

samba-tool dbcheck --cross-ncs --fix --yes

After that, I can no longer access the shares on this machine. I get the "Security ID structure is invalid" error above. In addition, the RSAT can't speak to the DC, and other linux boxes (running sssd) are saying "Authentication server cannot be found".

I am able to access the server using an ldap browser and am trying to piece my way to fixing this, but am coming up empty handed. This is my home server and only has three users, so I could technically wipe and rebuild the server, but since I have many clients who use Samba, I would like to figure out how to fix this in case it comes up again.

The syslog is giving the following errors:

Oct 4 13:56:15 harleyquinn smbd[17702]: Unable to convert SID (S-1-5-11) at index 5 in user token to a GID. Conversion was returned as type 0, full token:
Oct 4 13:56:15 harleyquinn smbd[17702]: [2016/10/04 13:56:15.283772, 0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 4 13:56:15 harleyquinn smbd[17702]: Security token SIDs (8):
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 0]: S-1-5-21-1319907214-2951884047-2640289736-1105
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 1]: S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 2]: S-1-5-21-1319907214-2951884047-2640289736-513
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 3]: S-1-1-0
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 4]: S-1-5-2
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 5]: S-1-5-11
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 6]: S-1-5-32-545
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 7]: S-1-5-32-554
Oct 4 13:56:15 harleyquinn smbd[17702]: Privileges (0x 800000):
Oct 4 13:56:15 harleyquinn smbd[17702]: Privilege[ 0]: SeChangeNotifyPrivilege
Oct 4 13:56:15 harleyquinn smbd[17702]: Rights (0x 400):
Oct 4 13:56:15 harleyquinn smbd[17702]: Right[ 0]: SeRemoteInteractiveLogonRight
Oct 4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367502, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Oct 4 13:56:15 harleyquinn smbd[17703]: Unable to convert SID (S-1-5-11) at index 5 in user token to a GID. Conversion was returned as type 0, full token:
Oct 4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367835, 0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 4 13:56:15 harleyquinn smbd[17703]: Security token SIDs (8):
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 0]: S-1-5-21-1319907214-2951884047-2640289736-1105
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 1]: S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 2]: S-1-5-21-1319907214-2951884047-2640289736-513
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 3]: S-1-1-0
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 4]: S-1-5-2
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 5]: S-1-5-11
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 6]: S-1-5-32-545
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 7]: S-1-5-32-554
Oct 4 13:56:15 harleyquinn smbd[17703]: Privileges (0x 800000):
Oct 4 13:56:15 harleyquinn smbd[17703]: Privilege[ 0]: SeChangeNotifyPrivilege
Oct 4 13:56:15 harleyquinn smbd[17703]: Rights (0x 400):
Oct 4 13:56:15 harleyquinn smbd[17703]: Right[ 0]: SeRemoteInteractiveLogonRight

These are repeated for various SIDs.

Also, the samba-tool dbcheck is unable to fix the following:

ERROR: incorrect GUID component for member in object CN=Domain Admins,CN=Users,DC=dc1,DC=evilgenius,DC=net - <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
Change DN to <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
ERROR: Failed to fix incorrect GUID on attribute member : (53, 'Attribute member already deleted for target GUID a8e1e07a-cab8-4222-a024-97d59084268b')

I'm not even sure where to start fixing this and am not finding anything similar via google.

-Ron

--
Ron García-Vidal | President | Riomar Group (A NYC, NYS & PANYNJ Certified MBE & DBE)
1315 Prospect Ave., First Floor | Brooklyn, NY 11218
7400 SW 50th Street, Unit 304 | Miami, FL 33155
(347) 746-6276 | www.riomargroup.com
ron at riomargroup.com
On Tue, 4 Oct 2016 14:00:02 -0400 Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> Also, the samba-tool dbcheck is unable to fix the following:
>
> ERROR: incorrect GUID component for member in object CN=Domain Admins,CN=Users,DC=dc1,DC=evilgenius,DC=net - <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
> Change DN to <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
> ERROR: Failed to fix incorrect GUID on attribute member : (53, 'Attribute member already deleted for target GUID a8e1e07a-cab8-4222-a024-97d59084268b')
>
> I'm not even sure where to start fixing this and am not finding anything similar via google.

It looks like you have a dangling link for a member of Domain Admins that has been deleted.

Try searching AD for 'S-1-5-21-1319907214-2951884047-2640289736-1117' and if it doesn't exist, see if you can identify the user in the Domain Admins object and delete that.
Back everything up first.

Rowland
On 10/4/16 2:40 PM, Rowland Penny via samba wrote:

> It looks like you have a dangling link for a member of Domain Admins that has been deleted.
>
> Try searching AD for 'S-1-5-21-1319907214-2951884047-2640289736-1117' and if it doesn't exist, see if you can identify the user in the Domain Admins object and delete that.
> Back everything up first.

The DN indicated is a user called LDAP User that I created to interact with the LDAP. And that user's SID is the one ending in 1117. The thing is, that user isn't in "members" of the Domain Admins. The only users in that group are Administrator and my user account. I tried adding LDAP User to the Domain Admins group and removing it; the problem still persists.
To add to this, when I run the samba-tool dbcheck without the --fix option, I get two additional entries:

ERROR: incorrect GUID component for member in object CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing incorrect GUID
ERROR: incorrect DN SID component for member in object CN=Schema Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<RMD_ADDTIME=130335204740000000>;<RMD_CHANGETIME=130335284920000000>;<RMD_FLAGS=1>;<RMD_INVOCID=bf3306c6-bbc7-40c7-b63f-9b2c6f6ffe2a>;<RMD_LOCAL_USN=6243>;<RMD_ORIGINATING_USN=6243>;<RMD_VERSION=3>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing SID component mismatch
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=dc1,DC=mydomain,DC=net - <GUID=7a02c46a50021940a2a812cc03497f7f>;<RMD_ADDTIME=130335204750000000>;<RMD_CHANGETIME=130335204750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6230>;<RMD_ORIGINATING_USN=6230>;<RMD_VERSION=1>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing SID component mismatch

In all three cases, the CN is LDAP User, but 1) LDAP User is not in any of these three groups and 2) the GUID component listed is different (what does the GUID refer to? I'm not seeing it in LDAP. I am seeing an objectGUID; is that the same thing?)

-Ron
Here is some more information that could be helpful. This is the entry for LDAP User in ldbedit:

# record 253
dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: LDAP User
sn: User
givenName: LDAP
instanceType: 4
whenCreated: 20140106220805.0Z
displayName: LDAP User
uSNCreated: 6218
name: LDAP User
objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: LDAPUser
sAMAccountType: 805306368
userPrincipalName: LDAPUser at dc1.mydomain.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
pwdLastSet: 130335199430000000
lockoutTime: 0
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
primaryGroupID: 514
whenChanged: 20140107003451.0Z
uSNChanged: 6241
distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net

Here is the entry for Domain Admins:

# record 70
dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
instanceType: 4
whenCreated: 20131130221548.0Z
uSNCreated: 3549
name: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
whenChanged: 20161004204939.0Z
uSNChanged: 49368
distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net

I'm not really understanding where the dbcheck errors are coming from. Please let me know if further log info would be helpful.

-Ron
On Wed, 5 Oct 2016 10:37:51 -0400 Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> Here is some more information that could be helpful. This is the entry for LDAP User in ldbedit:
>
> # record 253
> dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
> objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
> sAMAccountName: LDAPUser
> primaryGroupID: 514

I don't know if this is part of your problem, but why is the primaryGroupID of LDAPUser 'Domain Guests'??
Try changing it to 513 (Domain Users)

Rowland
On 10/5/16 11:17 AM, Rowland Penny via samba wrote:

> I don't know if this is part of your problem, but why is the primaryGroupID of LDAPUser 'Domain Guests'??
> Try changing it to 513 (Domain Users)

I get the following error from both ldbedit and from ldapadmin:

failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net - error in module samldb: Unwilling to perform during LDB_MODIFY
On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:

> I get the following error from both ldbedit and from ldapadmin:
>
> failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net - error in module samldb: Unwilling to perform during LDB_MODIFY

In trying to sort through this myself, I seem to be missing something. Can anyone shed light on why samba-tool dbcheck gives me this message?

ERROR: incorrect GUID component for member in object CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net

The GUID that it's giving doesn't show up anywhere when I ldbedit my sam.db. I'm trying to figure out how I can manually correct the GUID component that it's screaming about, but I can't find anything in the sam.db that mentions GUID other than objectGUID. Any hints?

-Ron
lingpanda101 at gmail.com
2016-Oct-06 16:50 UTC
[Samba] The security id structure is invalid
On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:

> In trying to sort through this myself, I seem to be missing something. Can anyone shed light on why samba-tool dbcheck gives me this message?
>
> ERROR: incorrect GUID component for member in object CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>
> The GUID that it's giving doesn't show up anywhere when I ldbedit my sam.db. I'm trying to figure out how I can manually correct the GUID component that it's screaming about, but I can't find anything in the sam.db that mentions GUID other than objectGUID. Any hints?

Ron,

I haven't read through this whole thread, but is user 'LDAP User' a deleted object? If so, it's harmless. A fix at some point will come to remove these from 'dbcheck'. I had similar issues. See my thread:

http://samba.2283325.n4.nabble.com/replPropertyMetaData-amp-KCC-issues-after-updating-to-Samba-4-5-0-td4707962.html#a4708208

--
-James
On Thu, 6 Oct 2016 12:35:54 -0400 Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> Can anyone shed light on why samba-tool dbcheck gives me this message?
>
> ERROR: incorrect GUID component for member in object CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net - <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>
> The GUID that it's giving doesn't show up anywhere when I ldbedit my sam.db. I'm trying to figure out how I can manually correct the GUID component that it's screaming about, but I can't find anything in the sam.db that mentions GUID other than objectGUID. Any hints?

If you examine the 'Domain Admins' object in AD, you should find lines like these:

objectGUID: 0dc3c303-b37f-4830-a1c2-d8cb7434f5d5
member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

The first is the GUID and every object in AD has one, so try searching for your GUID in this format:

7ae0e1a8-b8ca-2242-a024-97d59084268b

If you find it, the object it is in should have a 'memberof' attribute that contains the Domain Admins DN.

'member' and 'memberof' are linked; deleting the 'member' attribute should delete the 'memberof' attribute, but I do not know if the reverse works in the same way.

Rowland
On 10/6/16 1:02 PM, Rowland Penny via samba wrote:
> On Thu, 6 Oct 2016 12:35:54 -0400
> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>
>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Here is some more information that could be helpful. This is the
>>>>> entry for LDAP User in ldbedit:
>>>>>
>>>>> # record 253
>>>>> dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: LDAP User
>>>>> sn: User
>>>>> givenName: LDAP
>>>>> instanceType: 4
>>>>> whenCreated: 20140106220805.0Z
>>>>> displayName: LDAP User
>>>>> uSNCreated: 6218
>>>>> name: LDAP User
>>>>> objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: LDAPUser
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: LDAPUser at dc1.mydomain.net
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
>>>>> pwdLastSet: 130335199430000000
>>>>> lockoutTime: 0
>>>>> userAccountControl: 66048
>>>>> msDS-SupportedEncryptionTypes: 0
>>>>> primaryGroupID: 514
>>>>> whenChanged: 20140107003451.0Z
>>>>> uSNChanged: 6241
>>>>> distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>>
>>>> I don't know if this is part of your problem, but why is the
>>>> primaryGroupID of LDAPUser 'Domain Guests' ??
>>>> Try changing it to 513 (Domain Users)
>>>>
>>> I get the following error from both ldbedit and from ldapadmin:
>>>
>>> failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>> error in module samldb: Unwilling to perform during LDB_MODIFY
>>>
>> In trying to sort through this myself, I seem to be missing
>> something. Can anyone shed light on why samba-tool dbcheck gives me
>> this message?
>>
>> ERROR: incorrect GUID component for member in object CN=Domain
>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>
>> The GUID that it's giving doesn't show up anywhere when I ldbedit my
>> sam.db. I'm trying to figure out how I can manually correct the GUID
>> component that it's screaming about, but I can't find anything in the
>> sam.db that mentions GUID other than objectGUID. Any hints?
>>
>> -Ron
>>
> If you examine the 'Domain Admins' object in AD, you should find lines
> like these:
>
> objectGUID: 0dc3c303-b37f-4830-a1c2-d8cb7434f5d5
> member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>
> The first is the GUID and every object in AD has one, so try searching
> for your GUID in this format:
>
> 7ae0e1a8-b8ca-2242-a024-97d59084268b
>
> If you find it, the object it is in should have a 'memberof' attribute
> that contains the Domain Admins DN.
>
> 'member' and 'memberof' are linked, deleting the 'member' attribute
> should delete the 'memberof' attribute, but I do not know if the
> reverse works in the same way.

Thanks for this clarification. I have even searched for the string
7ae0, because I thought the GUID would be hyphenated, and that string
does not exist in the ldb. Above I pasted the ldb entry for "LDAP User"
and here are the relevant lines from the "Domain Admins" group:

dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
cn: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net

So that's why the error I'm getting from the dbcheck isn't making sense.

Also, I'm assuming that this is the source of my "Security id structure
is invalid" error, but I don't actually know that. Am I barking up the
right tree?

-Ron
On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Here is some more information that could be helpful. This is the
>>>>> entry for LDAP User in ldbedit:
>>>>>
>>>>> # record 253
>>>>> dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: LDAP User
>>>>> sn: User
>>>>> givenName: LDAP
>>>>> instanceType: 4
>>>>> whenCreated: 20140106220805.0Z
>>>>> displayName: LDAP User
>>>>> uSNCreated: 6218
>>>>> name: LDAP User
>>>>> objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: LDAPUser
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: LDAPUser at dc1.mydomain.net
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
>>>>> pwdLastSet: 130335199430000000
>>>>> lockoutTime: 0
>>>>> userAccountControl: 66048
>>>>> msDS-SupportedEncryptionTypes: 0
>>>>> primaryGroupID: 514
>>>>> whenChanged: 20140107003451.0Z
>>>>> uSNChanged: 6241
>>>>> distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>>
>>>> I don't know if this is part of your problem, but why is the
>>>> primaryGroupID of LDAPUser 'Domain Guests' ??
>>>> Try changing it to 513 (Domain Users)
>>>>
>>> I get the following error from both ldbedit and from ldapadmin:
>>>
>>> failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>> error in module samldb: Unwilling to perform during LDB_MODIFY
>>>
>> In trying to sort through this myself, I seem to be missing
>> something. Can anyone shed light on why samba-tool dbcheck gives me
>> this message?
>>
>> ERROR: incorrect GUID component for member in object CN=Domain
>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>
>> The GUID that it's giving doesn't show up anywhere when I ldbedit my
>> sam.db. I'm trying to figure out how I can manually correct the GUID
>> component that it's screaming about, but I can't find anything in the
>> sam.db that mentions GUID other than objectGUID. Any hints?
>>
>> -Ron
>>
>
> Ron, I haven't read through this whole thread, but is user 'LDAP User' a
> deleted object? If so, it's harmless. A fix at some point will come to
> remove these from 'dbcheck'. I had similar issues. See my thread
>
> http://samba.2283325.n4.nabble.com/replPropertyMetaData-amp-KCC-issues-after-updating-to-Samba-4-5-0-td4707962.html#a4708208
>

Thanks for pointing me there. LDAP User is not a deleted object. Above is
the actual sam.db entry for LDAP User. From your thread, I'm gathering
that the error I'm getting shouldn't be fatal regardless, so I'm wondering
if I'm tracking down the wrong path to fix the "Security ID structure is
invalid" error.

-Ron
On Thu, 6 Oct 2016 13:46:11 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> On 10/6/16 1:02 PM, Rowland Penny via samba wrote:
> > On Thu, 6 Oct 2016 12:35:54 -0400
> > Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> >
> >> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
> >>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
> >>>> On Wed, 5 Oct 2016 10:37:51 -0400
> >>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> Here is some more information that could be helpful. This is the
> >>>>> entry for LDAP User in ldbedit:
> >>>>>
> >>>>> # record 253
> >>>>> dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>>>> objectClass: top
> >>>>> objectClass: person
> >>>>> objectClass: organizationalPerson
> >>>>> objectClass: user
> >>>>> cn: LDAP User
> >>>>> sn: User
> >>>>> givenName: LDAP
> >>>>> instanceType: 4
> >>>>> whenCreated: 20140106220805.0Z
> >>>>> displayName: LDAP User
> >>>>> uSNCreated: 6218
> >>>>> name: LDAP User
> >>>>> objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
> >>>>> badPwdCount: 0
> >>>>> codePage: 0
> >>>>> countryCode: 0
> >>>>> badPasswordTime: 0
> >>>>> lastLogoff: 0
> >>>>> lastLogon: 0
> >>>>> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
> >>>>> accountExpires: 9223372036854775807
> >>>>> logonCount: 0
> >>>>> sAMAccountName: LDAPUser
> >>>>> sAMAccountType: 805306368
> >>>>> userPrincipalName: LDAPUser at dc1.mydomain.net
> >>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
> >>>>> pwdLastSet: 130335199430000000
> >>>>> lockoutTime: 0
> >>>>> userAccountControl: 66048
> >>>>> msDS-SupportedEncryptionTypes: 0
> >>>>> primaryGroupID: 514
> >>>>> whenChanged: 20140107003451.0Z
> >>>>> uSNChanged: 6241
> >>>>> distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>>>>
> >>>> I don't know if this is part of your problem, but why is the
> >>>> primaryGroupID of LDAPUser 'Domain Guests' ??
> >>>> Try changing it to 513 (Domain Users)
> >>>>
> >>> I get the following error from both ldbedit and from ldapadmin:
> >>>
> >>> failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net -
> >>> error in module samldb: Unwilling to perform during LDB_MODIFY
> >>>
> >> In trying to sort through this myself, I seem to be missing
> >> something. Can anyone shed light on why samba-tool dbcheck gives me
> >> this message?
> >>
> >> ERROR: incorrect GUID component for member in object CN=Domain
> >> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
> >> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
> >> User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>
> >> The GUID that it's giving doesn't show up anywhere when I ldbedit
> >> my sam.db. I'm trying to figure out how I can manually correct the
> >> GUID component that it's screaming about, but I can't find
> >> anything in the sam.db that mentions GUID other than objectGUID.
> >> Any hints?
> >>
> >> -Ron
> >>
> > If you examine the 'Domain Admins' object in AD, you should find
> > lines like these:
> >
> > objectGUID: 0dc3c303-b37f-4830-a1c2-d8cb7434f5d5
> > member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> >
> > The first is the GUID and every object in AD has one, so try
> > searching for your GUID in this format:
> >
> > 7ae0e1a8-b8ca-2242-a024-97d59084268b
> >
> > If you find it, the object it is in should have a 'memberof'
> > attribute that contains the Domain Admins DN.
> >
> > 'member' and 'memberof' are linked, deleting the 'member' attribute
> > should delete the 'memberof' attribute, but I do not know if the
> > reverse works in the same way.
> Thanks for this clarification. I have even searched for the string
> 7ae0, because I thought the GUID would be hyphenated, and that string
> does not exist in the ldb. Above I pasted the ldb entry for "LDAP
> User" and here are the relevant lines from the "Domain Admins" group:
>
> dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
> cn: Domain Admins
> objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
> memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
> memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=dc1,DC=mydomain,DC=net
> member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
> member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
>
> So that's why the error I'm getting from the dbcheck isn't making
> sense.
>
> Also, I'm assuming that this is the source of my "Security id
> structure is invalid" error, but I don't actually know that. Am I
> barking up the right tree?
>
> -Ron
>
Does 'myuser' exist and if so, does it have a 'memberof' attribute
containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?

Rowland
On 10/6/16 2:02 PM, Rowland Penny via samba wrote:
>
> Does 'myuser' exist and if so, does it have a 'memberof' attribute
> containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?
>
Yes to both of these.
On Thu, 6 Oct 2016 14:09:20 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> On 10/6/16 2:02 PM, Rowland Penny via samba wrote:
> >
> > Does 'myuser' exist and if so, does it have a 'memberof' attribute
> > containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?
> >
> Yes to both of these.
>
Have you tried expanding your ldbsearch by adding '--cross-ncs' and
'--show-deleted'?

Rowland
On 10/6/16 2:19 PM, Rowland Penny via samba wrote:
> On Thu, 6 Oct 2016 14:09:20 -0400
> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>
>> On 10/6/16 2:02 PM, Rowland Penny via samba wrote:
>>> Does 'myuser' exist and if so, does it have a 'memberof' attribute
>>> containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?
>>>
>> Yes to both of these.
>>
> Have you tried expanding your ldbsearch by adding '--cross-ncs' and
> '--show-deleted'?
>
I hadn't. I didn't know about these. But using those, I still can't find
the pattern 7ae0.

-Ron
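Why the search for 7ae0 comes up empty: the hex inside <GUID=...> is the raw 16-byte value, and AD stores the first three GUID fields little-endian, so the string form of this GUID starts a8e1e07a, not 7ae0e1a8; the <SID=...> component uses the same binary layout as objectSid. The Python below is an added example (not from the thread or from Samba) that decodes both components of the dbcheck error quoted above and compares them with the objectGUID and objectSid of the LDAP User record pasted earlier; it also reads RMD_FLAGS, where 1 is Samba's deleted-link flag. On this data the link carries RID 1116 and a different GUID and is already flagged deleted, which fits lingpanda101's suggestion of a deleted object rather than the current LDAP User (RID 1117).

```python
import struct
import uuid

# The dbcheck error quoted in this thread, as one string (copied from the page).
DBCHECK_LINK = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;"
    "<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;"
    "<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;"
    "<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)

# objectGUID / objectSid of the link target, from the ldbedit dump of LDAP User.
TARGET_OBJECT_GUID = "6ac4027a-0250-4019-a2a8-12cc03497f7f"
TARGET_OBJECT_SID = "S-1-5-21-1319907214-2951884047-2640289736-1117"

# RMD_FLAGS bit marking a linked-attribute value as deleted (Samba's DSDB_RMD_FLAG_DELETED).
RMD_FLAG_DELETED = 1


def guid_hex_to_str(hex_guid):
    """Raw 16 GUID bytes (hex) -> hyphenated string form.

    AD and NDR store the first three GUID fields little-endian, so the string
    form is not the hex with hyphens inserted: 7ae0e1a8... becomes a8e1e07a-....
    """
    raw = bytes.fromhex(hex_guid)
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def guid_str_to_hex(guid_str):
    """Inverse of guid_hex_to_str: the byte pattern to grep for in a raw .ldb file."""
    return uuid.UUID(guid_str).bytes_le.hex()


def sid_hex_to_str(hex_sid):
    """Decode the binary SID layout shared by objectSid and <SID=...> components.

    revision (1 byte) | sub-authority count (1 byte) |
    identifier authority (6 bytes, big-endian) | count x uint32 little-endian
    """
    raw = bytes.fromhex(hex_sid)
    if len(raw) < 8:
        raise ValueError("SID header is 8 bytes")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_extended_dn(ext_dn):
    """Split '<GUID=..>;<SID=..>;<RMD_*=..>;CN=...' into a dict; plain DN under 'DN'."""
    parts = ext_dn.split(";")
    comps = {}
    for part in parts[:-1]:
        key, _, value = part.strip("<>").partition("=")
        comps[key] = value
    comps["DN"] = parts[-1]
    return comps


def check_link(ext_dn, target_guid, target_sid):
    """Compare a link's GUID/SID components with the target's objectGUID/objectSid."""
    comps = parse_extended_dn(ext_dn)
    link_guid = guid_hex_to_str(comps["GUID"])
    link_sid = sid_hex_to_str(comps["SID"])
    flags = int(comps.get("RMD_FLAGS", "0"))
    return {
        "dn": comps["DN"],
        "link_guid": link_guid,
        "link_sid": link_sid,
        "guid_matches": link_guid.lower() == target_guid.lower(),
        "sid_matches": link_sid == target_sid,
        "link_deleted": bool(flags & RMD_FLAG_DELETED),
    }


if __name__ == "__main__":
    report = check_link(DBCHECK_LINK, TARGET_OBJECT_GUID, TARGET_OBJECT_SID)
    for key, value in report.items():
        print("%-13s %s" % (key + ":", value))
```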
On 10/6/16 1:54 PM, Ron García-Vidal via samba wrote:
> On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
>> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>> In trying to sort through this myself, I seem to be missing
>>>>> something. Can anyone shed light on why samba-tool dbcheck gives
>>>>> me this message?
>>>
>>> ERROR: incorrect GUID component for member in object CN=Domain
>>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>
>>> The GUID that it's giving doesn't show up anywhere when I ldbedit my
>>> sam.db. I'm trying to figure out how I can manually correct the GUID
>>> component that it's screaming about, but I can't find anything in
>>> the sam.db that mentions GUID other than objectGUID. Any hints?

Resorting to a simple grep, I have found the entry that's causing the
issue in the file
/usr/local/samba/private/sam.ldb.d/DC=DC1,DC=MYDOMAIN,DC=NET.ldb

How does this file relate to the sam.db file? Is it safe to edit this
file directly to remove the offending GUID?

-Ron
On 10/7/16 8:51 AM, Ron García-Vidal via samba wrote:
> On 10/6/16 1:54 PM, Ron García-Vidal via samba wrote:
>> On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
>>> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>>>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>>> In trying to sort through this myself, I seem to be missing
>>>>>> something. Can anyone shed light on why samba-tool dbcheck gives
>>>>>> me this message?
>>>>
>>>> ERROR: incorrect GUID component for member in object CN=Domain
>>>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>
>>>> The GUID that it's giving doesn't show up anywhere when I ldbedit
>>>> my sam.db. I'm trying to figure out how I can manually correct the
>>>> GUID component that it's screaming about, but I can't find anything
>>>> in the sam.db that mentions GUID other than objectGUID. Any hints?
>
> Resorting to a simple grep, I have found the entry that's causing the
> issue in the file
> /usr/local/samba/private/sam.ldb.d/DC=DC1,DC=MYDOMAIN,DC=NET.ldb
>
> How does this file relate to the sam.db file? Is it safe to edit this
> file directly to remove the offending GUID?

Looks like I have been barking up the wrong tree on this. I copied the
ldb mentioned above to a backup and manually removed the entries that
the testdb was complaining about. Testdb now comes back clean, but the
Invalid security ID structure error continues.

The logs are showing multiple instances of:

Unable to convert SID (S-1-5-11) at index 5 in user token to a GID. Conversion was returned as type 0, full token:

I have a 74k log file that records me starting up the smbd and trying
to access a share. Is adding this as an attachment the best way to
send it?

-Ron
lingpanda101 at gmail.com
2016-Oct-07 13:27 UTC
[Samba] The security id structure is invalid
On 10/7/2016 8:51 AM, Ron García-Vidal via samba wrote:
> On 10/6/16 1:54 PM, Ron García-Vidal via samba wrote:
>> On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
>>> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>>>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>>> In trying to sort through this myself, I seem to be missing
>>>>>> something. Can anyone shed light on why samba-tool dbcheck gives
>>>>>> me this message?
>>>>
>>>> ERROR: incorrect GUID component for member in object CN=Domain
>>>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>
>>>> The GUID that it's giving doesn't show up anywhere when I ldbedit
>>>> my sam.db. I'm trying to figure out how I can manually correct the
>>>> GUID component that it's screaming about, but I can't find anything
>>>> in the sam.db that mentions GUID other than objectGUID. Any hints?
>
> Resorting to a simple grep, I have found the entry that's causing the
> issue in the file
> /usr/local/samba/private/sam.ldb.d/DC=DC1,DC=MYDOMAIN,DC=NET.ldb
>
> How does this file relate to the sam.db file? Is it safe to edit this
> file directly to remove the offending GUID?
>
> -Ron
>
See if this thread is helpful.
https://lists.samba.org/archive/samba/2015-February/189634.html

-- 
-James
On Fri, 7 Oct 2016 08:51:42 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> On 10/6/16 1:54 PM, Ron García-Vidal via samba wrote:
> > On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
> >> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
> >>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
> >>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
> >>>>> On Wed, 5 Oct 2016 10:37:51 -0400
> >>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> >>>>> In trying to sort through this myself, I seem to be missing
> >>>>> something. Can anyone shed light on why samba-tool dbcheck
> >>>>> gives me this message?
> >>>
> >>> ERROR: incorrect GUID component for member in object CN=Domain
> >>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
> >>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
> >>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
> >>>
> >>> The GUID that it's giving doesn't show up anywhere when I ldbedit
> >>> my sam.db. I'm trying to figure out how I can manually correct
> >>> the GUID component that it's screaming about, but I can't find
> >>> anything in the sam.db that mentions GUID other than objectGUID.
> >>> Any hints?
>
> Resorting to a simple grep, I have found the entry that's causing the
> issue in the file
> /usr/local/samba/private/sam.ldb.d/DC=DC1,DC=MYDOMAIN,DC=NET.ldb
>
> How does this file relate to the sam.db file? Is it safe to edit this
> file directly to remove the offending GUID?
>
> -Ron
>
sam.ldb is the pathway into the files in sam.ldb.d and you shouldn't
directly modify the .ldb files in sam.ldb.d

Rowland
On 10/7/16 9:27 AM, lingpanda101--- via samba wrote:
> On 10/7/2016 8:51 AM, Ron García-Vidal via samba wrote:
>> On 10/6/16 1:54 PM, Ron García-Vidal via samba wrote:
>>> On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
>>>> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>>>>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>>>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>>>> In trying to sort through this myself, I seem to be missing
>>>>>>> something. Can anyone shed light on why samba-tool dbcheck gives
>>>>>>> me this message?
>>>>>
>>>>> ERROR: incorrect GUID component for member in object CN=Domain
>>>>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>>>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>>>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>>
>>>>> The GUID that it's giving doesn't show up anywhere when I ldbedit
>>>>> my sam.db. I'm trying to figure out how I can manually correct the
>>>>> GUID component that it's screaming about, but I can't find
>>>>> anything in the sam.db that mentions GUID other than objectGUID.
>>>>> Any hints?
>>
>> Resorting to a simple grep, I have found the entry that's causing the
>> issue in the file
>> /usr/local/samba/private/sam.ldb.d/DC=DC1,DC=MYDOMAIN,DC=NET.ldb
>>
>> How does this file relate to the sam.db file? Is it safe to edit this
>> file directly to remove the offending GUID?
>>
>> -Ron
>>
>
> See if this thread is helpful.
> https://lists.samba.org/archive/samba/2015-February/189634.html
>
It does explain what that file is, thanks. But it doesn't explain why I
could see the entry that testdb was complaining about there, but not
through sam.db. I guess this is just the dangling entry cleanup you
mentioned previously?

In any event, even after manually cleaning this up, the invalid ID
structure message continues. I've posted separately about that.

-Ron
On 10/7/16 9:25 AM, Ron García-Vidal via samba wrote:
> On 10/7/16 8:51 AM, Ron García-Vidal via samba wrote:
>> On 10/6/16 1:54 PM, Ron García-Vidal via samba wrote:
>>> On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
>>>> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>>>>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>>>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>>>>> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>>>>>>> In trying to sort through this myself, I seem to be missing
>>>>>>> something. Can anyone shed light on why samba-tool dbcheck gives
>>>>>>> me this message?
>>>>>
>>>>> ERROR: incorrect GUID component for member in object CN=Domain
>>>>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>>>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>>>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>>>
>>>>> The GUID that it's giving doesn't show up anywhere when I ldbedit
>>>>> my sam.db. I'm trying to figure out how I can manually correct the
>>>>> GUID component that it's screaming about, but I can't find
>>>>> anything in the sam.db that mentions GUID other than objectGUID.
>>>>> Any hints?
>>
>> Resorting to a simple grep, I have found the entry that's causing the
>> issue in the file
>> /usr/local/samba/private/sam.ldb.d/DC=DC1,DC=MYDOMAIN,DC=NET.ldb
>>
>> How does this file relate to the sam.db file? Is it safe to edit this
>> file directly to remove the offending GUID?
>
> Looks like I have been barking up the wrong tree on this. I copied the
> ldb mentioned above to a backup and manually removed the entries that
> the testdb was complaining about. Testdb now comes back clean, but the
> Invalid security ID structure error continues. The logs are showing
> multiple instances of:
> Unable to convert SID (S-1-5-11) at index 5 in user token to a GID.
> Conversion was returned as type 0, full token:
>
> I have a 74k log file that records me starting up the smbd and trying
> to access a share. Is adding this as an attachment the best way to
> send it?

I've restored the original DBs as it seems the dbcheck error I was
focusing on was a red herring. I'm now trying to look at the "Unable
to convert SID" messages, as these are the only other errors I've
seen. A reminder that this started after I ran "samba-tool dbcheck
--cross-ncs --fix --yes" after upgrading to 4.5 as per this article:
https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes

I'm hoping to find a way to manually fix the db or hoping for a repair
tool. I'm not sure what to make of these errors.

Ron
On 10/7/16 10:39 AM, Ron García-Vidal via samba wrote:
> I've restored the original DBs as it seems the dbcheck error I was
> focusing on was a red herring. I'm now trying to look at the "Unable
> to convert SID" messages, as these are the only other errors I've
> seen. A reminder that this started after I ran "samba-tool dbcheck
> --cross-ncs --fix --yes" after upgrading to 4.5 as per this article:
> https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
>
> I'm hoping to find a way to manually fix the db or hoping for a repair
> tool. I'm not sure what to make of these errors.

Picking up on my new thread, I've been investigating the log errors I'm
seeing. Here is one example:

Oct 7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856473, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
Oct 7 09:16:27 sambaserver smbd[7612]: Unable to convert first SID (S-1-5-21-1319907214-2951884047-2640289736-1111) in user token to a UID. Conversion was returned as type 0, full token:
Oct 7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856685, 0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 7 09:16:27 sambaserver smbd[7612]: Security token SIDs (7):
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 0]: S-1-5-21-1319907214-2951884047-2640289736-1111
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 1]: S-1-5-21-1319907214-2951884047-2640289736-515
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 2]: S-1-1-0
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 3]: S-1-5-2
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 4]: S-1-5-11
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 5]: S-1-5-32-554
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 6]: S-1-5-32-545
Oct 7 09:16:27 sambaserver smbd[7612]: Privileges (0x 800000):
Oct 7 09:16:27 sambaserver smbd[7612]: Privilege[ 0]: SeChangeNotifyPrivilege
Oct 7 09:16:27 sambaserver smbd[7612]: Rights (0x 400):
Oct 7 09:16:27 sambaserver smbd[7612]: Right[ 0]: SeRemoteInteractiveLogonRight

Here is what the SID looks like in the idmap.ldb:

dn: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
cn: S-1-5-21-1319907214-2951884047-2640289736-1111
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-1111
type: ID_TYPE_BOTH
xidNumber: 3000033
distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-1111

This SID doesn't show up in the sam.ldb. Is this something where I have
to manually hunt down the mismatches, or is there a way to repair the
idmap.ldb?
On Fri, 7 Oct 2016 14:58:24 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> On 10/7/16 10:39 AM, Ron García-Vidal via samba wrote:
> > I've restored the original DBs as it seems the dbcheck error I was
> > focusing on was a red herring. I'm now trying to look at the
> > "Unable to convert SID" messages, as these are the only other
> > errors I've seen. A reminder that this started after I ran
> > "samba-tool dbcheck --cross-ncs --fix --yes" after upgrading to 4.5
> > as per this article:
> > https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
> >
> > I'm hoping to find a way to manually fix the db or hoping for a
> > repair tool. I'm not sure what to make of these errors.
> Picking up on my new thread, I've been investigating the log errors
> I'm seeing. Here is one example:
>
> Oct 7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856473, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> Oct 7 09:16:27 sambaserver smbd[7612]: Unable to convert first SID (S-1-5-21-1319907214-2951884047-2640289736-1111) in user token to a UID. Conversion was returned as type 0, full token:
> Oct 7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856685, 0] ../libcli/security/security_token.c:63(security_token_debug)
> Oct 7 09:16:27 sambaserver smbd[7612]: Security token SIDs (7):
> Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 0]: S-1-5-21-1319907214-2951884047-2640289736-1111
> Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 1]: S-1-5-21-1319907214-2951884047-2640289736-515
> Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 2]: S-1-1-0
> Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 3]: S-1-5-2
> Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 4]: S-1-5-11
> Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 5]: S-1-5-32-554
> Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 6]: S-1-5-32-545
> Oct 7 09:16:27 sambaserver smbd[7612]: Privileges (0x 800000):
> Oct 7 09:16:27 sambaserver smbd[7612]: Privilege[ 0]: SeChangeNotifyPrivilege
> Oct 7 09:16:27 sambaserver smbd[7612]: Rights (0x 400):
> Oct 7 09:16:27 sambaserver smbd[7612]: Right[ 0]: SeRemoteInteractiveLogonRight
>
> Here is what the SID looks like in the idmap.ldb:
> dn: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
> cn: S-1-5-21-1319907214-2951884047-2640289736-1111
> objectClass: sidMap
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-1111
> type: ID_TYPE_BOTH
> xidNumber: 3000033
> distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
>
> This SID doesn't show up in the sam.ldb. Is this something where I
> have to manually hunt down the mismatches, or is there a way to repair
> the idmap.ldb?
>
idmap.ldb is very easy to repair, just open it in ldbedit, find the sid
and delete the entire object, close and save.

If the user/group does exist in sam.ldb, it will be recreated in
idmap.ldb, but with a different ID number.

Rowland
On 10/7/16 3:30 PM, Rowland Penny via samba wrote:
> idmap.ldb is very easy to repair, just open it in ldbedit, find the sid
> and delete the entire object, close and save.
>
> If the user/group does exist in sam.ldb, it will be recreated in
> idmap.ldb, but with a different ID number.

Ok, I fixed the issue with the SID ending in 1111, but this one remains (and the "Security ID structure is invalid" message continues):

Oct 7 15:39:05 sambaserver smbd[8087]: Unable to convert SID (S-1-5-21-1319907214-2951884047-2640289736-512) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
Oct 7 15:39:05 sambaserver smbd[8087]: [2016/10/07 15:39:05.688406, 0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 7 15:39:05 sambaserver smbd[8087]: Security token SIDs (14):
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 0]: S-1-5-21-1319907214-2951884047-2640289736-1104
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 1]: S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 2]: S-1-5-21-1319907214-2951884047-2640289736-512
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 3]: S-1-5-21-1319907214-2951884047-2640289736-572
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 4]: S-1-5-21-1319907214-2951884047-2640289736-520
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 5]: S-1-5-21-1319907214-2951884047-2640289736-513
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 6]: S-1-1-0
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 7]: S-1-5-2
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 8]: S-1-5-11
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 9]: S-1-5-32-544
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 10]: S-1-5-32-550
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 11]: S-1-5-32-551
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 12]: S-1-5-32-545
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 13]: S-1-5-32-554
Oct 7 15:39:05 sambaserver smbd[8087]: Privileges (0x 1FFFFF80):
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 0]: SeTakeOwnershipPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 1]: SeBackupPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 2]: SeRestorePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 3]: SeRemoteShutdownPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 4]: SeDiskOperatorPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 5]: SeSecurityPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 6]: SeSystemtimePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 7]: SeShutdownPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 8]: SeDebugPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 9]: SeSystemEnvironmentPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 10]: SeSystemProfilePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 11]: SeProfileSingleProcessPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 12]: SeIncreaseBasePriorityPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 13]: SeLoadDriverPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 14]: SeCreatePagefilePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 15]: SeIncreaseQuotaPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 16]: SeChangeNotifyPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 17]: SeUndockPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 18]: SeManageVolumePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 19]: SeImpersonatePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 20]: SeCreateGlobalPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 21]: SeEnableDelegationPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Rights (0x 403):
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 0]: SeInteractiveLogonRight
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 1]: SeNetworkLogonRight
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 2]: SeRemoteInteractiveLogonRight

The SID ending in 512 is the Domain Admins group. Here's what it looks like in sam.ldb:

dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
instanceType: 4
whenCreated: 20131130221548.0Z
uSNCreated: 3549
name: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
whenChanged: 20161004204939.0Z
uSNChanged: 49368
distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net

And here's what it looks like in idmap.ldb:

dn: CN=S-1-5-21-1319907214-2951884047-2640289736-512
cn: S-1-5-21-1319907214-2951884047-2640289736-512
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-512
On Fri, 7 Oct 2016 15:58:06 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> On 10/7/16 3:30 PM, Rowland Penny via samba wrote:
> > idmap.ldb is very easy to repair, just open it in ldbedit, find the
> > sid and delete the entire object, close and save.
> >
> > If the user/group does exist in sam.ldb, it will be recreated in
> > idmap.ldb, but with a different ID number.
>
> Ok, I fixed the issue with the SID ending in 1111, but this one
> remains (and the "Security ID structure is invalid" message
> continues):
>
> Oct 7 15:39:05 sambaserver smbd[8087]: Unable to convert SID (S-1-5-21-1319907214-2951884047-2640289736-512) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
> Oct 7 15:39:05 sambaserver smbd[8087]: [2016/10/07 15:39:05.688406, 0] ../libcli/security/security_token.c:63(security_token_debug)
> Oct 7 15:39:05 sambaserver smbd[8087]: Security token SIDs (14):
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 0]: S-1-5-21-1319907214-2951884047-2640289736-1104
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 1]: S-1-5-21-1319907214-2951884047-2640289736-1107
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 2]: S-1-5-21-1319907214-2951884047-2640289736-512
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 3]: S-1-5-21-1319907214-2951884047-2640289736-572
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 4]: S-1-5-21-1319907214-2951884047-2640289736-520
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 5]: S-1-5-21-1319907214-2951884047-2640289736-513
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 6]: S-1-1-0
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 7]: S-1-5-2
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 8]: S-1-5-11
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 9]: S-1-5-32-544
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 10]: S-1-5-32-550
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 11]: S-1-5-32-551
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 12]: S-1-5-32-545
> Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 13]: S-1-5-32-554
> Oct 7 15:39:05 sambaserver smbd[8087]: Privileges (0x 1FFFFF80):
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 0]: SeTakeOwnershipPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 1]: SeBackupPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 2]: SeRestorePrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 3]: SeRemoteShutdownPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 4]: SeDiskOperatorPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 5]: SeSecurityPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 6]: SeSystemtimePrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 7]: SeShutdownPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 8]: SeDebugPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 9]: SeSystemEnvironmentPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 10]: SeSystemProfilePrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 11]: SeProfileSingleProcessPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 12]: SeIncreaseBasePriorityPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 13]: SeLoadDriverPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 14]: SeCreatePagefilePrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 15]: SeIncreaseQuotaPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 16]: SeChangeNotifyPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 17]: SeUndockPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 18]: SeManageVolumePrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 19]: SeImpersonatePrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 20]: SeCreateGlobalPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 21]: SeEnableDelegationPrivilege
> Oct 7 15:39:05 sambaserver smbd[8087]: Rights (0x 403):
> Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 0]: SeInteractiveLogonRight
> Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 1]: SeNetworkLogonRight
> Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 2]: SeRemoteInteractiveLogonRight
>
> The SID ending in 512 is the Domain Admins group. Here's what it
> looks like in sam.ldb:
>
> dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
> objectClass: top
> objectClass: group
> cn: Domain Admins
> description: Designated administrators of the domain
> instanceType: 4
> whenCreated: 20131130221548.0Z
> uSNCreated: 3549
> name: Domain Admins
> objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
> adminCount: 1
> sAMAccountName: Domain Admins
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
> memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=dc1,DC=mydomain,DC=net
> member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
> member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
> whenChanged: 20161004204939.0Z
> uSNChanged: 49368
> distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
>
> And here's what it looks like in idmap.ldb:
>
> dn: CN=S-1-5-21-1319907214-2951884047-2640289736-512
> cn: S-1-5-21-1319907214-2951884047-2640289736-512
> objectClass: sidMap
> objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
> type: ID_TYPE_BOTH
> xidNumber: 3000008
> distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-512
>

Try running this on the DC:

wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512

Rowland
On 10/8/16 3:55 AM, Rowland Penny via samba wrote:
> Try running this on the DC:
> wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512

Winbind is not running on the DC, it's only using sssd. I get:

failed to call wbcSidToGid: WBC_ERR_WINBIND_NOT_AVAILABLE

This was also the case before the 4.3 to 4.5 upgrade.

-Ron
On Sat, 8 Oct 2016 09:58:10 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> On 10/8/16 3:55 AM, Rowland Penny via samba wrote:
> > Try running this on the DC:
> > wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512
>
> Winbind is not running on the DC, it's only using sssd. I get: failed
> to call wbcSidToGid: WBC_ERR_WINBIND_NOT_AVAILABLE
>
> This was also the case before the 4.3 to 4.5 upgrade.
>
> -Ron

Please post your smb.conf from the DC, the 'samba' daemon should start winbind, if you run 'ps ax | grep winbind', you should get something like this:

1846 ?        Ss    48:07 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1887 ?        S    135:14 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1909 ?        S      0:10 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1911 ?        S     24:12 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1917 ?        S      1:58 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

Rowland
On 10/8/16 10:32 AM, Rowland Penny via samba wrote:
> Please post your smb.conf from the DC, the 'samba' daemon should start
> winbind, if you run 'ps ax | grep winbind', you should get something
> like this:

Sorry, Samba wasn't running when I tried that command. Here's the output:

wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1319907214-2951884047-2640289736-512 to gid

Here is my smb.conf:

# Global parameters
[global]
    workgroup = MYDOMAIN
    realm = DC1.MYDOMAIN.NET
    netbios name = SAMBASERVER
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    time server = yes
    ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd/
    idmap_ldb:use rfc2307 = yes
    # debug level = 9

    # Winbind settings
    idmap config * : backend = tdb
    idmap config * : range = 30000-40000

    idmap config MYDOMAIN : default = yes
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : range = 0-200000

    template shell = /bin/bash
    template homedir = /home/%ACCOUNTNAME%

    winbind separator = +
    winbind use default domain = Yes
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = Yes
    winbind offline logon = Yes

#======================= Share Definitions ======================
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/dc1.evilgenius.net/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

;[homes]
;   comment = Home Directories
;   browseable = no
See inline comments:

On Sat, 8 Oct 2016 13:00:22 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:
> On 10/8/16 10:32 AM, Rowland Penny via samba wrote:
> > Please post your smb.conf from the DC, the 'samba' daemon should
> > start winbind, if you run 'ps ax | grep winbind', you should get
> > something like this:
> Sorry, Samba wasn't running when I tried that command. Here's the
> output:
>
> wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-1319907214-2951884047-2640289736-512
> to gid
>
> Here is my smb.conf:
>
> # Global parameters
> [global]
> workgroup = MYDOMAIN
> realm = DC1.MYDOMAIN.NET
> netbios name = SAMBASERVER
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> time server = yes
> ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd/
> idmap_ldb:use rfc2307 = yes
> # debug level = 9
>

You might as well remove the next 7 lines, they do nothing on a DC

> # Winbind settings
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
>
> idmap config MYDOMAIN : default = yes
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 0-200000
>
> template shell = /bin/bash

Replace %ACCOUNTNAME% with %U

> template homedir = /home/%ACCOUNTNAME%

I would also remove the next block of lines, except possibly for the 'enum' ones

> winbind separator = +
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = Yes
> winbind offline logon = Yes
>
> #======================= Share Definitions ======================
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/dc1.evilgenius.net/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> ;[homes]
> ; comment = Home Directories
> ; browseable = no
>

Can I also suggest replacing 'winbind' in the 'server services' line with 'winbindd'

Do any of your users log into the DC ?

Rowland
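Rowland's four points can be turned into a check you run against smb.conf before restarting the DC. This is an added example, not code from the thread or from Samba: a minimal smb.conf parser plus those four checks, run over a constructed copy of Ron's [global] section.

```python
"""Check an AD DC smb.conf for the [global] settings Rowland flagged above.
Added example, not from the thread or the Samba project: a minimal smb.conf
parser plus the four points of Rowland's inline review; the thread does not say
which change cleared the error, so this returns findings rather than a verdict.
SAMPLE_CONF is Ron's [global] section, constructed from his post."""
import re

def parse_smb_conf(text):
    """smb.conf -> {section: {normalised_key: (original_key, value)}}; keys are
    compared like Samba does, ignoring case and whitespace; '#'/';' lines skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            norm = re.sub(r"\s+", "", key).lower()
            sections[current][norm] = (key.strip(), value.strip())
    return sections

def review_dc_global(sections):
    """Return the list of findings for the [global] section of a DC."""
    g = sections.get("global", {})
    role = g.get("serverrole", ("", ""))[1].lower()
    if "domain controller" not in role and role != "dc":
        return ["server role is not a DC; these checks apply to a DC only"]
    findings = []
    # 1. 'idmap config' lines: per Rowland they do nothing on a DC.
    idmap = [orig for norm, (orig, _) in g.items() if norm.startswith("idmapconfig")]
    if idmap:
        findings.append("idmap config lines do nothing on a DC, remove: " + ", ".join(idmap))
    # 2. template homedir should use Samba's %U substitution.
    if "%ACCOUNTNAME%" in g.get("templatehomedir", ("", ""))[1]:
        findings.append("template homedir: replace %ACCOUNTNAME% with %U")
    # 3. 'server services' should name winbindd rather than winbind.
    services = [s.strip() for s in g.get("serverservices", ("", ""))[1].split(",")]
    if "winbind" in services:
        findings.append("server services: replace 'winbind' with 'winbindd'")
    # 4. Remaining 'winbind ...' settings: remove, except the 'enum' ones.
    keep = ("winbindenumusers", "winbindenumgroups")
    extra = [orig for norm, (orig, _) in g.items()
             if norm.startswith("winbind") and norm not in keep]
    if extra:
        findings.append("winbind settings to remove (keep the enum ones): " + ", ".join(extra))
    return findings

SAMPLE_CONF = """\
[global]
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    # debug level = 9
    idmap config * : backend = tdb
    idmap config MYDOMAIN : backend = ad
    template homedir = /home/%ACCOUNTNAME%
    winbind use default domain = Yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = Yes
"""
```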
Ron García-Vidal
2016-Oct-08 17:47 UTC
[Samba] The security id structure is invalid [SOLVED]
On 10/8/16 1:14 PM, Rowland Penny via samba wrote:
> See inline comments:
>
> On Sat, 8 Oct 2016 13:00:22 -0400
> Ron García-Vidal via samba <samba at lists.samba.org> wrote:
>
>> On 10/8/16 10:32 AM, Rowland Penny via samba wrote:
>>> Please post your smb.conf from the DC, the 'samba' daemon should
>>> start winbind, if you run 'ps ax | grep winbind', you should get
>>> something like this:
>> Sorry, Samba wasn't running when I tried that command. Here's the
>> output:
>>
>> wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512
>> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-1319907214-2951884047-2640289736-512
>> to gid
>>
>> Here is my smb.conf:
>>
>> # Global parameters
>> [global]
>> workgroup = MYDOMAIN
>> realm = DC1.MYDOMAIN.NET
>> netbios name = SAMBASERVER
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>> time server = yes
>> ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd/
>> idmap_ldb:use rfc2307 = yes
>> # debug level = 9
>>
> You might as well remove the next 7 lines, they do nothing on a DC
>
>> # Winbind settings
>> idmap config * : backend = tdb
>> idmap config * : range = 30000-40000
>>
>> idmap config MYDOMAIN : default = yes
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : schema_mode = rfc2307
>> idmap config MYDOMAIN : range = 0-200000
>>
>> template shell = /bin/bash
> Replace %ACCOUNTNAME% with %U
>
>> template homedir = /home/%ACCOUNTNAME%
> I would also remove the next block of lines, except possibly for the
> 'enum' ones
>
>> winbind separator = +
>> winbind use default domain = Yes
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nested groups = Yes
>> winbind offline logon = Yes
>>
>> #======================= Share Definitions ======================
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/dc1.evilgenius.net/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> ;[homes]
>> ; comment = Home Directories
>> ; browseable = no
>>
> Can I also suggest replacing 'winbind' in the 'server services' line
> with 'winbindd'
>
> Do any of your users log into the DC ?

Made all of these changes and it resolved the issue. I'm not sure which one made the difference. Yes, there are a few users who log into the DC via ssh.

Thanks for your help.

-Ron