On 17/01/15 17:10, Rowland Penny wrote:
> On 17/01/15 14:39, Carlo wrote:
>>
>>>>>>>>>>>>>> I've got a samba 4.2 DC, which has worked well for about a month
>>>>>>>>>>>>>> now. It still works for all users except "Administrator".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If I login to a Windows box with the Administrator account, I can't
>>>>>>>>>>>>>> connect to any shares and clicking on a mapped drive returns the
>>>>>>>>>>>>>> error "The security ID structure is invalid".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Opening "Active Directory Users and Computers" on the Windows box
>>>>>>>>>>>>>> returns "The RPC server is unavailable".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux
>>>>>>>>>>>>>> server running samba I receive this error: "session setup failed:
>>>>>>>>>>>>>> NT_STATUS_INVALID_SID".
>> Hello to all.
>>
>> i am still under this problem in 2 samba server 4.2*
>>
>> same problem and same behavior after a month for one server and two weeks
>> for another
>>
>> My system is:
>> Centos 6.5
>> addomain.domain.lan 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>> and Samba version 4.2.0rc2
>>
>> then i have done the Rowland suggestion about checking the administrator
>> sid and the results was:
>>
>> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb cn=Administrator
>> dn: CN=Administrator,CN=Users,DC=domain,DC=lan
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Administrator
>> description: Built-in account for administering the computer/domain
>> instanceType: 4
>> whenCreated: 20140918163432.0Z
>> uSNCreated: 3545
>> name: Administrator
>> objectGUID: a02e2234-550f-4c8d-9f3e-6cef1547cb83
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>> adminCount: 1
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: Administrator
>> sAMAccountType: 805306368
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=lan
>> isCriticalSystemObject: TRUE
>> memberOf: CN=Administrators,CN=Builtin,DC=domain,DC=lan
>> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Enterprise Admins,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Schema Admins,CN=Users,DC=domain,DC=lan
>> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=lan
>> userAccountControl: 66048
>> msDS-SupportedEncryptionTypes: 0
>> pwdLastSet: 130658091420000000
>> whenChanged: 20150115152542.0Z
>> uSNChanged: 4885
>> distinguishedName: CN=Administrator,CN=Users,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/CN=Configuration,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/DC=DomainDnsZones,DC=domain,DC=lan
>>
>> # Referral
>> ref: ldap://domain.lan/DC=ForestDnsZones,DC=domain,DC=lan
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>> ---/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb DC=domain | grep objectSid
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802
>>
>> ---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
>>
>> # record 39
>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>> cn: S-1-5-21-2643849351-2101160060-2305757802-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-500
>>
>> as reported the time is correct and administrator account never expires
>> you can check here
>> http://www.chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp?pwdLastSet,%20accountExpires,%20lastLogonTimestamp,%20lastLogon,%20and%20badPasswordTime
>>
>> i have noted that the sid error "sometimes" (30 sec on 2/3 hour sometimes)
>> does not appear and i can work correctly with my administrator account for
>> 30-40 sec.
>> the same thing is on both of samba 4.2*
>>
>> i've tested this error from winxp/7/8/8.1 and it is always the same.
>>
>> i post the smb.conf
>>
>> # Global parameters
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.LAN
>> netbios name = ADDOMAIN
>> server role = active directory domain controller
>> dns forwarder = 8.8.8.8
>> idmap_ldb:use rfc2307 = yes
>> spoolss: architecture = Windows x64
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/domain.lan/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> [public]
>> path = /dati/public
>> read only = No
>>
>> [users]
>> path = /dati/users
>> read only = No
>>
>> [profiles]
>> path = /dati/profiles
>> read only = No
>> oplocks=no
>>
>> [printers]
>> path = /var/spool/samba
>> printable = yes
>> printing = CUPS
>>
>> [print$]
>> path = /srv/samba/Printer_drivers
>> comment = Printer Drivers
>> writeable = yes
>>
>> in messages.log i have something when i try to login with the administrator
>> account with the right password; here i have an "Unable to convert SID"
>>
>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586545, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>> Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a GID. Conversion was returned as type 1, full token:
>> Jan 17 15:08:52 addomain smbd[21942]: [2015/01/17 15:08:52.586612, 0] ../libcli/security/security_token.c:63(security_token_debug)
>> Jan 17 15:08:52 addomain smbd[21942]: Security token SIDs (13):
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]: S-1-5-21-2643849351-2101160060-2305757802-500
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]: S-1-5-21-2643849351-2101160060-2305757802-513
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 2]: S-1-5-21-2643849351-2101160060-2305757802-520
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 3]: S-1-5-21-2643849351-2101160060-2305757802-572
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 4]: S-1-5-21-2643849351-2101160060-2305757802-519
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 5]: S-1-5-21-2643849351-2101160060-2305757802-518
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]: S-1-5-21-2643849351-2101160060-2305757802-512
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 8]: S-1-5-2
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 9]: S-1-5-11
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 10]: S-1-5-32-544
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 11]: S-1-5-32-545
>> Jan 17 15:08:52 addomain smbd[21942]: SID[ 12]: S-1-5-32-554
>> Jan 17 15:08:52 addomain smbd[21942]: Privileges (0x 1FFFFF00):
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 0]: SeTakeOwnershipPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 1]: SeBackupPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 2]: SeRestorePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 3]: SeRemoteShutdownPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 4]: SeSecurityPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 5]: SeSystemtimePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 6]: SeShutdownPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 7]: SeDebugPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 8]: SeSystemEnvironmentPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 9]: SeSystemProfilePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 10]: SeProfileSingleProcessPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 12]: SeLoadDriverPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 13]: SeCreatePagefilePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 14]: SeIncreaseQuotaPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 15]: SeChangeNotifyPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 16]: SeUndockPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 17]: SeManageVolumePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 18]: SeImpersonatePrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 19]: SeCreateGlobalPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Privilege[ 20]: SeEnableDelegationPrivilege
>> Jan 17 15:08:52 addomain smbd[21942]: Rights (0x 403):
>> Jan 17 15:08:52 addomain smbd[21942]: Right[ 0]: SeInteractiveLogonRight
>> Jan 17 15:08:52 addomain smbd[21942]: Right[ 1]: SeNetworkLogonRight
>> Jan 17 15:08:52 addomain smbd[21942]: Right[ 2]: SeRemoteInteractiveLogonRight
>>
>> maybe the problem was on "idmap_ldb:use rfc2307 = yes" and winbind ?
>>
>> maybe this is an interesting part but i don't understand where to look.
>>
>> ---/usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb
>> # record 37
>> dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>> cn: S-1-5-21-2643849351-2101160060-2305757802-512
>> objectClass: sidMap
>> objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
>> type: ID_TYPE_BOTH
>> xidNumber: 3000008
>> distinguishedName: CN=S-1-5-21-2643849351-2101160060-2305757802-512
>>
>> Does someone have behavior similar to mine?
>>
>> any kind of help or suggestion is welcome.
>>
>> Many thanks in advance!
>>
>> Regards
>>
>> Charles
>>
>
> OK, I am a bit lost here, I can login as Administrator to my DC, so when you
> say 'when i try to login with administrator account with the right password',
> just how are you trying to login ?

I've tried to login with the "Administrator" user in a shared folder or in the
user login at windows start.
Logging in with the "Administrator" user with a wrong password, samba denies
the login correctly and says nothing about SID. Only if i put the correct
password does samba respond to me with the Invalid SID error, write the log in
messages.log and not let me login or use the shared folder.

> Also, why are you using 4.2.0rc2, is this a test domain or production ?
> If it is production, why are you ignoring what it says here:
> https://wiki.samba.org/index.php/Obtaining_Samba
>
> *Warning: Never install a development version in production! It may contain
> untested features and can cause damages to your installation! Development
> releases are for testing purposes only!*
>
> Also, why are you ignoring what it says here:
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions

testing, and all of them have the same behavior after some time.
this thread was not started by me but i've made too many piece cuts of the old
thread and caused some misunderstanding, sorry...

> We *do not recommend* using the Domain Controller as a file Server. This is
> due to issues with the winbind internal to the Domain Controller. The
> recommendation is to run separate file or Member Servers
> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>.

ok i'll use kvm to separate the fileserver from the domain controller in
production because i've only one server.

> This still goes with 4.2
>
> I recommend that you try again with the latest stable release, 4.1.16 and see
> if the problem still persists, if it does we stand a better chance of fixing it.

With the latest stable release 4.1.16 it seems to work well.
No more SID error
tomorrow i'll do some more accurate tests
Thank you for your support Rowland

testing the 4.2rc4 the problem still exists
do you recommend me to write something about this behaviour at
https://bugzilla.samba.org/?
i still can reproduce the SID error with 4.2rc2 /rc3 /rc4

charles

> Rowland
>
> /
On 18/01/15 18:10, Carlo wrote:
> On 17/01/15 17:10, Rowland Penny wrote:
>> On 17/01/15 14:39, Carlo wrote:
>> OK, I am a bit lost here, I can login as Administrator to my DC, so
>> when you say 'when i try to login with administrator account with the
>> right password', just how are you trying to login ?
> I've tried to login with the "Administrator" user in a shared folder or in
> the user login at windows start.

Sorry, but I still don't understand just where you are trying to log into and
how. I think you mean that you cannot log into a domain joined machine as
Administrator and when you try to connect to the share as Administrator when
logged in as another user, you cannot connect. Is this correct ??

> Logging in with the "Administrator" user with a wrong password, samba denies
> the login correctly and says nothing about SID.
> Only if i put the correct password does samba respond to me with the Invalid
> SID error, write the log in messages.log and not let me login or use the
> shared folder
>> I recommend that you try again with the latest stable release, 4.1.16
>> and see if the problem still persists, if it does we stand a better
>> chance of fixing it.
>
> With the latest stable release 4.1.16 it seems to work well.
> No more SID error
> tomorrow i'll do some more accurate tests
> Thank you for your support Rowland
>
> testing the 4.2rc4 the problem still exists
> do you recommend me to write something about this behaviour at
> https://bugzilla.samba.org/?
> i still can reproduce the SID error with 4.2rc2 /rc3 /rc4

If it works with 4.1.16 but not with 4.2.0rc4 and everything else is the same,
then yes it does seem that it is a bug. You could try changing the winbind
daemon used by the 4.2.0rc4 machine, you would do this by adding 'server
services = +winbind -winbindd' to smb.conf and restarting. If this works and
you can now login as 'Administrator', then you need to file a bug report about
this.

Rowland

> charles
>> Rowland
>>
>> /
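The smbd log and the idmap.ldb records quoted in this thread can be cross-checked mechanically before filing the bug. This is an added example, not code from the thread or from Samba: it parses the "Unable to convert SID ... Conversion was returned as type N" line and the token dump, parses the ldbedit records as LDIF (both samples constructed here from the values quoted above), maps N through Samba's id_type enum (assumed numbering: 1 = ID_TYPE_UID, 2 = ID_TYPE_GID, 3 = ID_TYPE_BOTH) and reports whether the on-disk record could satisfy the lookup and whether the answer smbd acted on matches it.

```python
import re

# Constructed sample: the smbd lines quoted in this thread, with the wrapped
# "SID[ n]:" entries rejoined onto one line each (only a few of the 13 kept).
SAMPLE_LOG = """\
Jan 17 15:08:52 addomain smbd[21942]: Unable to convert SID (S-1-5-21-2643849351-2101160060-2305757802-512) at index 6 in user token to a GID. Conversion was returned as type 1, full token:
Jan 17 15:08:52 addomain smbd[21942]: Security token SIDs (13):
Jan 17 15:08:52 addomain smbd[21942]: SID[ 0]: S-1-5-21-2643849351-2101160060-2305757802-500
Jan 17 15:08:52 addomain smbd[21942]: SID[ 1]: S-1-5-21-2643849351-2101160060-2305757802-513
Jan 17 15:08:52 addomain smbd[21942]: SID[ 6]: S-1-5-21-2643849351-2101160060-2305757802-512
Jan 17 15:08:52 addomain smbd[21942]: SID[ 7]: S-1-1-0
"""

# Constructed sample: the two idmap.ldb records quoted in the thread.
SAMPLE_IDMAP = """\
# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_BOTH
xidNumber: 3000008

# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0
"""

# Assumed numeric values of Samba's id_type enum; the log prints the number.
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID",
            2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}
# Which stored types can satisfy a UID lookup and a GID lookup respectively.
ACCEPTABLE = {"UID": {"ID_TYPE_UID", "ID_TYPE_BOTH"},
              "GID": {"ID_TYPE_GID", "ID_TYPE_BOTH"}}

CONVERT_RE = re.compile(
    r"Unable to convert SID \((?P<sid>S-[\d-]+)\) at index (?P<idx>\d+) in user "
    r"token to a (?P<want>UID|GID)\. Conversion was returned as type (?P<got>\d+)")
TOKEN_RE = re.compile(r"SID\[\s*(?P<idx>\d+)\]:\s*(?P<sid>S-[\d-]+)")


def parse_log(text):
    """Return (failure, token) from smbd log text: failure is None or a dict
    with the SID, its token index, the type wanted and the type smbd got;
    token maps index -> SID from the dumped security token."""
    failure, token = None, {}
    for line in text.splitlines():
        m = CONVERT_RE.search(line)
        if m:
            got = int(m["got"])
            failure = {"sid": m["sid"], "index": int(m["idx"]), "wanted": m["want"],
                       "got": ID_TYPES.get(got, "unknown(%d)" % got)}
            continue
        m = TOKEN_RE.search(line)
        if m:
            token[int(m["idx"])] = m["sid"]
    return failure, token


def parse_idmap(text):
    """Parse ldbsearch/ldbedit LDIF output into {objectSid: {"type", "xid"}}."""
    records, cur = {}, {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line or line.startswith("#"):  # blank or "# record N": boundary
            if "objectSid" in cur:
                records[cur["objectSid"]] = {"type": cur.get("type"),
                                             "xid": int(cur.get("xidNumber", -1))}
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    return records


def diagnose(log_text, idmap_text):
    """Cross-check the SID smbd could not convert against idmap.ldb and return
    tagged findings (TOKEN / MISSING / MAPPED / WRONG_TYPE / INCONSISTENT);
    empty when the log carries no conversion failure."""
    failure, token = parse_log(log_text)
    idmap = parse_idmap(idmap_text)
    if failure is None:
        return []
    sid, want, got = failure["sid"], failure["wanted"], failure["got"]
    findings = []
    if token.get(failure["index"]) != sid:  # log index must name the same SID
        findings.append("TOKEN: index %d does not hold %s" % (failure["index"], sid))
    rec = idmap.get(sid)
    if rec is None:
        findings.append("MISSING: %s has no record in idmap.ldb" % sid)
        return findings
    findings.append("MAPPED: %s is %s xid %d in idmap.ldb; smbd got %s for a %s"
                    % (sid, rec["type"], rec["xid"], got, want))
    if rec["type"] not in ACCEPTABLE[want]:
        findings.append("WRONG_TYPE: %s is stored as %s but must map to a %s"
                        % (sid, rec["type"], want))
    elif got != rec["type"]:
        # The stored record would satisfy the lookup, so the answer smbd acted
        # on did not come from this record as it is stored now.
        findings.append("INCONSISTENT: smbd returned %s but idmap.ldb stores %s for %s"
                        % (got, rec["type"], sid))
    return findings
```

On the thread's values this reports the -512 (Domain Admins) SID as ID_TYPE_BOTH on disk but answered as ID_TYPE_UID at lookup time, which is the inconsistency worth attaching to the bug report.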
On 18/01/15 18:27, Rowland Penny wrote:
> On 18/01/15 18:10, Carlo wrote:
>> On 17/01/15 17:10, Rowland Penny wrote:
>>> On 17/01/15 14:39, Carlo wrote:
>>> >>> *Also**why are you ignoring what it says here: >>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Versions >> testing and all of them have the same behavior after some time. >> this thread was not started by me but i've made too many piece cut of >> old thread and done some misunderstanding sorry... >> >>> >>> We /*_do not recommend_* using the Domain Controller as a file >>> Server. This is due to issues with the winbind internal to the >>> Domain Controller. The recommendation is to run separate file or >>> Member Servers >>> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>. >> ok i'll use kvm to separate fileserver from domain controller in >> production because i've only one server. >>> >>> This still goes with 4.2 >>> >>> I recommend that you try again with the latest stable release, >>> 4.1.16 and see if the problem still persists, if it does we stand a >>> better chance of fixing it. >> >> With the latest stable release on 4.1.16 seems work well. >> No more SID error >> tomorrow i'll do some more accurate test >> Thank you for your support Rowland >> >> testing the 4.2rc4 the problem still exist >> do you reccomend me to write something of this behaviour at >> https://bugzilla.samba.org/? >> i still can reproduce the SID error with4.2rc2 /rc3 /rc4 > > If it works with 4.1.16 but not with 4.2.0rc4 and everything else is > the same, then yes it does seem that it is a bug. You could try > changing the winbind daemon used by the 4.2.0rc4 machine, you would > this by adding 'server services = +winbind -winbindd' to smb.conf and > restarting. > > If this works and you can now login as 'Administrator', then you need > to file a bug report about this. > > Rowland >> >> charles >>> >>> Rowland >>> >>> / >> >> >OK, did a bit more investigation into this and I can login into a samba 4.2.0rc2 DC as 'Administrator', but I had to do a bit more config than the standard './configure, make, make install' gives. 
I had to install 'apt-get install libpam-krb5' (this is on Debian Wheezy) Link some files: ln -s /usr/local/samba/lib/libnss_winbind.so /lib/x86_64-linux-gnu/libnss_winbind.so ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so.2 ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2 ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so Create a pam config file: nano /usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] pam_winbind.so use_authtok try_first_pass Password-Initial: [success=end default=ignore] pam_winbind.so Session-Type: Additional Session: optional pam_winbind.so Add a line to smb.conf: template shell = /bin/bash Add 'winbind' to the 'passwd' & 'group' lines in /etc/nsswitch.conf Allowed root to login via ssh ran 'ssh Administrator at 192.168.0.245' Administrator at 192.168.0.245's password: Creating directory '/home/%D/%U'. Linux dc42 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. So as you can see, it works for me. Rowland
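The log Charles posted pairs two things a practitioner wants to cross-check by hand: the ordered SID list smbd prints from security_token_debug, and the sidMap records in idmap.ldb. The script below is an added example, not code from this thread or from Samba. It parses an ldbsearch/ldbedit dump of idmap.ldb and a security_token_debug excerpt, then replays the conversion rule the page's log reflects (the SID at index 0 becomes the uid, every later SID has to become a gid) and reports each SID that has no mapping, that is mapped with a type that cannot become the required id, or that resolves the user to uid 0. Two assumptions are built in: that the numeric "type N" in "Conversion was returned as type N" follows Samba's id_type enum (0 NOT_SPECIFIED, 1 UID, 2 GID, 3 BOTH), and that the sample data is constructed for the example; its -500 record and the xid 3000008 mirror the records on the page, but -512 is deliberately written as ID_TYPE_UID (the page's record 37 shows ID_TYPE_BOTH) so the report exercises the "type 1 cannot become a gid" path, and the remaining xids are made up.

```python
"""Cross-check the SIDs in an smbd security token against idmap.ldb.

Added example for triaging "Unable to convert SID ... to a GID"; it is not
Samba code.  The LDIF and log text at the bottom are constructed samples.
"""
import re

# Assumed meaning of "Conversion was returned as type N" (Samba's id_type
# enum in librpc/idl/idmap.idl): 0 NOT_SPECIFIED, 1 UID, 2 GID, 3 BOTH.
ID_TYPE_CODE = {"ID_TYPE_NOT_SPECIFIED": 0, "ID_TYPE_UID": 1,
                "ID_TYPE_GID": 2, "ID_TYPE_BOTH": 3}

# Matches the "SID[ 6]: S-1-5-21-..." lines printed by security_token_debug.
TOKEN_SID_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1-\d+(?:-\d+)+)")


def parse_idmap_ldif(text):
    """Parse ldbsearch/ldbedit output of idmap.ldb into {sid: (type, xid)}.

    Records are separated by blank lines; lines starting with '#' are comments.
    """
    mappings, record = {}, {}
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if "objectSid" in record:
                mappings[record["objectSid"]] = (
                    record.get("type", "ID_TYPE_NOT_SPECIFIED"),
                    int(record.get("xidNumber", -1)))
            record = {}
        elif not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    return mappings


def parse_token_sids(log_text):
    """Return the token's SIDs in index order from security_token_debug lines."""
    by_index = {int(m.group(1)): m.group(2) for m in TOKEN_SID_RE.finditer(log_text)}
    return [by_index[i] for i in sorted(by_index)]


def check_token(token_sids, mappings):
    """Replay the unix-token rule: index 0 becomes the uid, every later SID
    must become a gid.  Returns (index, sid, code, detail) tuples."""
    findings = []
    for idx, sid in enumerate(token_sids):
        want = "uid" if idx == 0 else "gid"
        if sid not in mappings:
            findings.append((idx, sid, "unmapped",
                             f"no idmap entry; winbind would have to allocate a {want}"))
            continue
        type_name, xid = mappings[sid]
        code = ID_TYPE_CODE.get(type_name, 0)
        usable = code in (1, 3) if want == "uid" else code in (2, 3)
        if not usable:
            findings.append((idx, sid, "wrong_type",
                             f"type {code} ({type_name}) cannot become a {want}"))
        elif want == "uid" and xid == 0:
            findings.append((idx, sid, "uid0", "user SID maps to uid 0 (root)"))
    return findings


# Constructed idmap.ldb dump (see the lead-in for which values are altered).
SAMPLE_IDMAP = """\
# record 37
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-512
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-512
type: ID_TYPE_UID
xidNumber: 3000008

# record 39
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-500
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-500
type: ID_TYPE_UID
xidNumber: 0

# record 40
dn: CN=S-1-5-21-2643849351-2101160060-2305757802-513
objectClass: sidMap
objectSid: S-1-5-21-2643849351-2101160060-2305757802-513
type: ID_TYPE_BOTH
xidNumber: 100
"""

# Constructed smbd log excerpt in the security_token_debug format.
SAMPLE_LOG = """\
smbd[21942]: Security token SIDs (4):
smbd[21942]:   SID[  0]: S-1-5-21-2643849351-2101160060-2305757802-500
smbd[21942]:   SID[  1]: S-1-5-21-2643849351-2101160060-2305757802-513
smbd[21942]:   SID[  2]: S-1-5-21-2643849351-2101160060-2305757802-512
smbd[21942]:   SID[  3]: S-1-5-32-544
"""


def report(idmap_text=SAMPLE_IDMAP, log_text=SAMPLE_LOG):
    """Parse both inputs and return the findings for the token."""
    return check_token(parse_token_sids(log_text), parse_idmap_ldif(idmap_text))


if __name__ == "__main__":
    for idx, sid, code, detail in report():
        print(f"index {idx:2d} {sid}: {code} - {detail}")
```

On a real DC, feed it `ldbsearch -H /usr/local/samba/private/idmap.ldb objectClass=sidMap` for the first input and the smbd log excerpt for the second. A "wrong_type" line at a group index is the condition the log on this page describes; an "unmapped" line only says winbind has not allocated that SID yet, which on a DC is normal for well-known SIDs until first use. The "uid0" line is expected for the domain Administrator, which Samba's provisioning maps to root as the page's record 39 shows; it is reported anyway because anything that later changes that mapping changes who root is on every share the DC serves.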