Hi All
I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have 
backported Samba 4.3.18 and it is working well.
I have installed a SDC (if I may use that name) on a different network, 
the same version of Samba but on a Debian Jessie on AMD64. I followed 
every instruction in 
https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory.
So every test worked fine.
But now when I try to log in, to view a share or to join the domain I get 
NT_STATUS_INVALID_SID or "The security id structure is invalid".
Not only with the administrator but with any user.
    root@parmenides2:~# smbclient -L localhost -UAdministrator
    Enter Administrator's password:
    session setup failed: NT_STATUS_INVALID_SID
I am really out of arguments
What I have already done:
1. The mirror is OK
#> samba-tool drs showrepl
Is OK
#> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=whenChanged
I have run this from both PDCs and get SUCCESS
2. I have read all similar messages
I have found some similar cases but none with a solution. And I have 
read ALL literally
3. My smb.conf
I have installed my main controller following 
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
and it was generated automatically. I added "idmap_ldb:use" and "log level"
# Global parameters
[global]
         workgroup = EXAMPLE-W10
         realm = EXAMPLE.COM
         netbios name = DC1
         server role = active directory domain controller
         dns forwarder = 192.168.10.7
         idmap_ldb:use rfc2307 = yes
         log level = 1
[netlogon]
         path = /var/lib/samba/sysvol/example.com/scripts
         read only = No
[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
On DC2 the netbios name and dns forwarder change, but everything else 
is the same.
4.  ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20160505021322.0Z
uSNCreated: 3223
name: Administrator
objectGUID: 8426ff4b-4bc4-43da-8de2-bc5808544933
codePage: 0
countryCode: 0
pwdLastSet: 131068880020000000
primaryGroupID: 513
objectSid: S-1-5-21-508106755-2976483754-4106360514-500
adminCount: 1
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
isCriticalSystemObject: TRUE
lastLogonTimestamp: 131068882546671530
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
accountExpires: 0
whenChanged: 20160510132605.0Z
uSNChanged: 3721
userAccountControl: 66048
lastLogon: 131073689683266740
distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
5. ldbsearch -H /var/lib/samba/private/sam.ldb DC=example | grep objectSid
objectSid: S-1-5-21-508106755-2976483754-4106360514
I appreciate any help
Cheers
Kasandra
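
Steps 4 and 5 of the message above compare the account's objectSid with the domain's objectSid by eye. The following is an added example, not part of the original post and not Samba code, that runs the same comparison over saved ldbsearch output from a DC; the function names are hypothetical and the sample LDIF is cut down from the output quoted in the post.

```python
import re

# Sample input: cut down from the ldbsearch output quoted in the post.
DOMAIN_LDIF = """# record 1
dn: DC=example,DC=com
objectSid: S-1-5-21-508106755-2976483754-4106360514
"""
USER_LDIF = """# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com
primaryGroupID: 513
objectSid: S-1-5-21-508106755-2976483754-4106360514-500
"""

SID_RE = re.compile(r"S-1-(\d+)((?:-\d+){1,15})")

def parse_ldif(text):
    """Parse ldbsearch-style LDIF into a list of {attribute: [values]} records.
    Comment lines are skipped; folded and base64 ('::') values are not decoded."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        rec = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep and not line.startswith(("#", " ")):
                rec.setdefault(name, []).append(value)
        if rec:
            records.append(rec)
    return records

def valid_sid(sid):
    """Well-formed: revision 1, 48-bit authority, 1-15 32-bit sub-authorities."""
    m = SID_RE.fullmatch(sid)
    if not m:
        return False
    subs = [int(s) for s in m.group(2)[1:].split("-")]
    return int(m.group(1)) < 2**48 and all(s <= 0xFFFFFFFF for s in subs)

def check_account(domain_sid, record):
    """Compare one account record against the domain SID and list findings."""
    sid = record.get("objectSid", [""])[0]
    prefix, _, rid = sid.rpartition("-")
    problems = []
    if not valid_sid(sid):
        problems.append("account objectSid is malformed")
    elif prefix != domain_sid:
        problems.append("account SID is not under the domain SID")
    group_rid = record.get("primaryGroupID", [""])[0]
    if not group_rid.isdigit():
        problems.append("primaryGroupID missing or not numeric")
    group_sid = f"{domain_sid}-{group_rid}"
    return {"rid": rid, "primary_group_sid": group_sid, "problems": problems}
```

Running it against the output of the same two ldbsearch commands on each DC and comparing the results shows whether both controllers hold the same domain SID and derive the same primary group SID for the account.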
On 10/05/16 18:22, Kasandra Padisha wrote:
> Hi All
>
> I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have
> backported Samba 4.3.18 and is working well.

Hi, where did you get 4.3.18 from ??? or do you mean 4.3.8, if so, try again with 4.3.9, this has some updates for regressions that 4.3.8 introduced.

Oh and a 'PDC' is something else entirely, you have a 'DC' :-)

> I have installed a SDC (if I may use that name)

No, you cannot :-D
It is just another DC :-)

Rowland
Hi

Thanks for your answer

1. Sorry, it was a mistype: The version is samba_4.3.8+dfsg-1~bpo80+1. I backported from stretch to jessie as I want to keep my Debian environment clean. I do not fancy compiling it from source. I am a bit old-fashioned :-) :-) :-)

2. I use PDC and SDC as a legacy from previous versions. I understand why it is outdated but actually, even in Samba4, it is kind of true: DC2 knows who is DC1 all the time and there is big trouble when DC1 is broken: DC2 gets kind of orphaned.

#> samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

Nice topic... but it does not help me.

3. Are there any other suggestions apart from updating? I have already a working installation on DC1 so I do not think upgrade may be a solution.

I appreciate a lead to follow in order to solve this little problem

Cheers

On 10/05/16 at 13:31, Rowland penny wrote:
> On 10/05/16 18:22, Kasandra Padisha wrote:
>> I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have
>> backported Samba 4.3.18 and is working well.
>
> Hi, where did you get 4.3.18 from ??? or do you mean 4.3.8, if so, try
> again with 4.3.9, this has some updates for regressions that 4.3.8
> introduced.
>
> Oh and a 'PDC' is something else entirely, you have a 'DC' :-)
>
>> I have installed a SDC (if I may use that name)
>
> No, you cannot :-D
> It is just another DC :-)
>
> Rowland