I have a brand-new install of Debian 8 without systemd and a
freshly-built Samba 4 install with issues. I created this as a
standalone AD DC, setup group policies, etc and then took it to the
client location. Now nothing works. I keep getting "RPC server
unavailable" on Windows machines and trying to list shares on the DC
itself results in NT_STATUS_INVALID_SID. I am lost as there are not many
results for this in Google, so I am here.

Configuration:
./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr --enable-fhs

Beyond that, nothing else was done differently.

My smb.conf:
# Global parameters
[global]
        netbios name = DC01
        realm = MEDARTS.LAN
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MEDARTS
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MEDARTS:backend = ad
        idmap config MEDARTS:schema_mode = rfc2307
        idmap config MEDARTS:range = 10000-99999
        winbind nss info = rfc2307

[netlogon]
        path = /var/lib/samba/sysvol/medarts.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Note that the SIDs are out of my specified range below:
ldbsearch -H /var/lib/samba/private/idmap.ldb
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0
# record 2
dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
cn: S-1-5-21-1106274642-2786564146-798650368-501
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-501
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-501
# record 3
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000019
distinguishedName: CN=CONFIG
# record 4
dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
cn: S-1-5-21-1106274642-2786564146-798650368-500
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-500
# record 5
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
# record 6
dn: CN=S-1-5-21-1106274642-2786564146-798650368-572
cn: S-1-5-21-1106274642-2786564146-798650368-572
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-572
type: ID_TYPE_BOTH
xidNumber: 3000005
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-572
# record 7
dn: CN=S-1-5-9
cn: S-1-5-9
objectClass: sidMap
objectSid: S-1-5-9
type: ID_TYPE_BOTH
xidNumber: 3000010
distinguishedName: CN=S-1-5-9
# record 8
dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid: S-1-5-7
type: ID_TYPE_UID
xidNumber: 65534
distinguishedName: CN=S-1-5-7
# record 9
dn: CN=S-1-5-21-1106274642-2786564146-798650368-1104
cn: S-1-5-21-1106274642-2786564146-798650368-1104
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-1104
type: ID_TYPE_BOTH
xidNumber: 3000017
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-1104
# record 10
dn: CN=S-1-5-21-1106274642-2786564146-798650368-520
cn: S-1-5-21-1106274642-2786564146-798650368-520
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-520
type: ID_TYPE_BOTH
xidNumber: 3000004
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-520
# record 11
dn: CN=S-1-5-32-554
cn: S-1-5-32-554
objectClass: sidMap
objectSid: S-1-5-32-554
type: ID_TYPE_BOTH
xidNumber: 3000016
distinguishedName: CN=S-1-5-32-554
# record 12
dn: CN=S-1-5-21-1106274642-2786564146-798650368-519
cn: S-1-5-21-1106274642-2786564146-798650368-519
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-519
type: ID_TYPE_BOTH
xidNumber: 3000006
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-519
# record 13
dn: CN=S-1-5-21-1106274642-2786564146-798650368-514
cn: S-1-5-21-1106274642-2786564146-798650368-514
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-514
type: ID_TYPE_BOTH
xidNumber: 3000012
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-514
# record 14
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545
# record 15
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 16
dn: CN=S-1-5-21-1106274642-2786564146-798650368-518
cn: S-1-5-21-1106274642-2786564146-798650368-518
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-518
type: ID_TYPE_BOTH
xidNumber: 3000007
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-518
# record 17
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 18
dn: CN=S-1-5-21-1106274642-2786564146-798650368-513
cn: S-1-5-21-1106274642-2786564146-798650368-513
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-513
# record 19
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 20
dn: CN=S-1-5-2
cn: S-1-5-2
objectClass: sidMap
objectSid: S-1-5-2
type: ID_TYPE_BOTH
xidNumber: 3000014
distinguishedName: CN=S-1-5-2
# record 21
dn: CN=S-1-5-21-1106274642-2786564146-798650368-512
cn: S-1-5-21-1106274642-2786564146-798650368-512
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-512
# record 22
dn: CN=S-1-5-21-1106274642-2786564146-798650368-515
cn: S-1-5-21-1106274642-2786564146-798650368-515
objectClass: sidMap
objectSid: S-1-5-21-1106274642-2786564146-798650368-515
type: ID_TYPE_BOTH
xidNumber: 3000018
distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-515
# record 23
dn: CN=S-1-5-32-546
cn: S-1-5-32-546
objectClass: sidMap
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000015
distinguishedName: CN=S-1-5-32-546
# returned 23 records
# 23 entries
# 0 referrals
My max allowed was 99999 but I see SIDs over 300k! This is what I
believe my issue is. This is Samba v4.5, stable. Thanks in advance for
any help.
--
Lead IT/IS Specialist
Reach Technology FP, Inc
I guess I should note that it seems like the high SIDs will resolve,
except for 300000. Below is an example.

root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/
total 16
drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies
drwxrws---+ 2 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 scripts
root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/Policies
total 16
drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:05 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:18 {6AC1786C-016F-11D2-945F-00C04FB984F9}

Also, the issue I am having with RPC:

root at dc01:~# smbclient -L \\localhost -U reachfp
Enter reachfp's password:
session setup failed: NT_STATUS_INVALID_SID

I am calling it a day. I can remote in but I need this up quickly, if
possible. This is for a client who lost her entire business in Hurricane
Matthew. There was mud on the ceiling tiles of the building. Flooding
was BAD here. She is trying to get going and we need her domain up. If
this is a major issue I can blow a day creating a new domain if need-be.
Thank you for your time and help.

PS: "reachfp" is the domain administrator account. We rename it for all
of our clients. We set it back if we ever part ways with a client, but
that hasn't happened in my seven years with this company.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/26/2016 04:43 PM, Ryan Ashley via samba wrote:
> I have a brand-new install of Debian 8 without systemd and a
> freshly-built Samba 4 install with issues. I created this as a
> standalone AD DC, setup group policies, etc and then took it to the
> client location. Now nothing works. I keep getting "RPC server
> unavailable" on Windows machines and trying to list shares on the DC
> itself results in NT_STATUS_INVALID_SID. I am lost as there are not many
> results for this in Google, so I am here.

Take a look at this thread:
https://lists.samba.org/archive/samba/2016-October/204104.html
Try the patch and let me know.

Thanks,
Arthur

On 10/26/2016 4:27 PM, Ryan Ashley via samba wrote:
> I guess I should note that it seems like the high SIDs will resolve,
> except for 300000.

On Wed, 26 Oct 2016 17:27:37 -0400 Ryan Ashley via samba <samba at lists.samba.org> wrote:
> I guess I should note that it seems like the high SIDs will resolve,
> except for 300000.

Let's get the SIDs (actually RIDs) not being what you have set them to
be, out of the way. They will not be set that way on a DC, the idmap
lines you have added are ignored on a DC and they are only meant to be
used on a domain member. If you want to use different IDs on a DC, you
will have to add uidNumber attributes to the users and a gidNumber to
the Domain Users group.

You say you 'created this as a standalone AD DC', what do you mean by
this? Did you provision with '--server-role=standalone'?

Rowland
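
The reply above can be checked against the idmap.ldb dump from the first post. The following is an added example, not part of any message in the thread: it parses ldbsearch output, reads the allocation pool from the CN=CONFIG record, and reports for each mapping whether the ID came from that pool and whether it falls in one of the smb.conf idmap ranges. The function names are illustrative, the inline sample is a constructed subset of the quoted records, and the bounds are treated as inclusive (an assumption).

```python
import re

# Ranges from the smb.conf posted in the thread ("idmap config <domain>:range").
SMB_CONF_RANGES = {"*": (2000, 9999), "MEDARTS": (10000, 99999)}

# Constructed sample: six of the 23 records from the post, trimmed to the
# attributes used below. Values are copied from the quoted ldbsearch output.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000019
# record 2
dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
objectSid: S-1-5-21-1106274642-2786564146-798650368-500
type: ID_TYPE_UID
xidNumber: 0
# record 3
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
# record 4
dn: CN=S-1-5-21-1106274642-2786564146-798650368-513
objectSid: S-1-5-21-1106274642-2786564146-798650368-513
type: ID_TYPE_GID
xidNumber: 100
# record 5
dn: CN=S-1-5-7
objectSid: S-1-5-7
type: ID_TYPE_UID
xidNumber: 65534
# record 6
dn: CN=S-1-5-21-1106274642-2786564146-798650368-1104
objectSid: S-1-5-21-1106274642-2786564146-798650368-1104
type: ID_TYPE_BOTH
xidNumber: 3000017
# returned 6 records
"""


def parse_records(text):
    """Split ldbsearch output into one dict per '# record N' block."""
    records, current = [], None
    for line in text.splitlines():
        if re.match(r"#\s*record\s+\d+", line):
            current = {}
            records.append(current)
        elif line.startswith("#") or not line.strip() or current is None:
            continue  # trailer comments, blank lines, text before record 1
        else:
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return records


def pool_bounds(records):
    """Return (lowerBound, upperBound) from the CN=CONFIG record."""
    for rec in records:
        if rec.get("dn") == "CN=CONFIG":
            return int(rec["lowerBound"]), int(rec["upperBound"])
    raise ValueError("no CN=CONFIG record in the ldbsearch output")


def smb_conf_range_for(xid, ranges=SMB_CONF_RANGES):
    """Name of the smb.conf idmap range containing xid, or None."""
    for name, (low, high) in ranges.items():
        if low <= xid <= high:
            return name
    return None


def audit(text, ranges=SMB_CONF_RANGES):
    """Classify every SID mapping in the dump."""
    records = parse_records(text)
    low, high = pool_bounds(records)
    rows = []
    for rec in records:
        if "objectSid" not in rec:
            continue  # CN=CONFIG carries the pool, not a mapping
        xid = int(rec["xidNumber"])
        rows.append({
            "sid": rec["objectSid"],
            "type": rec["type"],
            "xid": xid,
            "from_dc_pool": low <= xid <= high,
            # A match here is numerical overlap only; it says nothing about
            # which component assigned the ID.
            "smb_conf_range": smb_conf_range_for(xid, ranges),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LDBSEARCH):
        print(f"{row['sid']:<50} {row['type']:<13} {row['xid']:>8} "
              f"pool={row['from_dc_pool']} smb.conf={row['smb_conf_range']}")
```

On a live DC the same functions can be fed the real output of `ldbsearch -H /var/lib/samba/private/idmap.ldb` in place of the sample string.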