On Wed, 26 Oct 2016 17:27:37 -0400
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> I guess I should note that it seems like the high SIDs will resolve,
> except for 300000. Below is an example.
>
> root@dc01:~# l /var/lib/samba/sysvol/medarts.lan/
> total 16
> drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies
> drwxrws---+ 2 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 scripts
> root@dc01:~# l /var/lib/samba/sysvol/medarts.lan/Policies
> total 16
> drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:05 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrws---+ 5 MEDARTS\reachfp MEDARTS\domain admins 4096 Oct 19 14:18 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>
> Also, the issue I am having with RPC:
>
> root@dc01:~# smbclient -L \\localhost -U reachfp
> Enter reachfp's password:
> session setup failed: NT_STATUS_INVALID_SID
>
> I am calling it a day. I can remote in but I need this up quickly, if
> possible. This is for a client who lost her entire business in
> Hurricane Matthew. There was mud on the ceiling tiles of the
> building. Flooding was BAD here. She is trying to get going and we
> need her domain up. If this is a major issue I can blow a day
> creating a new domain if need-be. Thank you for your time and help.
>
> PS: "reachfp" is the domain administrator account. We rename it for
> all of our clients. We set it back if we ever part ways with a
> client, but that hasn't happened in my seven years with this company.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 10/26/2016 04:43 PM, Ryan Ashley via samba wrote:
> > I have a brand-new install of Debian 8 without systemd and a
> > freshly-built Samba 4 install with issues. I created this as a
> > standalone AD DC, setup group policies, etc and then took it to the
> > client location. Now nothing works. I keep getting "RPC server
> > unavailable" on Windows machines and trying to list shares on the DC
> > itself results in NT_STATUS_INVALID_SID. I am lost as there are not
> > many results for this in Google, so I am here.
> >
> > Configuration:
> > ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr --enable-fhs
> >
> > Beyond that, nothing else was done differently.
> >
> > My smb.conf:
> > # Global parameters
> > [global]
> >     netbios name = DC01
> >     realm = MEDARTS.LAN
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = MEDARTS
> >     server role = active directory domain controller
> >     idmap_ldb:use rfc2307 = yes
> >     idmap config *:backend = tdb
> >     idmap config *:range = 2000-9999
> >     idmap config MEDARTS:backend = ad
> >     idmap config MEDARTS:schema_mode = rfc2307
> >     idmap config MEDARTS:range = 10000-99999
> >     winbind nss info = rfc2307
> >
> > [netlogon]
> >     path = /var/lib/samba/sysvol/medarts.lan/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /var/lib/samba/sysvol
> >     read only = No
> >
> > Note that the SIDs are out of my specified range below:
> > ldbsearch -H /var/lib/samba/private/idmap.ldb
> > # record 1
> > dn: CN=S-1-1-0
> > cn: S-1-1-0
> > objectClass: sidMap
> > objectSid: S-1-1-0
> > type: ID_TYPE_BOTH
> > xidNumber: 3000013
> > distinguishedName: CN=S-1-1-0
> >
> > # record 2
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-501
> > cn: S-1-5-21-1106274642-2786564146-798650368-501
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-501
> > type: ID_TYPE_BOTH
> > xidNumber: 3000011
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-501
> >
> > # record 3
> > dn: CN=CONFIG
> > cn: CONFIG
> > lowerBound: 3000000
> > upperBound: 4000000
> > xidNumber: 3000019
> > distinguishedName: CN=CONFIG
> >
> > # record 4
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-500
> > cn: S-1-5-21-1106274642-2786564146-798650368-500
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-500
> > type: ID_TYPE_UID
> > xidNumber: 0
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-500
> >
> > # record 5
> > dn: CN=S-1-5-11
> > cn: S-1-5-11
> > objectClass: sidMap
> > objectSid: S-1-5-11
> > type: ID_TYPE_BOTH
> > xidNumber: 3000003
> > distinguishedName: CN=S-1-5-11
> >
> > # record 6
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-572
> > cn: S-1-5-21-1106274642-2786564146-798650368-572
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-572
> > type: ID_TYPE_BOTH
> > xidNumber: 3000005
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-572
> >
> > # record 7
> > dn: CN=S-1-5-9
> > cn: S-1-5-9
> > objectClass: sidMap
> > objectSid: S-1-5-9
> > type: ID_TYPE_BOTH
> > xidNumber: 3000010
> > distinguishedName: CN=S-1-5-9
> >
> > # record 8
> > dn: CN=S-1-5-7
> > cn: S-1-5-7
> > objectClass: sidMap
> > objectSid: S-1-5-7
> > type: ID_TYPE_UID
> > xidNumber: 65534
> > distinguishedName: CN=S-1-5-7
> >
> > # record 9
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-1104
> > cn: S-1-5-21-1106274642-2786564146-798650368-1104
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-1104
> > type: ID_TYPE_BOTH
> > xidNumber: 3000017
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-1104
> >
> > # record 10
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-520
> > cn: S-1-5-21-1106274642-2786564146-798650368-520
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-520
> > type: ID_TYPE_BOTH
> > xidNumber: 3000004
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-520
> >
> > # record 11
> > dn: CN=S-1-5-32-554
> > cn: S-1-5-32-554
> > objectClass: sidMap
> > objectSid: S-1-5-32-554
> > type: ID_TYPE_BOTH
> > xidNumber: 3000016
> > distinguishedName: CN=S-1-5-32-554
> >
> > # record 12
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-519
> > cn: S-1-5-21-1106274642-2786564146-798650368-519
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-519
> > type: ID_TYPE_BOTH
> > xidNumber: 3000006
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-519
> >
> > # record 13
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-514
> > cn: S-1-5-21-1106274642-2786564146-798650368-514
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-514
> > type: ID_TYPE_BOTH
> > xidNumber: 3000012
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-514
> >
> > # record 14
> > dn: CN=S-1-5-32-545
> > cn: S-1-5-32-545
> > objectClass: sidMap
> > objectSid: S-1-5-32-545
> > type: ID_TYPE_BOTH
> > xidNumber: 3000009
> > distinguishedName: CN=S-1-5-32-545
> >
> > # record 15
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_BOTH
> > xidNumber: 3000000
> > distinguishedName: CN=S-1-5-32-544
> >
> > # record 16
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-518
> > cn: S-1-5-21-1106274642-2786564146-798650368-518
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-518
> > type: ID_TYPE_BOTH
> > xidNumber: 3000007
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-518
> >
> > # record 17
> > dn: CN=S-1-5-32-549
> > cn: S-1-5-32-549
> > objectClass: sidMap
> > objectSid: S-1-5-32-549
> > type: ID_TYPE_BOTH
> > xidNumber: 3000001
> > distinguishedName: CN=S-1-5-32-549
> >
> > # record 18
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-513
> > cn: S-1-5-21-1106274642-2786564146-798650368-513
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-513
> > type: ID_TYPE_GID
> > xidNumber: 100
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-513
> >
> > # record 19
> > dn: CN=S-1-5-18
> > cn: S-1-5-18
> > objectClass: sidMap
> > objectSid: S-1-5-18
> > type: ID_TYPE_BOTH
> > xidNumber: 3000002
> > distinguishedName: CN=S-1-5-18
> >
> > # record 20
> > dn: CN=S-1-5-2
> > cn: S-1-5-2
> > objectClass: sidMap
> > objectSid: S-1-5-2
> > type: ID_TYPE_BOTH
> > xidNumber: 3000014
> > distinguishedName: CN=S-1-5-2
> >
> > # record 21
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-512
> > cn: S-1-5-21-1106274642-2786564146-798650368-512
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-512
> > type: ID_TYPE_BOTH
> > xidNumber: 3000008
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-512
> >
> > # record 22
> > dn: CN=S-1-5-21-1106274642-2786564146-798650368-515
> > cn: S-1-5-21-1106274642-2786564146-798650368-515
> > objectClass: sidMap
> > objectSid: S-1-5-21-1106274642-2786564146-798650368-515
> > type: ID_TYPE_BOTH
> > xidNumber: 3000018
> > distinguishedName: CN=S-1-5-21-1106274642-2786564146-798650368-515
> >
> > # record 23
> > dn: CN=S-1-5-32-546
> > cn: S-1-5-32-546
> > objectClass: sidMap
> > objectSid: S-1-5-32-546
> > type: ID_TYPE_BOTH
> > xidNumber: 3000015
> > distinguishedName: CN=S-1-5-32-546
> >
> > # returned 23 records
> > # 23 entries
> > # 0 referrals
> >
> > My max allowed was 99999 but I see SIDs over 300k! This is what I
> > believe my issue is. This is Samba v4.5, stable. Thanks in advance
> > for any help.
> >
>

Let's get the SIDs (actually RIDs) not being what you have set them to
be, out of the way. They will not be set that way on a DC, the idmap
lines you have added are ignored on a DC and they are only meant to be
used on a domain member. If you want to use different IDs on a DC, you
will have to add uidNumber attributes to the users and a gidNumber to
the Domain Users group.

You say you 'created this as a standalone AD DC', what do you mean by
this? Did you provision with '--server-role=standalone'?

Rowland

Wait, now I'm confused. Idmap lines do not need to be set up on the DCs?
Then how does Windows figure out the IDs in the Unix Attributes tab? I
thought you needed both rfc2307 and idmap on the DC and the members.

On 27/10/2016 05:39, Rowland Penny via samba wrote:
> Let's get the SIDs (actually RIDs) not being what you have set them to
> be, out of the way. They will not be set that way on a DC, the idmap
> lines you have added are ignored on a DC and they are only meant to be
> used on a domain member. If you want to use different IDs on a DC, you
> will have to add uidNumber attributes to the users and a gidNumber to
> the Domain Users group.
>
> You say you 'created this as a standalone AD DC', what do you mean by
> this? Did you provision with '--server-role=standalone'?
>
> Rowland

--
Vinicius Silva

On Thu, 27 Oct 2016 10:51:08 -0200
Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:

> Wait, now I'm confused. Idmap lines do not need to be set up on the
> DCs? Then how does Windows figure out the IDs in the Unix
> Attributes tab? I thought you needed both rfc2307 and idmap on the
> DC and the members.

The DCs have idmap.ldb, this maps users and groups to xidNumbers in the
'3000000' range, the only way to change these numbers on a DC, is to
give your users & groups uidNumber & gidNumber attributes.

I repeat, adding the 'idmap config' lines that are used on a domain
member, to a DC, will not work. They do nothing, zilch, they are
ignored, so do not add them.

The 'Unix Attributes' tab uses the 'uidNumber' and 'gidNumber'
attributes and these override the 'xidNumber' attributes that the DC
uses by default.

Rowland

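Added example (not part of the thread and not Samba project code): a Python reader for `ldbsearch` output from idmap.ldb that compares each xidNumber with the DC's own CONFIG bounds and with the `idmap config MEDARTS:range` from the smb.conf above, and flags any SID that maps to Unix root. The function names and the inclusive treatment of the bounds are assumptions; the sample records are copied from the output quoted in the thread and trimmed.

```python
import sys

# Range from the "idmap config MEDARTS:range" line in the thread's smb.conf.
MEMBER_RANGE = (10000, 99999)

# Records copied from the ldbsearch output quoted in the thread, trimmed to
# the attributes this example reads.
SAMPLE = """\
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000

objectSid: S-1-5-21-1106274642-2786564146-798650368-500
type: ID_TYPE_UID
xidNumber: 0

objectSid: S-1-5-21-1106274642-2786564146-798650368-513
type: ID_TYPE_GID
xidNumber: 100

objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""


def parse_records(text):
    """Split ldbsearch output into dicts; a blank or '#' line ends a record."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line or line.startswith("#"):
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value
    return records


def audit(text, member_range=MEMBER_RANGE):
    """Return the DC's allocation bounds and one row per SID mapping."""
    records = parse_records(text)
    config = next(r for r in records if r.get("cn") == "CONFIG")
    low, high = int(config["lowerBound"]), int(config["upperBound"])
    rows = []
    for rec in records:
        if "objectSid" not in rec:
            continue
        xid = int(rec["xidNumber"])
        rows.append({
            "sid": rec["objectSid"],
            "type": rec["type"],
            "xid": xid,
            # Bounds treated as inclusive (an assumption of this example).
            "allocated": low <= xid <= high,
            "in_member_range": member_range[0] <= xid <= member_range[1],
            # A UID (or BOTH) mapping to xid 0 is Unix root on the DC.
            "is_root": xid == 0 and rec["type"] != "ID_TYPE_GID",
        })
    return (low, high), rows


if __name__ == "__main__":
    # Real use: ldbsearch -H /var/lib/samba/private/idmap.ldb | python3 this_file.py
    bounds, rows = audit(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print(f"DC allocation range: {bounds}", *rows, sep="\n")
```

On the sample, no mapping falls inside 10000-99999, and the RID 500 account (the renamed administrator, "reachfp" in this thread) is the one SID that resolves to uid 0.
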
Rowland, I am on my mobile phone right now so please forgive the data
not being available. When I get back to her location today I will be
happy to get you that information. How should I get it for you? Both
getent and wbinfo work on the server, if that matters.

> Let's get the SIDs (actually RIDs) not being what you have set them to
> be, out of the way. They will not be set that way on a DC, the idmap lines
> you have added are ignored on a DC and they are only meant to be used on a
> domain member. If you want to use different IDs on a DC, you will have to
> add uidNumber attributes to the users and a gidNumber to the Domain Users
> group.
>
> You say you 'created this as a standalone AD DC', what do you mean by
> this? Did you provision with '--server-role=standalone'?
>
> Rowland

On Thu, 27 Oct 2016 09:20:34 -0400
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> Rowland, I am on my mobile phone right now so please forgive the data
> not being available. When I get back to her location today I will be
> happy to get you that information. How should I get it for you? Both
> getent and wbinfo work on the server, if that matters.
>
> > Let's get the SIDs (actually RIDs) not being what you have set them
> > to be, out of the way. They will not be set that way on a DC, the
> > idmap lines you have added are ignored on a DC and they are only
> > meant to be used on a domain member. If you want to use different
> > IDs on a DC, you will have to add uidNumber attributes to the users
> > and a gidNumber to the Domain Users group.
> >
> > You say you 'created this as a standalone AD DC', what do you mean
> > by this? Did you provision with '--server-role=standalone'?
> >
> > Rowland

I will try again (as I didn't ask for any ID numbers).

How did you provision the 'standalone AD DC' ????

Rowland