Rowland, no domain user can authenticate on any system and running
sysvolreset followed by sysvolcheck results in a crash. If the sysvol
permissions are correct, sysvolcheck does not crash. If I attempt to
join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
Researching these symptoms turns up a thread about a corrupt idmap.ldb
where a group SID and user SID may be the same or something like that.

They've been down for two days now. They do not have a backup DC. They
did, but it was struck by lightning (it got the battery backup and all)
and they chose not to replace it, against my recommendation. Either
way, no backup DC to recover with.

Finally, which logs would you like to see? My winbindd-idmap log has
nothing but segfaults logged. What log should I check? The only thing
which stood out was the smbd log, which I pasted part of below.

[2017/01/10 13:00:45.581992, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID. Conversion was returned as type 0, full token:
[2017/01/10 13:00:45.659202, 0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (3):
    SID[ 0]: S-1-5-7
    SID[ 1]: S-1-1-0
    SID[ 2]: S-1-5-2
  Privileges (0x 0):
  Rights (0x 0):
[2017/01/10 13:00:46.378251, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID. Conversion was returned as type 0, full token:
[2017/01/10 13:00:46.425549, 0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (7):
    SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
    SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-32-554
    SID[ 6]: S-1-5-32-545
  Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
  Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight
[2017/01/10 13:00:47.052039, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID. Conversion was returned as type 0, full token:
[2017/01/10 13:00:47.133721, 0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (7):
    SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
    SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-32-554
    SID[ 6]: S-1-5-32-545
  Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
  Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight
[2017/01/10 13:00:47.698611, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID. Conversion was returned as type 0, full token:
[2017/01/10 13:00:47.775770, 0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (3):
    SID[ 0]: S-1-5-7
    SID[ 1]: S-1-1-0
    SID[ 2]: S-1-5-2
  Privileges (0x 0):
  Rights (0x 0):
[2017/01/10 13:00:48.394629, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a UID. Conversion was returned as type 0, full token:
[2017/01/10 13:00:48.409271, 0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (7):
    SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
    SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-32-554
    SID[ 6]: S-1-5-32-545
  Privileges (0x 800000):
  Rights (0x 400):

root at dc01:~# samba -b
Samba version: 4.5.0
Build environment:
   Build host:  Linux dc01 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64 GNU/Linux
Paths:
   BINDIR: /usr/bin
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   NCALRPCDIR: /var/run/samba/ncalrpc
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   DATADIR: /usr/share
   MODULESDIR: /usr/lib/samba
   LOCKDIR: /var/lock/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PIDDIR: /var/run/samba
   PRIVATE_DIR: /var/lib/samba/private
   CODEPAGEDIR: /usr/share/samba/codepages
   SETUPDIR: /usr/share/samba/setup
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
root at dc01:~#

That looks like my issue, but I am not sure.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/11/2017 11:05 AM, lingpanda101 via samba wrote:
> On 1/11/2017 9:23 AM, Ryan Ashley via samba wrote:
>> I started getting NT_STATUS_INVALID at a client location recently and
>> now everything has stopped working. Upon a day of searching and testing,
>> I realized that my idmap.ldb is likely corrupt. How can I recover from
>> this, shy of creating a new domain from scratch? The NAS devices no
>> longer authenticate users so files are inaccessible, computers cannot
>> access the sysvol, and sysvolreset/sysvolcheck both fail. Thanks in
>> advance for any help in this matter.
>>
>
> If you have a secondary DC that has a good idmap.ldb, transfer the FSMO
> roles and remove the corrupt DC. Second option is to restore from
> backups. Otherwise you can try and manually recover by posting your
> error logs from Samba and your smb.conf.
>
On Wed, 11 Jan 2017 12:14:32 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> Rowland, no domain user can authenticate on any system and running
> sysvolreset followed by sysvolcheck results in a crash. If the sysvol
> permissions are correct, sysvolcheck does not crash. If I attempt to
> join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
> Researching these symptoms turns up a thread about a corrupt idmap.ldb
> where a group SID and user SID may be the same or something like that.
>
> They've been down for two days now. They do not have a backup DC. They
> did, but it was struck by lightning (it got the battery backup and all)
> and they chose not to replace it, against my recommendation. Either
> way, no backup DC to recover with.
>
> Finally, which logs would you like to see? My winbindd-idmap log has
> nothing but segfaults logged. What log should I check? The only thing
> which stood out was the smbd log, which I pasted part of below.
>
> [...]
>
> That looks like my issue, but I am not sure.
>
> [...]

You could try examining idmap.ldb:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

It should contain records like these:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
cn: S-1-5-21-1768301897-3342589593-1064908849-502
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
type: ID_TYPE_BOTH
xidNumber: 3000045
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-502

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
cn: S-1-5-21-1768301897-3342589593-1064908849-2101
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
type: ID_TYPE_BOTH
xidNumber: 3000046
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-2101

Check for duplicate 'xidNumbers'.
Also, as you say the other DC died (or is that fried?), check the FSMO
roles and ensure there is no mention of the dead DC in sam.ldb (you may
have to use '--cross-ncs' & '--show-binary' with ldbsearch or ldbedit).

Rowland
On 1/11/2017 12:14 PM, Ryan Ashley via samba wrote:
> Rowland, no domain user can authenticate on any system and running
> sysvolreset followed by sysvolcheck results in a crash. If the sysvol
> permissions are correct, sysvolcheck does not crash. If I attempt to
> join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
> Researching these symptoms turns up a thread about a corrupt idmap.ldb
> where a group SID and user SID may be the same or something like that.
>
> [...]
>
> That looks like my issue, but I am not sure.
>
> [...]

I'm reminded of this bug

https://bugzilla.samba.org/show_bug.cgi?id=12410

with regards to your issue. You didn't post your smb.conf, so can't say
for sure.

-- 
- James
Rowland, the secondary DC died, this is the primary, and yes it was
fried. Smelled like somebody was cooking s'mores made of electrical wires
and circuit boards in that room!

Is there a way to have ldbedit output that data so I can grep xidNumber?
There is a lot in there and keeping up with all of those numbers is a
pain.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/11/2017 12:33 PM, Rowland Penny via samba wrote:
> On Wed, 11 Jan 2017 12:14:32 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>
>> [...]
>
> You could try examining idmap.ldb:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> It should contain records like these:
>
> [...]
>
> Check for duplicate 'xidNumbers'
> Also, as you say the other DC died (or is that fried ?), check the FSMO
> roles and ensure there is no mention of the dead DC in sam.ldb (you may
> have to use '--cross-ncs' & '--show-binary' with ldbsearch or ldbedit)
>
> Rowland
>
I forgot about ldbsearch. Here is a dump of xid numbers.

root at dc01:~# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber
xidNumber: 3000028
xidNumber: 3000013
xidNumber: 3000033
xidNumber: 3000003
xidNumber: 3000032
xidNumber: 3000023
xidNumber: 3000019
xidNumber: 3000010
xidNumber: 65534
xidNumber: 3000031
xidNumber: 3000022
xidNumber: 3000026
xidNumber: 3000017
xidNumber: 3000027
xidNumber: 3000016
xidNumber: 3000030
xidNumber: 3000021
xidNumber: 3000004
xidNumber: 100
xidNumber: 3000008
xidNumber: 3000011
xidNumber: 0
xidNumber: 3000009
xidNumber: 3000025
xidNumber: 3000000
xidNumber: 3000001
xidNumber: 3000002
xidNumber: 3000014
xidNumber: 3000029
xidNumber: 3000020
xidNumber: 3000005
xidNumber: 3000006
xidNumber: 3000007
xidNumber: 3000018
xidNumber: 3000012
xidNumber: 3000024
xidNumber: 3000015

Is an xid number supposed to go all the way down to 0?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/11/2017 12:33 PM, Rowland Penny via samba wrote:
> On Wed, 11 Jan 2017 12:14:32 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>
>> [...]
>
> You could try examining idmap.ldb:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> It should contain records like these:
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> cn: S-1-5-21-1768301897-3342589593-1064908849-502
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
> type: ID_TYPE_BOTH
> xidNumber: 3000045
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-502
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> cn: S-1-5-21-1768301897-3342589593-1064908849-500
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
> cn: S-1-5-21-1768301897-3342589593-1064908849-2101
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
> type: ID_TYPE_BOTH
> xidNumber: 3000046
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
>
> Check for duplicate 'xidNumbers'
> Also, as you say the other DC died (or is that fried ?), check the FSMO
> roles and ensure there is no mention of the dead DC in sam.ldb (you may
> have to use '--cross-ncs' & '--show-binary' with ldbsearch or ldbedit)
>
> Rowland
>
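Editor's added example, not code from any poster in this thread: Rowland's advice is to look for duplicate xidNumbers in idmap.ldb, and the `ldbsearch | grep xidNumber` dump above throws away the objectSid and type that a duplicate has to be traced back to. The script below keeps the three fields together. It parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints (records separated by blank lines; a CN=CONFIG record with no xidNumber is skipped because it never sets one), reports every xidNumber owned by more than one SID, and lists the mappings that sit below the pool floor so an xid of 0, 100 or 65534 can be matched to its SID (Rowland's sample shows RID 500 legitimately mapped to xidNumber 0 as ID_TYPE_UID). The SAMPLE_LDIF records are constructed for the demonstration; the SIDs, xidNumbers and the 3000000 floor (the lower bound of the DC's default idmap pool, passed as a parameter) are assumptions, not data from this domain.

```shell
#!/bin/sh
# Added example: audit an LDIF dump of idmap.ldb for xidNumbers that map
# to more than one SID, keeping the SID and type with each number.
# Real use:  ldbsearch -H /var/lib/samba/private/idmap.ldb | find_dup_xids
# The SAMPLE_LDIF below is constructed; SIDs and xids are placeholders.

SAMPLE_LDIF='# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
distinguishedName: CN=CONFIG

dn: CN=S-1-5-21-1-2-3-500
cn: S-1-5-21-1-2-3-500
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1-2-3-500

dn: CN=S-1-5-21-1-2-3-1105
cn: S-1-5-21-1-2-3-1105
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-1105
type: ID_TYPE_UID
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-1-2-3-1105

dn: CN=S-1-5-21-1-2-3-515
cn: S-1-5-21-1-2-3-515
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-515
type: ID_TYPE_GID
xidNumber: 3000013
distinguishedName: CN=S-1-5-21-1-2-3-515

dn: CN=S-1-5-21-1-2-3-2101
cn: S-1-5-21-1-2-3-2101
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-2101
type: ID_TYPE_BOTH
xidNumber: 3000014
distinguishedName: CN=S-1-5-21-1-2-3-2101'

# Emit one "xidNumber type objectSid" line per sidMap record read on stdin.
# LDIF records end at a blank line (or EOF); a record that never set an
# xidNumber, such as CN=CONFIG, is dropped at flush time.
idmap_triples() {
    awk '
        /^xidNumber: / { xid = $2 }
        /^objectSid: / { sid = $2 }
        /^type: /      { typ = $2 }
        /^$/ { flush() }
        END  { flush() }
        function flush() {
            if (xid != "") printf "%s %s %s\n", xid, typ, sid
            xid = ""; sid = ""; typ = ""
        }
    '
}

# Print each xidNumber that is owned by two or more SIDs, with every
# owner as type/SID, lowest xid first. Empty output means no duplicates.
find_dup_xids() {
    idmap_triples | awk '
        { n[$1]++; who[$1] = who[$1] " " $2 "/" $3 }
        END {
            for (x in n)
                if (n[x] > 1) printf "xid %s shared by:%s\n", x, who[x]
        }
    ' | sort -k2,2n
}

# List mappings whose xidNumber is below the pool floor (default 3000000)
# so that a 0, 100 or 65534 can be traced to the SID that owns it.
low_xids() {
    floor=${1:-3000000}
    idmap_triples | awk -v floor="$floor" '$1 + 0 < floor + 0' | sort -n
}

# Demo on the constructed sample; pipe real ldbsearch output in instead.
printf '%s\n' "$SAMPLE_LDIF" | find_dup_xids
printf '%s\n' "$SAMPLE_LDIF" | low_xids
```

On the constructed sample the first call reports that xid 3000013 is shared by a user SID (RID 1105) and a group SID (RID 515), which is exactly the "group SID and user SID the same" shape described earlier in the thread; the second call shows only RID 500 sitting below the floor. A duplicate like that means two different security principals resolve to one Unix ID, so any fix to idmap.ldb should be made on a copy of the file with Samba stopped, and the original kept.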