I forgot about ldbsearch. Here is a dump of xid numbers.
root@dc01:~# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber
xidNumber: 3000028
xidNumber: 3000013
xidNumber: 3000033
xidNumber: 3000003
xidNumber: 3000032
xidNumber: 3000023
xidNumber: 3000019
xidNumber: 3000010
xidNumber: 65534
xidNumber: 3000031
xidNumber: 3000022
xidNumber: 3000026
xidNumber: 3000017
xidNumber: 3000027
xidNumber: 3000016
xidNumber: 3000030
xidNumber: 3000021
xidNumber: 3000004
xidNumber: 100
xidNumber: 3000008
xidNumber: 3000011
xidNumber: 0
xidNumber: 3000009
xidNumber: 3000025
xidNumber: 3000000
xidNumber: 3000001
xidNumber: 3000002
xidNumber: 3000014
xidNumber: 3000029
xidNumber: 3000020
xidNumber: 3000005
xidNumber: 3000006
xidNumber: 3000007
xidNumber: 3000018
xidNumber: 3000012
xidNumber: 3000024
xidNumber: 3000015
Is an xid number supposed to go all the way down to 0?
Lead IT/IS Specialist
Reach Technology FP, Inc
On 01/11/2017 12:33 PM, Rowland Penny via samba wrote:
> On Wed, 11 Jan 2017 12:14:32 -0500
> Ryan Ashley via samba <samba@lists.samba.org> wrote:
>
>> Rowland, no domain user can authenticate on any system and running
>> sysvolreset followed by sysvolcheck results in a crash. If the sysvol
>> permissions are correct, sysvolcheck does not crash. If I attempt to
>> join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID.
>> Researching these symptoms turns up a thread about a corrupt idmap.ldb
>> where a group SID and user SID may be the same or something like that.
>>
>> They've been down for two days now. They do not have a backup DC. They
>> did, but it was struck by lightning (it got the battery backup and all)
>> and they chose not to replace it, against my recommendation. Either
>> way, no backup DC to recover with.
>>
>> Finally, which logs would you like to see? My winbindd-idmap log has
>> nothing but segfaults logged. What log should I check? The only thing
>> which stood out was the smbd log, which I pasted part of below.
>>
>> [2017/01/10 13:00:45.581992, 0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>> Unable to convert first SID (S-1-5-7) in user token to a UID.
>> Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:45.659202, 0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>> Security token SIDs (3):
>> SID[ 0]: S-1-5-7
>> SID[ 1]: S-1-1-0
>> SID[ 2]: S-1-5-2
>> Privileges (0x 0):
>> Rights (0x 0):
>> [2017/01/10 13:00:46.378251, 0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>> Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:46.425549, 0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>> Security token SIDs (7):
>> SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>> SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
>> SID[ 2]: S-1-1-0
>> SID[ 3]: S-1-5-2
>> SID[ 4]: S-1-5-11
>> SID[ 5]: S-1-5-32-554
>> SID[ 6]: S-1-5-32-545
>> Privileges (0x 800000):
>> Privilege[ 0]: SeChangeNotifyPrivilege
>> Rights (0x 400):
>> Right[ 0]: SeRemoteInteractiveLogonRight
>> [2017/01/10 13:00:47.052039, 0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>> Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:47.133721, 0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>> Security token SIDs (7):
>> SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>> SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
>> SID[ 2]: S-1-1-0
>> SID[ 3]: S-1-5-2
>> SID[ 4]: S-1-5-11
>> SID[ 5]: S-1-5-32-554
>> SID[ 6]: S-1-5-32-545
>> Privileges (0x 800000):
>> Privilege[ 0]: SeChangeNotifyPrivilege
>> Rights (0x 400):
>> Right[ 0]: SeRemoteInteractiveLogonRight
>> [2017/01/10 13:00:47.698611, 0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>> Unable to convert first SID (S-1-5-7) in user token to a UID.
>> Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:47.775770, 0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>> Security token SIDs (3):
>> SID[ 0]: S-1-5-7
>> SID[ 1]: S-1-1-0
>> SID[ 2]: S-1-5-2
>> Privileges (0x 0):
>> Rights (0x 0):
>> [2017/01/10 13:00:48.394629, 0]
>> ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>> Unable to convert first SID
>> (S-1-5-21-2812428577-3463248684-2415680475-1105) in user token to a
>> UID. Conversion was returned as type 0, full token:
>> [2017/01/10 13:00:48.409271, 0]
>> ../libcli/security/security_token.c:63(security_token_debug)
>> Security token SIDs (7):
>> SID[ 0]: S-1-5-21-2812428577-3463248684-2415680475-1105
>> SID[ 1]: S-1-5-21-2812428577-3463248684-2415680475-515
>> SID[ 2]: S-1-1-0
>> SID[ 3]: S-1-5-2
>> SID[ 4]: S-1-5-11
>> SID[ 5]: S-1-5-32-554
>> SID[ 6]: S-1-5-32-545
>> Privileges (0x 800000):
>> Rights (0x 400):
>> root@dc01:~# samba -b
>> Samba version: 4.5.0
>> Build environment:
>> Build host: Linux dc01 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64
>> GNU/Linux
>> Paths:
>> BINDIR: /usr/bin
>> SBINDIR: /usr/sbin
>> CONFIGFILE: /etc/samba/smb.conf
>> NCALRPCDIR: /var/run/samba/ncalrpc
>> LOGFILEBASE: /var/log/samba
>> LMHOSTSFILE: /etc/samba/lmhosts
>> DATADIR: /usr/share
>> MODULESDIR: /usr/lib/samba
>> LOCKDIR: /var/lock/samba
>> STATEDIR: /var/lib/samba
>> CACHEDIR: /var/cache/samba
>> PIDDIR: /var/run/samba
>> PRIVATE_DIR: /var/lib/samba/private
>> CODEPAGEDIR: /usr/share/samba/codepages
>> SETUPDIR: /usr/share/samba/setup
>> WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
>> WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
>> NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
>> root@dc01:~#
>>
>> That looks like my issue, but I am not sure.
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 01/11/2017 11:05 AM, lingpanda101 via samba wrote:
>>> On 1/11/2017 9:23 AM, Ryan Ashley via samba wrote:
>>>> I started getting NT_STATUS_INVALID at a client location recently
>>>> and now everything has stopped working. Upon a day of searching
>>>> and testing, I realized that my idmap.ldb is likely corrupt. How
>>>> can I recover from this, shy of creating a new domain from
>>>> scratch? The NAS devices no longer authenticate users so files are
>>>> inaccessible, computers cannot access the sysvol, and
>>>> sysvolreset/sysvolcheck both fail. Thanks in advance for any help
>>>> in this matter.
>>>>
>>>
>>> If you have a secondary DC that has a good idmap.ldb, transfer the
>>> FSMO roles and remove the corrupt DC. Second option is to restore
>>> from backups. Otherwise you can try and manually recover by posting
>>> your error logs from Samba and your smb.conf.
>>>
>>
>
> You could try examining idmap.ldb:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> It should contain records like these:
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
> cn: S-1-5-21-1768301897-3342589593-1064908849-502
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
> type: ID_TYPE_BOTH
> xidNumber: 3000045
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-502
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> cn: S-1-5-21-1768301897-3342589593-1064908849-500
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
> cn: S-1-5-21-1768301897-3342589593-1064908849-2101
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
> type: ID_TYPE_BOTH
> xidNumber: 3000046
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
>
> Check for duplicate 'xidNumbers'
> Also, as you say the other DC died (or is that fried?), check the FSMO
> roles and ensure there is no mention of the dead DC in sam.ldb (you may
> have to use '--cross-ncs' & '--show-binary' with ldbsearch or ldbedit)
>
> Rowland
>
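As an added worked example for the check Rowland asks for (this is not code from the thread or from Samba): a small script that parses the LDIF ldbsearch prints for idmap.ldb and reports, first, every xidNumber that is shared by more than one SID, and second, every entry whose xid lies outside the 3000000 block so it can be inspected by hand. The sample input is constructed: three records copied from Rowland's reply plus one invented record that reuses xid 3000045 to plant a duplicate. The 3000000-4000000 bounds are an assumption taken from the numbers seen in this thread, and an out-of-range entry is only a candidate for inspection, since Rowland's own sample maps RID 500 to xid 0.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the form ldbsearch prints. Records 1-3 copy the
# records Rowland pasted; record 4 is invented and reuses xid 3000045.
SAMPLE_LDIF = """\
# record 1
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
cn: S-1-5-21-1768301897-3342589593-1064908849-502
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
type: ID_TYPE_BOTH
xidNumber: 3000045
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-502

# record 2
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

# record 3
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-2101
cn: S-1-5-21-1768301897-3342589593-1064908849-2101
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-2101
type: ID_TYPE_BOTH
xidNumber: 3000046
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-2101

# record 4 (constructed for this example: duplicate xid)
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-1105
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1105
type: ID_TYPE_UID
xidNumber: 3000045

# returned 4 records
"""


def parse_idmap_ldif(text):
    """Parse ldbsearch output into a list of {attribute: value} dicts.

    Records are separated by blank lines, '#' lines are ldbsearch commentary,
    and a line starting with a space continues the previous value (LDIF
    folding). Only sidMap records are kept; CN=CONFIG and the like are skipped.
    """
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        attrs, last = {}, None
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and last:
                attrs[last] += line[1:]
                continue
            key, sep, value = line.partition(":")
            if sep:
                last = key.strip()
                attrs[last] = value.strip()
        if attrs.get("objectClass") == "sidMap":
            records.append(attrs)
    return records


def find_duplicate_xids(records):
    """Return {xid: [sids]} for every xidNumber used by more than one SID."""
    by_xid = defaultdict(list)
    for rec in records:
        by_xid[int(rec["xidNumber"])].append(rec["objectSid"])
    return {xid: sids for xid, sids in sorted(by_xid.items()) if len(sids) > 1}


def find_out_of_range(records, low=3000000, high=4000000):
    """Return [(sid, xid, type)] for entries whose xid is outside [low, high).

    The default bounds are an assumption for this example, taken from the
    3000000 block seen in the thread; adjust them if your allocator range
    differs. A hit is a candidate for manual inspection, not proof of
    corruption (Rowland's sample maps RID 500 to xid 0 on purpose).
    """
    out = []
    for rec in records:
        xid = int(rec["xidNumber"])
        if not low <= xid < high:
            out.append((rec["objectSid"], xid, rec.get("type", "?")))
    return out


def report(text):
    """Build a human-readable summary of both checks over one LDIF dump."""
    records = parse_idmap_ldif(text)
    dups = find_duplicate_xids(records)
    odd = find_out_of_range(records)
    lines = [f"{len(records)} sidMap records"]
    for xid, sids in dups.items():
        lines.append(f"DUPLICATE xidNumber {xid}: " + ", ".join(sids))
    for sid, xid, kind in odd:
        lines.append(f"outside 3000000 block: {sid} -> {xid} ({kind})")
    if not dups and not odd:
        lines.append("no duplicate or out-of-range xidNumbers")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real data in: ldbsearch -H /var/lib/samba/private/idmap.ldb | python3 check_idmap.py
    src = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    print(report(src))
```

Run it as `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' | python3 check_idmap.py` on the DC (the script name is arbitrary); with nothing piped in it runs over the constructed sample and reports the planted duplicate. The duplicate list is the thing to act on; the out-of-range list is there only so that the entries behind values like 0, 100 or 65534 in a grep dump can be looked up by SID rather than guessed at.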