OK, I noticed that also, but why does everything return NT_STATUS_INVALID_SID? Even if I run "smbclient -L \\localhost -U adminnamehere" on the DC itself, I get the error. At this point we are looking at erasing every workstation, wiping the DC, and starting from scratch. It has been a week and not even rolling back to 4.4 fixed it. What should my next steps be? I attached the server configuration file for reference. Note that it has run this way for a year without a hitch and nothing has been changed since day 1.

# Global parameters
[global]
    workgroup = TRUEVINE
    realm = TRUEVINE.LAN
    netbios name = DC01
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    idmap config *:backend = tdb
    idmap config *:range = 2001-10000
    idmap config TRUEVINE:backend = ad
    idmap config TRUEVINE:schema_mode = rfc2307
    idmap config TRUEVINE:range = 10001-20000
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 255

[netlogon]
    path = /var/lib/samba/sysvol/truevine.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/12/2017 10:54 AM, Rowland Penny via samba wrote:
> On Thu, 12 Jan 2017 10:32:59 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>
>> I forgot about ldbsearch. Here is a dump of xid numbers.
>>
>> root@dc01:~# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber
>> xidNumber: 3000028
>> xidNumber: 3000013
>> xidNumber: 3000033
>> xidNumber: 3000003
>> xidNumber: 3000032
>> xidNumber: 3000023
>> xidNumber: 3000019
>> xidNumber: 3000010
>> xidNumber: 65534
>> xidNumber: 3000031
>> xidNumber: 3000022
>> xidNumber: 3000026
>> xidNumber: 3000017
>> xidNumber: 3000027
>> xidNumber: 3000016
>> xidNumber: 3000030
>> xidNumber: 3000021
>> xidNumber: 3000004
>> xidNumber: 100
>> xidNumber: 3000008
>> xidNumber: 3000011
>> xidNumber: 0
>> xidNumber: 3000009
>> xidNumber: 3000025
>> xidNumber: 3000000
>> xidNumber: 3000001
>> xidNumber: 3000002
>> xidNumber: 3000014
>> xidNumber: 3000029
>> xidNumber: 3000020
>> xidNumber: 3000005
>> xidNumber: 3000006
>> xidNumber: 3000007
>> xidNumber: 3000018
>> xidNumber: 3000012
>> xidNumber: 3000024
>> xidNumber: 3000015
>>
>> Is an xid number supposed to go all the way down to 0?
>>
>
> Yes, '0' is administrator (and also root)
> '100' is the users group and '65534' is the user 'nobody'
>
> Only problem I can see, you do not have any duplicate xidNumbers, but
> that doesn't mean you don't have any SIDs with more than one xidNumber
>
> Rowland
>

On Fri, 13 Jan 2017 12:46:27 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> OK, I noticed that also, but why does everything return
> NT_STATUS_INVALID_SID? Even if I run "smbclient -L \\localhost -U
> adminnamehere" on the DC itself, I get the error. At this point we are
> looking at erasing every workstation, wiping the DC, and starting from
> scratch. It has been a week and not even rolling back to 4.4 fixed it.
> What should my next steps be? I attached the server configuration file
> for reference. Note that it has run this way for a year without a
> hitch and nothing has been changed since day 1.
>
> # Global parameters
> [global]
>     workgroup = TRUEVINE
>     realm = TRUEVINE.LAN
>     netbios name = DC01
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>     drepl, winbindd, ntp_signd, kcc, dnsupdate
>     idmap_ldb:use rfc2307 = yes
>     idmap config *:backend = tdb
>     idmap config *:range = 2001-10000
>     idmap config TRUEVINE:backend = ad
>     idmap config TRUEVINE:schema_mode = rfc2307
>     idmap config TRUEVINE:range = 10001-20000
>     domain master = yes
>     local master = yes
>     preferred master = yes
>     os level = 255
>
> [netlogon]
>     path = /var/lib/samba/sysvol/truevine.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>

Now I have seen your smb.conf, I think I can tell you why you are getting 'NT_STATUS_INVALID_SID'

You have 'idmap config' lines, these do nothing on a DC, or rather they did nothing until 4.5.0, now they cause errors, so I would remove them. I would also remove the 'master' lines and the 'os' line.

When 4.6.0 comes out, it is my understanding that you will not have this problem, Samba will flat out refuse to start if you have the idmap lines in smb.conf ;-)

Rowland

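A pre-restart check for the advice in the reply above, as an added example that is not part of the original thread and not Samba's own tooling: it scans the [global] section of an smb.conf and, when the server role is an AD DC, reports the 'idmap config', master-browser and 'os level' lines the reply says to remove. The names `lint_dc_conf`, `_squash` and `SAMPLE_SMB_CONF` are hypothetical, and the sample is an abridged copy of the posted config.

```python
import re

# Constructed sample: abridged from the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TRUEVINE
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    idmap config *:backend = tdb
    idmap config *:range = 2001-10000
    idmap config TRUEVINE:backend = ad
    idmap config TRUEVINE:schema_mode = rfc2307
    idmap config TRUEVINE:range = 10001-20000
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 255
[sysvol]
    path = /var/lib/samba/sysvol
"""

DC_ROLE = "activedirectorydomaincontroller"
# Parameters the reply says to remove on a DC (names with whitespace stripped).
FLAGGED_EXACT = {"domainmaster", "localmaster", "preferredmaster", "oslevel"}

def _squash(text):
    """smb.conf names are case-insensitive and ignore whitespace."""
    return re.sub(r"\s+", "", text).lower()

def lint_dc_conf(conf_text):
    """Return [(line_no, line)] of [global] settings to remove on an AD DC."""
    section, is_dc, hits = None, False, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or commented-out line
        if line.startswith("[") and line.endswith("]"):
            section = _squash(line[1:-1])
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = _squash(name)
        if key == "serverrole" and _squash(value) == DC_ROLE:
            is_dc = True
        # 'idmap_ldb:use rfc2307' is not an 'idmap config' line, so not flagged.
        elif key.startswith("idmapconfig") or key in FLAGGED_EXACT:
            hits.append((no, line))
    return hits if is_dc else []
```

Running `lint_dc_conf(open("/etc/samba/smb.conf").read())` before restarting the service lists the offending lines with their line numbers; an empty list means none of the flagged settings are active.
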
Rowland, I commented out what you asked me to, no change.

# Global parameters
[global]
    workgroup = TRUEVINE
    realm = TRUEVINE.LAN
    netbios name = DC01
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbi$
#   idmap_ldb:use rfc2307 = yes
#   idmap config *:backend = tdb
#   idmap config *:range = 2001-10000
#   idmap config TRUEVINE:backend = ad
#   idmap config TRUEVINE:schema_mode = rfc2307
#   idmap config TRUEVINE:range = 10001-20000
#   domain master = yes
#   local master = yes
#   preferred master = yes
#   os level = 255

[netlogon]
    path = /var/lib/samba/sysvol/truevine.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Results:

root@dc01:~# nano -w /etc/samba/smb.conf
root@dc01:~# service samba4 stop
[ ok ] Stopping Samba AD DC daemon: samba.
root@dc01:~# service samba4 start
[ ok ] Starting Samba AD DC daemon: samba.
root@dc01:~# smbclient -L \\localhost -U administrator
Enter administrator's password:
session setup failed: NT_STATUS_INVALID_SID
root@dc01:~#

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/13/2017 01:07 PM, Rowland Penny via samba wrote:
> On Fri, 13 Jan 2017 12:46:27 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>
>> OK, I noticed that also, but why does everything return
>> NT_STATUS_INVALID_SID? Even if I run "smbclient -L \\localhost -U
>> adminnamehere" on the DC itself, I get the error. At this point we are
>> looking at erasing every workstation, wiping the DC, and starting from
>> scratch. It has been a week and not even rolling back to 4.4 fixed it.
>> What should my next steps be? I attached the server configuration file
>> for reference. Note that it has run this way for a year without a
>> hitch and nothing has been changed since day 1.
>>
>> # Global parameters
>> [global]
>>     workgroup = TRUEVINE
>>     realm = TRUEVINE.LAN
>>     netbios name = DC01
>>     server role = active directory domain controller
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>     drepl, winbindd, ntp_signd, kcc, dnsupdate
>>     idmap_ldb:use rfc2307 = yes
>>     idmap config *:backend = tdb
>>     idmap config *:range = 2001-10000
>>     idmap config TRUEVINE:backend = ad
>>     idmap config TRUEVINE:schema_mode = rfc2307
>>     idmap config TRUEVINE:range = 10001-20000
>>     domain master = yes
>>     local master = yes
>>     preferred master = yes
>>     os level = 255
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/truevine.lan/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>
> Now I have seen your smb.conf, I think I can tell you why you are
> getting 'NT_STATUS_INVALID_SID'
>
> You have 'idmap config' lines, these do nothing on a DC, or rather they
> did nothing until 4.5.0, now they cause errors, so I would remove them.
> I would also remove the 'master' lines and the 'os' line.
>
> When 4.6.0 comes out, it is my understanding that you will not have this
> problem, Samba will flat out refuse to start if you have the idmap
> lines in smb.conf ;-)
>
> Rowland
>
>