Andreas Gaiser
2018-Apr-03 14:49 UTC
[Samba] Issues with RPC, SID resolving; cannot use RSAT
Seems removing idmap settings from smb.conf on both DCs having them has fixed it. smbclient and ADUC work as expected, now. Thank you!

> I'm running a setup with 3 DCs, all Samba 4.5.12, Debian Stretch (is
> patched for CVE-2018-1057, "samba_CVE-2018-1057_helper" been used).
>
> Probably unrelated to the upgrade and patch for CVE-2018-1057, there's
> a new problem coming up.
>
> RSAT fails to start/connect, complaining about RPC-Server
> unavailability. On the DCs I've tried with smbclient and get the
> following:
>
> root@vts5:/etc/samba# smbclient -L localhost -U Administrator
> Enter Administrator's password:
> session setup failed: NT_STATUS_INVALID_SID
>
> This is also consistent with log entries like this:
>
> [2018/04/03 11:37:48.411748, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
>   Unable to convert first SID (S-1-5-21-1449862128-1716478392-3139764938-1176) in user token to a UID.
>   Conversion was returned as type 0, full token:
> [2018/04/03 11:37:48.411820, 0] ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (7):
>     SID[ 0]: S-1-5-21-1449862128-1716478392-3139764938-1176
>     SID[ 1]: S-1-5-21-1449862128-1716478392-3139764938-515
>     SID[ 2]: S-1-1-0
>     SID[ 3]: S-1-5-2
>     SID[ 4]: S-1-5-11
>     SID[ 5]: S-1-5-32-554
>     SID[ 6]: S-1-5-32-545
>
> It is not like only one specific SID is affected. I find this for many
> different ones, including S-1-1-0.
>
> net cache list is showing me funny stuff like this:
>
> Key: IDMAP/GID2SID/3000017 Timeout: 11:23:09 Value: - (expired)
> Key: IDMAP/SID2XID/S-1-5-32-545 Timeout: 11:40:46 Value: -1:N
>
> ...
>
> Key: IDMAP/SID2XID/S-1-5-21-1449862128-1716478392-3139764938-3708 Timeout: 11:41:17 Value: -1:N
>
> ...
>
> Key: IDMAP/SID2XID/S-1-5-21-1449862128-1716478392-3139764938-3680 Timeout: 11:38:37 Value: -1:N (expired)
>
> At the moment I'm blocked making any changes to the Domain, so I
> appreciate any help solving this issue.

--
Andreas Gaiser
network systems
wegewerk gmbh