Gyrfalcon
2021-Nov-07 04:31 UTC
[Samba] Samba DC: Unable to convert first SID / NT_STATUS_INVALID_SID
I recently added a second domain controller to my environment, running Samba 4.14.18 (Fedora 34). I have had a single domain controller running Samba 4.9.4 (Fedora 29) for a few years, and it has been working quite well. Frequently, member servers (winbind) report a "no logon servers" error and fail to authenticate users. When this happens, I see errors like this in the Samba log on the new DC:

```
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Unable to convert first SID (S-1-5-21-3156550515-2802089874-1331173653-1152) in user token to a UID. Conversion was returned as type 0, full token:
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Security token SIDs (7):
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 0]: S-1-5-21-3156550515-2802089874-1331173653-1152
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 1]: S-1-5-21-3156550515-2802089874-1331173653-515
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 2]: S-1-1-0
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 3]: S-1-5-2
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 4]: S-1-5-11
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 5]: S-1-5-32-545
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 6]: S-1-5-32-554
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Privileges (0x 800000):
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Privilege[ 0]: SeChangeNotifyPrivilege
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Rights (0x 400):
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Right[ 0]: SeRemoteInteractiveLogonRight
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_SID] || at ../../source3/smbd/smb2_sesssetup.c:146
```

The mentioned SID belongs to a computer account. Is this expected behavior now? Do computer accounts need a uidNumber attribute now? I never had to assign them before.
Anyway, I tried assigning a uidNumber to one of the computer accounts that was having a problem, and then a similar error occurred, referring to the "Domain Computers" group. I assigned a gidNumber to it, but that just led to this:

```
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Unable to convert SID (S-1-1-0) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Security token SIDs (7):
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 0]: S-1-5-21-3156550515-2802089874-1331173653-1109
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 1]: S-1-5-21-3156550515-2802089874-1331173653-515
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 2]: S-1-1-0
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 3]: S-1-5-2
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 4]: S-1-5-11
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 5]: S-1-5-32-545
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 6]: S-1-5-32-554
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Privileges (0x 800000):
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Privilege[ 0]: SeChangeNotifyPrivilege
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Rights (0x 400):
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Right[ 0]: SeRemoteInteractiveLogonRight
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_SID] || at ../../source3/smbd/smb2_sesssetup.c:146
```

My smb.conf is as follows (identical on both DCs, except the netbios name of course):

```
[global]
netbios name = DC2
realm = PYROCUFFLINK.BLUE
server role = active directory domain controller
workgroup = PYROCUFFLINK
timestamp logs = no
logging = systemd file@0
log level = 3
log file = /dev/null
idmap_ldb:use rfc2307 = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls keyfile = /etc/pki/tls/private/samba.key
tls certfile = /etc/pki/tls/certs/samba.cer
tls cafile = /etc/pki/tls/certs/samba-ca.crt

[netlogon]
path = /var/lib/samba/sysvol/pyrocufflink.blue/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
```

I am not sure where to look next. Everything works well as long as clients communicate with the original DC. LDAP and Kerberos work well on both DCs; it seems to be only Windows RPC that is a problem. Any assistance would be most appreciated.

Dustin
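To make sense of token dumps like the two in the post above, here is an added Python example (not code from the thread or from the Samba project). It parses the smbd "Unable to convert ... SID" lines out of a journal excerpt, pulls the full token that follows, and says for each SID which mapping path a Samba AD DC with `idmap_ldb:use rfc2307 = yes` would take: domain SIDs (S-1-5-21-...) can come from the AD object's uidNumber/gidNumber, everything else is allocated in the DC's local idmap.ldb. The sample log text is the poster's dump, trimmed; the well-known SID names and the fixed domain RIDs are standard Windows values.

```python
"""Parse smbd "Unable to convert ... SID" token dumps and classify each SID.

Added example, not code from the Samba project or from the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the first token dump from the post, journal prefix kept
# so the regexes are exercised against real smbd output.
SAMPLE_UID_FAILURE = """\
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Unable to convert first SID (S-1-5-21-3156550515-2802089874-1331173653-1152) in user token to a UID. Conversion was returned as type 0, full token:
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: Security token SIDs (7):
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 0]: S-1-5-21-3156550515-2802089874-1331173653-1152
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 1]: S-1-5-21-3156550515-2802089874-1331173653-515
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 2]: S-1-1-0
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 3]: S-1-5-2
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 4]: S-1-5-11
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 5]: S-1-5-32-545
Nov 07 03:45:01 dc2.pyrocufflink.blue smbd[117614]: SID[ 6]: S-1-5-32-554
"""
# Constructed sample: head of the second dump (after uidNumber/gidNumber were set).
SAMPLE_GID_FAILURE = """\
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Unable to convert SID (S-1-1-0) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: Security token SIDs (7):
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 0]: S-1-5-21-3156550515-2802089874-1331173653-1109
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 1]: S-1-5-21-3156550515-2802089874-1331173653-515
Nov 07 03:54:28 dc2.pyrocufflink.blue smbd[117819]: SID[ 2]: S-1-1-0
"""

# Well-known SIDs seen in the posted tokens (standard Windows values).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
# Fixed RIDs of the built-in domain groups.
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users",
               515: "Domain Computers", 516: "Domain Controllers"}

FAIL_RE = re.compile(
    r"Unable to convert (?:first )?SID \((S-[\d-]+)\)"
    r"(?: at index (\d+))? in user token to a (UID|GID)")
SID_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-[\d-]+)")


@dataclass
class TokenFailure:
    failed_sid: str
    wanted: str                    # "UID" or "GID"
    index: int                     # position in the token; "first SID" is 0
    token: List[str] = field(default_factory=list)


def parse_token_dump(log_text: str) -> Optional[TokenFailure]:
    """Extract the failing SID and the token SIDs that smbd dumps after it."""
    failure = None
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and failure is None:
            sid, idx, kind = m.groups()
            failure = TokenFailure(sid, kind, int(idx) if idx else 0)
            continue
        m = SID_RE.search(line)
        if m and failure is not None:
            failure.token.append(m.group(2))
    return failure


def classify_sid(sid: str) -> str:
    """Name the SID and say which mapping path a Samba AD DC uses for it.

    With idmap_ldb:use rfc2307 = yes a domain SID is resolved through the
    uidNumber/gidNumber attribute of its AD object when one is set; without
    that attribute, and for every non-domain SID, the DC allocates an
    xidNumber in its local idmap.ldb.
    """
    if sid in WELL_KNOWN:
        return f"well-known ({WELL_KNOWN[sid]}): local idmap.ldb allocation"
    if sid.startswith("S-1-5-32-"):
        return "BUILTIN alias: local idmap.ldb allocation"
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        who = DOMAIN_RIDS.get(rid, f"domain object RID {rid}")
        return f"domain SID ({who}): rfc2307 uidNumber/gidNumber or idmap.ldb"
    return "other: local idmap.ldb allocation"


def report(log_text: str) -> List[Tuple[str, str, bool]]:
    """Return (sid, verdict, is_the_failing_sid) for every SID in the token."""
    failure = parse_token_dump(log_text)
    if failure is None:
        return []
    return [(sid, classify_sid(sid), sid == failure.failed_sid)
            for sid in failure.token]
```

Running `report()` over a dump read from `journalctl -u samba` marks exactly one row as the SID the conversion stopped at, which is the object (or idmap.ldb entry) to inspect first; the rest of the rows show what else the same session would have needed to map.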
Rowland Penny
2021-Nov-07 09:50 UTC
[Samba] Samba DC: Unable to convert first SID / NT_STATUS_INVALID_SID
On Sun, 2021-11-07 at 04:31 +0000, Gyrfalcon via samba wrote:
> I recently added a second domain controller to my environment,
> running Samba 4.14.18 (Fedora 34). I have had a single domain
> controller running Samba 4.9.4 (Fedora 29) for a few years, and it
> has been working quite well.

Are you using the standard Fedora Samba packages? If so, are you aware that, because they use MIT Kerberos, they are marked as experimental?

Rowland