Sebastian Arcus
2022-Apr-11 09:02 UTC
[Samba] Unable to convert SID at index 2 in user token to a GID
I have a Samba 4.12.0 setup as AD DC with file sharing which has been working fine for about 2 years. Last week, while testing a GPO on the server and having to restart Samba a few times, it stopped allowing users to access network shares. When I try to access network shares from the Windows clients, I get the following:

"The security ID structure is invalid"

The following lines show up in the log in the Samba server:

[2022/04/11 09:46:45.560164,  0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
  Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
[2022/04/11 09:46:45.560319,  0] ../../libcli/security/security_token.c:56(security_token_debug)
  Security token SIDs (9):
    SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
    SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
    SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
    SID[  3]: S-1-5-21-138851786-1502048827-544947111-1117
    SID[  4]: S-1-1-0
    SID[  5]: S-1-5-2
    SID[  6]: S-1-5-11
    SID[  7]: S-1-5-32-545
    SID[  8]: S-1-5-32-554
   Privileges (0x         800000):
    Privilege[  0]: SeChangeNotifyPrivilege
   Rights (0x            400):
    Right[  0]: SeRemoteInteractiveLogonRight

I'm a little out of my depth here, as I don't quite understand what is going on. I am assuming it is not the GPO I was working on, as I removed it on the server and checked that the registry settings on the Windows clients have been reverted - so that side seems to be working fine. Any hints where to dig further would be much appreciated.
Below is my smb.conf:

[global]
bind interfaces only = Yes
interfaces = lo eth1 tun0
netbios name = SRV-01-AIRWISE
realm = AIRWISEPNEUMATICS.LAN
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = AIRWISE
idmap_ldb:use rfc2307 = yes
# act as a NTP/time server
time server = yes

####################################
# Misc options
mangling method = hash2
mangle prefix = 6
# reset a file lock if a new connection comes from the same IP
reset on zero vc = yes
# disconnect inactive clients after so many minutes
deadtime = 10

####################################
# Printing options
# automatically share all printers on the server
load printers = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork

[printers]
path = /var/spool/samba
printable = yes
printing = cups
cups options = raw

[print$]
path = /srv/samba/printer_drivers
read only = no

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/airwisepneumatics.lan/scripts
read only = No
Sebastian Arcus
2022-Apr-11 10:10 UTC
[Samba] Unable to convert SID at index 2 in user token to a GID
On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
> I have a Samba 4.12.0 setup as AD DC with file sharing which has been
> working fine for about 2 years. Last week, while testing a GPO on the
> server and having to restart Samba a few times, it stopped allowing
> users to access network shares. When I try to access network shares from
> the Windows clients, I get the following:
>
> "The security ID structure is invalid"
>
> The following lines show up in the log in the Samba server:
>
> [2022/04/11 09:46:45.560164,  0]
> ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
>   Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115)
> at index 2 in user token to a GID.  Conversion was returned as type 0,
> full token:
> [2022/04/11 09:46:45.560319,  0]
> ../../libcli/security/security_token.c:56(security_token_debug)
>   Security token SIDs (9):
>     SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
>     SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
>     SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
>     SID[  3]: S-1-5-21-138851786-1502048827-544947111-1117
>     SID[  4]: S-1-1-0
>     SID[  5]: S-1-5-2
>     SID[  6]: S-1-5-11
>     SID[  7]: S-1-5-32-545
>     SID[  8]: S-1-5-32-554
>    Privileges (0x         800000):
>     Privilege[  0]: SeChangeNotifyPrivilege
>    Rights (0x            400):
>     Right[  0]: SeRemoteInteractiveLogonRight

Some further info, which I assume is connected somehow. If I look up a user on the command line with 'id', it only shows as being part of the "Domain Users" group. But if I look it up through RSAT on Windows, it shows the additional groups it is part of. If I try to add it again to the groups it is supposed to be part of, using samba-tool, I get the following error:

ERROR: Failed to add members ['alan'] to group "ap-shares" - (68, 'Attribute member already exists for target GUID d37dcc81-314c-46d9-885c-1d200879e746')
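An added diagnostic for the log dump quoted in this thread; it is not code from the poster or from the Samba project. It parses the security_token_debug output (the sample text below is constructed from the lines in the post), separates the SIDs winbind maps on its own (well-known and BUILTIN SIDs) from the domain SIDs that need a UID/GID mapping, marks the SID the DC reported it could not convert, and decodes the "type 0" in the message using Samba's id_type enum (0 is ID_TYPE_NOT_SPECIFIED, i.e. no mapping was found). It also builds the `wbinfo --sid-to-gid` calls an admin would run on the DC for each domain group, and only executes them when wbinfo is installed. With `idmap_ldb:use rfc2307 = yes` a DC takes group GIDs from the group's gidNumber attribute when one is set, so a failing group SID is where to compare AD and idmap.ldb.

```python
"""Parse a Samba security_token_debug dump and show which SIDs must map
to a GID and which one failed (added example, not from the thread).
"""
import re
import shutil
import subprocess

# Constructed sample: the token dump as quoted in the post.
SAMPLE_LOG = """\
[2022/04/11 09:46:45.560164,  0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
  Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
[2022/04/11 09:46:45.560319,  0] ../../libcli/security/security_token.c:56(security_token_debug)
  Security token SIDs (9):
    SID[  0]: S-1-5-21-138851786-1502048827-544947111-1007
    SID[  1]: S-1-5-21-138851786-1502048827-544947111-513
    SID[  2]: S-1-5-21-138851786-1502048827-544947111-1115
    SID[  3]: S-1-5-21-138851786-1502048827-544947111-1117
    SID[  4]: S-1-1-0
    SID[  5]: S-1-5-2
    SID[  6]: S-1-5-11
    SID[  7]: S-1-5-32-545
    SID[  8]: S-1-5-32-554
"""

# Samba's id_type enum (librpc/idl/idmap.idl): what "type 0" in the log means.
ID_TYPE = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID",
           2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

# Well-known SIDs that winbind resolves without an AD gidNumber/idmap entry.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}

SID_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1-[\d-]+)")
FAIL_RE = re.compile(
    r"Unable to convert SID \((S-1-[\d-]+)\) at index (\d+) .*?returned as type (\d+)")


def parse_token(log: str) -> dict:
    """Return the token SIDs (index -> SID) and the failing SID/index/type."""
    sids = {int(i): s for i, s in SID_RE.findall(log)}
    failed = None
    m = FAIL_RE.search(log)
    if m:
        failed = {"sid": m.group(1), "index": int(m.group(2)),
                  "type": ID_TYPE.get(int(m.group(3)), "unknown")}
    return {"sids": sids, "failed": failed}


def classify(sid: str, index: int) -> str:
    """Index 0 is the user's own SID (needs a UID); every other SID needs a GID."""
    if sid in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[sid]
    rid = sid.rsplit("-", 1)[1]
    if index == 0:
        return f"user object (RID {rid}) -> needs a UID"
    if rid == "513":
        return "Domain Users (primary group) -> needs a GID"
    return f"domain group (RID {rid}) -> needs a GID from gidNumber or idmap.ldb"


def report(log: str) -> list:
    """One line per SID in token order, marking the SID the DC could not convert."""
    parsed = parse_token(log)
    failed = parsed["failed"]
    lines = []
    for idx, sid in sorted(parsed["sids"].items()):
        mark = ""
        if failed and failed["index"] == idx and failed["sid"] == sid:
            mark = f"  <-- FAILED ({failed['type']})"
        lines.append(f"[{idx}] {sid}: {classify(sid, idx)}{mark}")
    return lines


def wbinfo_commands(log: str) -> list:
    """wbinfo calls to check each domain group SID on the DC."""
    parsed = parse_token(log)
    return [["wbinfo", "--sid-to-gid", sid]
            for idx, sid in sorted(parsed["sids"].items())
            if idx != 0 and sid not in WELL_KNOWN]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    if shutil.which("wbinfo"):  # only on a host with Samba installed
        for cmd in wbinfo_commands(SAMPLE_LOG):
            res = subprocess.run(cmd, capture_output=True, text=True)
            print(" ".join(cmd), "->", (res.stdout or res.stderr).strip())
```

Run it on the DC with the real log pasted into SAMPLE_LOG (or read from a file); a group whose `wbinfo --sid-to-gid` fails while `id` on the command line omits that group is the mapping to inspect, and the script's per-SID lines give the RIDs to look up in AD.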