Rowland Penny
2022-Apr-11 10:51 UTC
[Samba] Unable to convert SID at index 2 in user token to a GID
On Mon, 2022-04-11 at 11:10 +0100, Sebastian Arcus via samba wrote:
> On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
> > I have a Samba 4.12.0 setup as AD DC with file sharing which has been
> > working fine for about 2 years. Last week, while testing a GPO on the
> > server and having to restart Samba a few times, it stopped allowing
> > users to access network shares. When I try to access network shares from
> > the Windows clients, I get the following:
> >
> > "The security ID structure is invalid"
> >
> > The following lines show up in the log in the Samba server:
> >
> > [2022/04/11 09:46:45.560164, 0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
> > Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
> > [2022/04/11 09:46:45.560319, 0] ../../libcli/security/security_token.c:56(security_token_debug)
> > Security token SIDs (9):
> > SID[ 0]: S-1-5-21-138851786-1502048827-544947111-1007
> > SID[ 1]: S-1-5-21-138851786-1502048827-544947111-513
> > SID[ 2]: S-1-5-21-138851786-1502048827-544947111-1115
> > SID[ 3]: S-1-5-21-138851786-1502048827-544947111-1117
> > SID[ 4]: S-1-1-0
> > SID[ 5]: S-1-5-2
> > SID[ 6]: S-1-5-11
> > SID[ 7]: S-1-5-32-545
> > SID[ 8]: S-1-5-32-554
> > Privileges (0x 800000):
> > Privilege[ 0]: SeChangeNotifyPrivilege
> > Rights (0x 400):
> > Right[ 0]: SeRemoteInteractiveLogonRight
>
> Some further info, which I assume is connected somehow. If I look up a
> user on the command line with 'id', it only shows as being part of the
> "Domain Users" group. But if I look it up through RSAT on Windows, it
> shows the additional groups it is part of. If I try to add it again to
> the groups it is supposed to be part of, using samba-tool, I get the
> following error:
>
> ERROR: Failed to add members ['alan'] to group "ap-shares" - (68, 'Attribute member already exists for target GUID d37dcc81-314c-46d9-885c-1d200879e746')

This looks like a problem with user & group mapping, what are you using
for authentication, nslcd, sssd or winbind.

Also 4.12.x is EOL as far as Samba is concerned, is there any way you
can upgrade Samba ?

Rowland
Sebastian Arcus
2022-Apr-11 11:05 UTC
[Samba] Unable to convert SID at index 2 in user token to a GID
On 11/04/2022 11:51, Rowland Penny via samba wrote:
> On Mon, 2022-04-11 at 11:10 +0100, Sebastian Arcus via samba wrote:
>> On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
>>> I have a Samba 4.12.0 setup as AD DC with file sharing which has been
>>> working fine for about 2 years. Last week, while testing a GPO on the
>>> server and having to restart Samba a few times, it stopped allowing
>>> users to access network shares. When I try to access network shares from
>>> the Windows clients, I get the following:
>>>
>>> "The security ID structure is invalid"
>>>
>>> The following lines show up in the log in the Samba server:
>>>
>>> [2022/04/11 09:46:45.560164, 0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
>>> Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
>>> [2022/04/11 09:46:45.560319, 0] ../../libcli/security/security_token.c:56(security_token_debug)
>>> Security token SIDs (9):
>>> SID[ 0]: S-1-5-21-138851786-1502048827-544947111-1007
>>> SID[ 1]: S-1-5-21-138851786-1502048827-544947111-513
>>> SID[ 2]: S-1-5-21-138851786-1502048827-544947111-1115
>>> SID[ 3]: S-1-5-21-138851786-1502048827-544947111-1117
>>> SID[ 4]: S-1-1-0
>>> SID[ 5]: S-1-5-2
>>> SID[ 6]: S-1-5-11
>>> SID[ 7]: S-1-5-32-545
>>> SID[ 8]: S-1-5-32-554
>>> Privileges (0x 800000):
>>> Privilege[ 0]: SeChangeNotifyPrivilege
>>> Rights (0x 400):
>>> Right[ 0]: SeRemoteInteractiveLogonRight
>>
>> Some further info, which I assume is connected somehow. If I look up a
>> user on the command line with 'id', it only shows as being part of the
>> "Domain Users" group. But if I look it up through RSAT on Windows, it
>> shows the additional groups it is part of. If I try to add it again to
>> the groups it is supposed to be part of, using samba-tool, I get the
>> following error:
>>
>> ERROR: Failed to add members ['alan'] to group "ap-shares" - (68, 'Attribute member already exists for target GUID d37dcc81-314c-46d9-885c-1d200879e746')
>
> This looks like a problem with user & group mapping, what are you using
> for authentication, nslcd, sssd or winbind.

Thank you for the quick reply. I will guess I am using winbind, as the
other two don't sound remotely familiar from the time I've set up Samba
on this server using classic upgrade. If it helps, I am using the
following in /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind

> Also 4.12.x is EOL as far as Samba is concerned, is there any way you
> can upgrade Samba ?

Right at this moment upgrading this server would be a headache, as there
is other software running on it which would need upgrading at the same
time. If there is no other option, I could look into upgrading it, but if
I could figure out what is happening first, that would be preferable.
Sebastian Arcus
2022-Apr-12 10:59 UTC
[Samba] Unable to convert SID at index 2 in user token to a GID
On 11/04/2022 11:51, Rowland Penny via samba wrote:
> On Mon, 2022-04-11 at 11:10 +0100, Sebastian Arcus via samba wrote:
>> On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
>>> I have a Samba 4.12.0 setup as AD DC with file sharing which has been
>>> working fine for about 2 years. Last week, while testing a GPO on the
>>> server and having to restart Samba a few times, it stopped allowing
>>> users to access network shares. When I try to access network shares from
>>> the Windows clients, I get the following:
>>>
>>> "The security ID structure is invalid"
>>>
>>> The following lines show up in the log in the Samba server:
>>>
>>> [2022/04/11 09:46:45.560164, 0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
>>> Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
>>> [2022/04/11 09:46:45.560319, 0] ../../libcli/security/security_token.c:56(security_token_debug)
>>> Security token SIDs (9):
>>> SID[ 0]: S-1-5-21-138851786-1502048827-544947111-1007
>>> SID[ 1]: S-1-5-21-138851786-1502048827-544947111-513
>>> SID[ 2]: S-1-5-21-138851786-1502048827-544947111-1115
>>> SID[ 3]: S-1-5-21-138851786-1502048827-544947111-1117
>>> SID[ 4]: S-1-1-0
>>> SID[ 5]: S-1-5-2
>>> SID[ 6]: S-1-5-11
>>> SID[ 7]: S-1-5-32-545
>>> SID[ 8]: S-1-5-32-554
>>> Privileges (0x 800000):
>>> Privilege[ 0]: SeChangeNotifyPrivilege
>>> Rights (0x 400):
>>> Right[ 0]: SeRemoteInteractiveLogonRight
>>
>> Some further info, which I assume is connected somehow. If I look up a
>> user on the command line with 'id', it only shows as being part of the
>> "Domain Users" group. But if I look it up through RSAT on Windows, it
>> shows the additional groups it is part of. If I try to add it again to
>> the groups it is supposed to be part of, using samba-tool, I get the
>> following error:
>>
>> ERROR: Failed to add members ['alan'] to group "ap-shares" - (68, 'Attribute member already exists for target GUID d37dcc81-314c-46d9-885c-1d200879e746')
>
> This looks like a problem with user & group mapping, what are you using
> for authentication, nslcd, sssd or winbind.

Is the user & group mapping stored in a particular file - is it possible
to delete it and will it be rebuilt automatically? Or maybe restore it
from a backup - I have nightly backups of the entire /var/lib/samba, if
that helps.
Sebastian Arcus
2022-Apr-13 12:01 UTC
[Samba] Unable to convert SID at index 2 in user token to a GID
On 11/04/2022 11:51, Rowland Penny via samba wrote:
> On Mon, 2022-04-11 at 11:10 +0100, Sebastian Arcus via samba wrote:
>> On 11/04/2022 10:02, Sebastian Arcus via samba wrote:
>>> I have a Samba 4.12.0 setup as AD DC with file sharing which has been
>>> working fine for about 2 years. Last week, while testing a GPO on the
>>> server and having to restart Samba a few times, it stopped allowing
>>> users to access network shares. When I try to access network shares from
>>> the Windows clients, I get the following:
>>>
>>> "The security ID structure is invalid"
>>>
>>> The following lines show up in the log in the Samba server:
>>>
>>> [2022/04/11 09:46:45.560164, 0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
>>> Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
>>> [2022/04/11 09:46:45.560319, 0] ../../libcli/security/security_token.c:56(security_token_debug)
>>> Security token SIDs (9):
>>> SID[ 0]: S-1-5-21-138851786-1502048827-544947111-1007
>>> SID[ 1]: S-1-5-21-138851786-1502048827-544947111-513
>>> SID[ 2]: S-1-5-21-138851786-1502048827-544947111-1115
>>> SID[ 3]: S-1-5-21-138851786-1502048827-544947111-1117
>>> SID[ 4]: S-1-1-0
>>> SID[ 5]: S-1-5-2
>>> SID[ 6]: S-1-5-11
>>> SID[ 7]: S-1-5-32-545
>>> SID[ 8]: S-1-5-32-554
>>> Privileges (0x 800000):
>>> Privilege[ 0]: SeChangeNotifyPrivilege
>>> Rights (0x 400):
>>> Right[ 0]: SeRemoteInteractiveLogonRight
>>
>> Some further info, which I assume is connected somehow. If I look up a
>> user on the command line with 'id', it only shows as being part of the
>> "Domain Users" group. But if I look it up through RSAT on Windows, it
>> shows the additional groups it is part of. If I try to add it again to
>> the groups it is supposed to be part of, using samba-tool, I get the
>> following error:
>>
>> ERROR: Failed to add members ['alan'] to group "ap-shares" - (68, 'Attribute member already exists for target GUID d37dcc81-314c-46d9-885c-1d200879e746')
>
> This looks like a problem with user & group mapping, what are you using
> for authentication, nslcd, sssd or winbind.

Just an update on this. It turns out I broke this while trying to fix
another initial problem. I replaced the file
/var/lib/samba/private/idmap.ldb with one from a previous backup - which
broke user & group mapping. I have restored the proper file and this
particular error message has gone away. Sorry for the noise and thank you
for the helpful hints.
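The failure in this thread (a stale idmap.ldb leaving a domain group SID with no GID) shows up in log.samba as the security_token_to_unix_token error followed by a security_token_debug dump. As an added example, not code from the thread or from Samba, the parser below pulls the failing SID out of such a log, confirms it matches the indexed entry of the dump that follows, and lists the same-domain SIDs an admin should verify with winbind before touching idmap.ldb. SAMPLE_LOG is constructed from the lines quoted above and assumes Samba's usual layout of a header line followed by indented message lines.

```python
import re

# Constructed sample: the two log.samba entries quoted in the thread, laid
# out as Samba writes them (assumed: header line, then indented message).
SAMPLE_LOG = """\
[2022/04/11 09:46:45.560164,  0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
  Unable to convert SID (S-1-5-21-138851786-1502048827-544947111-1115) at index 2 in user token to a GID.  Conversion was returned as type 0, full token:
[2022/04/11 09:46:45.560319,  0] ../../libcli/security/security_token.c:56(security_token_debug)
  Security token SIDs (9):
  SID[ 0]: S-1-5-21-138851786-1502048827-544947111-1007
  SID[ 1]: S-1-5-21-138851786-1502048827-544947111-513
  SID[ 2]: S-1-5-21-138851786-1502048827-544947111-1115
  SID[ 3]: S-1-5-21-138851786-1502048827-544947111-1117
  SID[ 4]: S-1-1-0
  SID[ 5]: S-1-5-2
  SID[ 6]: S-1-5-11
  SID[ 7]: S-1-5-32-545
  SID[ 8]: S-1-5-32-554
  Privileges (0x 800000):
"""

FAIL_RE = re.compile(r"Unable to convert SID \((S-[\d-]+)\) at index (\d+) in user token to a GID")
SID_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-[\d-]+)")

def parse_token_failures(log_text):
    """One record per 'Unable to convert SID' error: the failing SID and index,
    the user's domain SID, and every same-domain SID in the dumped token."""
    results, lines = [], log_text.splitlines()
    for i, line in enumerate(lines):
        m = FAIL_RE.search(line)
        if not m:
            continue
        failing_sid, idx = m.group(1), int(m.group(2))
        token = {}  # index -> SID, from the security_token_debug dump that follows
        for later in lines[i + 1:]:
            s = SID_RE.search(later)
            if s:
                token[int(s.group(1))] = s.group(2)
            elif token:  # the SID list is over once a non-SID line follows it
                break
        user_sid = token.get(0, "")
        domain = user_sid.rsplit("-", 1)[0]  # drop the RID: S-1-5-21-<domain>
        results.append({
            "failing_sid": failing_sid, "index": idx,
            "index_matches": token.get(idx) == failing_sid,
            "domain_sid": domain,
            "same_domain": failing_sid.startswith(domain + "-"),
            # SIDs that this DC must resolve through its own idmap.ldb
            "check_sids": [sid for sid in token.values() if sid.startswith(domain + "-")],
        })
    return results
```

The `check_sids` list is what an admin would feed to `wbinfo --sid-to-gid` on the DC to see which of the domain SIDs in the token winbind can no longer map.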