Have you tried:
min domain uid = 0
in smb.conf?
On 03.08.23 13:03, basti via samba wrote:
> Hello,
> I have installed a new DC on Debian bookworm (samba 4.17.9+dfsg-0+deb12u3)
> all seems to work fine but I can't list shares.
>
>
> root@dc1:/var/log/samba# wbinfo -u
> NET\administrator
> NET\guest
> NET\krbtgt
> NET\dns-dc1
>
> root@dc1:/var/log/samba# wbinfo --ping-dc
> checking the NETLOGON for domain[NET] dc connection to "dc1.net.example.com" succeeded
> root@dc1:/var/log/samba#
>
> root@dc1:/var/log/samba# net getdomainsid
> SID for domain NET is: S-1-5-21-3026428385-3353875275-5460633
> root@dc1:/var/log/samba#
>
>
> root@dc1:/var/log/samba# smbclient -L localhost -U%
> session setup failed: NT_STATUS_INVALID_SID
> root@dc1:/var/log/samba#
>
> root@dc1:/var/log/samba# smbclient //localhost/netlogon -UAdministrator -c 'ls'
> Password for [NET\Administrator]:
> session setup failed: NT_STATUS_INVALID_SID
> root@dc1:/var/log/samba#
>
>
> In the logs I can see:
>
> [2023/08/03 12:59:41.215865,  0] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
>   Unable to convert SID (S-1-5-64-10) at index 3 in user token to a GID.  Conversion was returned as type 0, full token:
> [2023/08/03 12:59:41.215907,  0] ../../libcli/security/security_token.c:51(security_token_debug)
>   Security token SIDs (4):
>     SID[  0]: S-1-5-7
>     SID[  1]: S-1-1-0
>     SID[  2]: S-1-5-2
>     SID[  3]: S-1-5-64-10
>    Privileges (0x               0):
>    Rights (0x               0):
> [2023/08/03 13:00:39.684728,  0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
>
> or
>
> [2023/08/03 13:00:39.684728,  0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
>   Unable to convert first SID (S-1-5-21-3026428385-3353875275-5460633-500) in user token to a UID.  Conversion was returned as type 0, full token:
> [2023/08/03 13:00:39.684765,  0] ../../libcli/security/security_token.c:51(security_token_debug)
>   Security token SIDs (14):
>     SID[  0]: S-1-5-21-3026428385-3353875275-5460633-500
>     SID[  1]: S-1-5-21-3026428385-3353875275-5460633-513
>     SID[  2]: S-1-5-21-3026428385-3353875275-5460633-512
>     SID[  3]: S-1-5-21-3026428385-3353875275-5460633-572
>     SID[  4]: S-1-5-21-3026428385-3353875275-5460633-518
>     SID[  5]: S-1-5-21-3026428385-3353875275-5460633-519
>     SID[  6]: S-1-5-21-3026428385-3353875275-5460633-520
>     SID[  7]: S-1-1-0
>     SID[  8]: S-1-5-2
>     SID[  9]: S-1-5-11
>     SID[ 10]: S-1-5-64-10
>     SID[ 11]: S-1-5-32-544
>     SID[ 12]: S-1-5-32-545
>     SID[ 13]: S-1-5-32-554
>    Privileges (0x        1FFFFF00):
>     Privilege[  0]: SeTakeOwnershipPrivilege
>     Privilege[  1]: SeBackupPrivilege
>     Privilege[  2]: SeRestorePrivilege
>     Privilege[  3]: SeRemoteShutdownPrivilege
>     Privilege[  4]: SeSecurityPrivilege
>     Privilege[  5]: SeSystemtimePrivilege
>     Privilege[  6]: SeShutdownPrivilege
>     Privilege[  7]: SeDebugPrivilege
>     Privilege[  8]: SeSystemEnvironmentPrivilege
>     Privilege[  9]: SeSystemProfilePrivilege
>     Privilege[ 10]: SeProfileSingleProcessPrivilege
>     Privilege[ 11]: SeIncreaseBasePriorityPrivilege
>     Privilege[ 12]: SeLoadDriverPrivilege
>     Privilege[ 13]: SeCreatePagefilePrivilege
>     Privilege[ 14]: SeIncreaseQuotaPrivilege
>     Privilege[ 15]: SeChangeNotifyPrivilege
>     Privilege[ 16]: SeUndockPrivilege
>     Privilege[ 17]: SeManageVolumePrivilege
>     Privilege[ 18]: SeImpersonatePrivilege
>     Privilege[ 19]: SeCreateGlobalPrivilege
>     Privilege[ 20]: SeEnableDelegationPrivilege
>    Rights (0x             403):
>     Right[  0]: SeInteractiveLogonRight
>     Right[  1]: SeNetworkLogonRight
>     Right[  2]: SeRemoteInteractiveLogonRight
>
>
>
>
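
Added example, not part of the original thread and not Samba code: a small parser for the `security_token_to_unix_token` failures quoted above. It extracts each SID that could not be mapped to a Unix id and names it from the standard well-known SID and RID values. The function names and the `DOMAIN\` prefix are assumptions of this example.

```python
import re

# Standard well-known SIDs and domain RIDs that appear in the quoted token dumps.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "Network",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
DOMAIN_RIDS = {
    500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    572: "Denied RODC Password Replication Group",
}
FAIL_RE = re.compile(
    r"Unable to convert (?:first )?SID \((S-[\d-]+)\)(?: at index (\d+))? "
    r"in user token to a ([UG]ID)")

def name_sid(sid):
    # "DOMAIN" is a placeholder prefix chosen for this example.
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if m:
        rid = int(m.group(1))
        return "DOMAIN\\" + DOMAIN_RIDS.get(rid, f"RID {rid}")
    return "unknown"

def find_failures(log_text):
    """Return one dict per SID that could not be mapped to a Unix id."""
    flat = " ".join(log_text.split())  # log lines wrap; undo that first
    return [{"sid": sid, "name": name_sid(sid),
             "index": int(idx) if idx else 0, "wanted": kind}
            for sid, idx, kind in FAIL_RE.findall(flat)]

# Excerpt of the log quoted above, with padding normalised to plain spaces.
SAMPLE_LOG = """\
  Unable to convert SID (S-1-5-64-10) at index 3 in user token to a
  GID.  Conversion was returned as type 0, full token:
  Unable to convert first SID
  (S-1-5-21-3026428385-3353875275-5460633-500) in user token to a UID.
"""
if __name__ == "__main__":
    for f in find_failures(SAMPLE_LOG):
        print(f"{f['wanted']} mapping failed for {f['sid']} ({f['name']})")
```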