[Samba] The security id structure is invalid

Ron García-Vidal via samba
Oct 4, 2016, 2:30:03 PM
I recently upgraded Samba on my DC from a working 4.3 installation to
4.5.0. Once done, I followed the instructions here:

https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes

and ran:

samba-tool dbcheck --cross-ncs --fix --yes

After that, I can no longer access the shares on this machine. I get the
"Security ID structure is invalid" error above. In addition, the RSAT
can't speak to the DC, and other linux boxes (running sssd) are saying
"Authentication server cannot be found".

I am able to access the server using an ldap browser and am trying to
piece my way to fixing this, but am coming up empty handed. This is my
home server and only has three users, so I could technically wipe and
rebuild the server, but since I have many clients who use Samba, I would
like to figure out how to fix this in case it comes up again.

The syslog is giving the following errors:

Oct 4 13:56:15 harleyquinn smbd[17702]: Unable to convert SID
(S-1-5-11) at index 5 in user token to a GID. Conversion was returned
as type 0, full token:
Oct 4 13:56:15 harleyquinn smbd[17702]: [2016/10/04 13:56:15.283772,
0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 4 13:56:15 harleyquinn smbd[17702]: Security token SIDs (8):
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 0]:
S-1-5-21-1319907214-2951884047-2640289736-1105
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 1]:
S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 2]:
S-1-5-21-1319907214-2951884047-2640289736-513
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 3]: S-1-1-0
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 4]: S-1-5-2
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 5]: S-1-5-11
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 6]: S-1-5-32-545
Oct 4 13:56:15 harleyquinn smbd[17702]: SID[ 7]: S-1-5-32-554
Oct 4 13:56:15 harleyquinn smbd[17702]: Privileges (0x 800000):
Oct 4 13:56:15 harleyquinn smbd[17702]: Privilege[ 0]:
SeChangeNotifyPrivilege
Oct 4 13:56:15 harleyquinn smbd[17702]: Rights (0x 400):
Oct 4 13:56:15 harleyquinn smbd[17702]: Right[ 0]:
SeRemoteInteractiveLogonRight
Oct 4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367502,
0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Oct 4 13:56:15 harleyquinn smbd[17703]: Unable to convert SID
(S-1-5-11) at index 5 in user token to a GID. Conversion was returned
as type 0, full token:
Oct 4 13:56:15 harleyquinn smbd[17703]: [2016/10/04 13:56:15.367835,
0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 4 13:56:15 harleyquinn smbd[17703]: Security token SIDs (8):
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 0]:
S-1-5-21-1319907214-2951884047-2640289736-1105
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 1]:
S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 2]:
S-1-5-21-1319907214-2951884047-2640289736-513
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 3]: S-1-1-0
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 4]: S-1-5-2
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 5]: S-1-5-11
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 6]: S-1-5-32-545
Oct 4 13:56:15 harleyquinn smbd[17703]: SID[ 7]: S-1-5-32-554
Oct 4 13:56:15 harleyquinn smbd[17703]: Privileges (0x 800000):
Oct 4 13:56:15 harleyquinn smbd[17703]: Privilege[ 0]:
SeChangeNotifyPrivilege
Oct 4 13:56:15 harleyquinn smbd[17703]: Rights (0x 400):
Oct 4 13:56:15 harleyquinn smbd[17703]: Right[ 0]:
SeRemoteInteractiveLogonRight

These are repeated for various SIDs.

Also, the samba-tool dbcheck is unable to fix the following:

ERROR: incorrect GUID component for member in object CN=Domain
Admins,CN=Users,DC=dc1,DC=evilgenius,DC=net -
<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net

Change DN to
<GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
ERROR: Failed to fix incorrect GUID on attribute member : (53,
'Attribute member already deleted for target GUID
a8e1e07a-cab8-4222-a024-97d59084268b')

I'm not even sure where to start fixing this and am not finding anything
similar via google.

-Ron

--

Riomar Group <http://www.riomargroup.com>
Ron García-Vidal | President | Riomar Group
(A NYC, NYS & PANYNJ Certified MBE & DBE)
1315 Prospect Ave., First Floor | Brooklyn, NY 11218
7400 SW 50th Street, Unit 304 | Miami, FL 33155
(347) 746-6276 | www.riomargroup.com <http://www.riomargroup.com>
r...@riomargroup.com <mailto:r...@riomargroup.com>


Rowland Penny via samba
Oct 4, 2016, 2:50:03 PM

It looks like you have a dangling link for a member of Domain Admins
that has been deleted.

Try searching AD for 'S-1-5-21-1319907214-2951884047-2640289736-1117'
and if it doesn't exist, see if you can identify the user in the Domain
Admins object and delete that.
Back everything up first.

Rowland

Ron García-Vidal via samba
Oct 4, 2016, 5:10:03 PM

On 10/4/16 2:40 PM, Rowland Penny via samba wrote:
> On Tue, 4 Oct 2016 14:00:02 -0400
> Ron García-Vidal via samba <sa...@lists.samba.org> wrote:
>
>> ERROR: incorrect GUID component for member in object CN=Domain
>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -

>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>
>> Change DN to
>> <GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<SID=S-1-5-21-1319907214-2951884047-2640289736-1117>;CN=LDAP
>> User,CN=Users,DC=dc1,DC=mydomain,DC=net? [YES]
>> ERROR: Failed to fix incorrect GUID on attribute member : (53,
>> 'Attribute member already deleted for target GUID
>> a8e1e07a-cab8-4222-a024-97d59084268b')
>>
>> I'm not even sure where to start fixing this and am not finding
>> anything similar via google.
>>
>> -Ron
>>
>>
>>
> It looks like you have a dangling link for a member of Domain Admins
> that has been deleted.
>
> Try searching AD for 'S-1-5-21-1319907214-2951884047-2640289736-1117'
> and if it doesn't exist, see if you can identify the user in the Domain
> Admins object and delete that.
> Back everything up first.
>
>
The DN indicated is a user called LDAP User that I created to interact
with the LDAP. And that user's SID is the one ending in 1117. The thing
is, that user isn't in "members" of the Domain Admins. The only users in
that group are Administrator and my user account. I tried adding LDAP
User to the Domain Admins group and removing it, the problem still persists.

To add to this, when I run the samba-tool dbcheck without the --fix
option, I get two additional entries:

ERROR: incorrect GUID component for member in object CN=Domain
Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net

Not fixing incorrect GUID
ERROR: incorrect DN SID component for member in object CN=Schema
Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
<GUID=6ac4027a-0250-4019-a2a8-12cc03497f7f>;<RMD_ADDTIME=130335204740000000>;<RMD_CHANGETIME=130335284920000000>;<RMD_FLAGS=1>;<RMD_INVOCID=bf3306c6-bbc7-40c7-b63f-9b2c6f6ffe2a>;<RMD_LOCAL_USN=6243>;<RMD_ORIGINATING_USN=6243>;<RMD_VERSION=3>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing SID component mismatch
ERROR: incorrect DN SID component for member in object CN=Domain
Users,CN=Users,DC=dc1,DC=mydomain,DC=net -
<GUID=7a02c46a50021940a2a812cc03497f7f>;<RMD_ADDTIME=130335204750000000>;<RMD_CHANGETIME=130335204750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6230>;<RMD_ORIGINATING_USN=6230>;<RMD_VERSION=1>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net
Not fixing SID component mismatch

In all three cases, the CN is LDAP User, but 1) LDAP User is not in any
of these three groups and 2) the GUID component listed is different
(what does the GUID refer to? I'm not seeing it in LDAP. I am seeing an
objectGUID, is that the same thing?)

-Ron

Ron García-Vidal via samba
Oct 5, 2016, 10:50:03 AM
Here is some more information that could be helpful. This is the entry
for LDAP User in ldbedit:

# record 253
dn: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: LDAP User
sn: User
givenName: LDAP
instanceType: 4
whenCreated: 20140106220805.0Z
displayName: LDAP User
uSNCreated: 6218
name: LDAP User
objectGUID: 6ac4027a-0250-4019-a2a8-12cc03497f7f
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-1319907214-2951884047-2640289736-1117
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: LDAPUser
sAMAccountType: 805306368
userPrincipalName: LDAP...@dc1.mydomain.net
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
pwdLastSet: 130335199430000000
lockoutTime: 0
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
primaryGroupID: 514
whenChanged: 20140107003451.0Z
uSNChanged: 6241
distinguishedName: CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net

Here is the entry for Domain Admins:

# record 70
dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
instanceType: 4
whenCreated: 20131130221548.0Z
uSNCreated: 3549
name: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory:
CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication
Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
whenChanged: 20161004204939.0Z
uSNChanged: 49368
distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net

I'm not really understanding where the dbcheck errors are coming from.
Please let me know if further log info would be helpful.

-Ron

Rowland Penny via samba
Oct 5, 2016, 11:30:04 AM

I don't know if this is part of your problem, but why is the
primaryGroupID of LDAPUser 'Domain Guests' ??
Try changing it to 513 (Domain Users)

Rowland

Ron García-Vidal via samba
Oct 5, 2016, 11:40:03 AM
I get the following error from both ldbedit and from ldapadmin:

failed to modify CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net - error
in module samldb: Unwilling to perform during LDB_MODIFY

Ron García-Vidal via samba
Oct 6, 2016, 12:40:03 PM
In trying to sort through this myself, I seem to be missing something.
Can anyone shed light on why samba-tool dbcheck gives me this message?

ERROR: incorrect GUID component for member in object CN=Domain
Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
User,CN=Users,DC=dc1,DC=mydomain,DC=net

The GUID that it's giving doesn't show up anywhere when I ldbedit my
sam.db. I'm trying to figure out how I can manually correct the GUID
component that it's screaming about, but I can't find anything in the
sam.db that mentions GUID other than objectGUID. Any hints?

-Ron

lingpanda101--- via samba
Oct 6, 2016, 1:00:05 PM

Ron, I haven't read through this whole thread, but is user 'LDAP User' a
deleted object? If so, it's harmless. A fix will come at some point to
remove these from 'dbcheck'. I had similar issues. See my thread

http://samba.2283325.n4.nabble.com/replPropertyMetaData-amp-KCC-issues-after-updating-to-Samba-4-5-0-td4707962.html#a4708208

--
-James

Rowland Penny via samba
Oct 6, 2016, 1:10:03 PM
On Thu, 6 Oct 2016 12:35:54 -0400

If you examine the 'Domain Admins' object in AD, you should find lines
like these:

objectGUID: 0dc3c303-b37f-4830-a1c2-d8cb7434f5d5
member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

The first is the GUID and every object in AD has one, so try searching
for your GUID in this format:

7ae0e1a8-b8ca-2242-a024-97d59084268b

If you find it, the object it is in should have a 'memberof' attribute
that contains the Domain Admins DN.

'member' and 'memberof' are linked, deleting the 'member' attribute
should delete the 'memberof' attribute, but I do not know if the
reverse works in the same way.

Rowland
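The GUID component dbcheck prints is the member's objectGUID in its packed (binary) form, and Active Directory stores the first three GUID fields little-endian, so the canonical string is not the packed hex with hyphens inserted. The following is an added example, not code from the thread or from Samba: it parses the extended DN from the ERROR line quoted above and decodes its packed GUID and SID with the standard library. The decoded GUID is the same `a8e1e07a-cab8-4222-a024-97d59084268b` that the error message names as the already-deleted target, which is the value to search for.

```python
import struct
import uuid

# Extended DN exactly as "samba-tool dbcheck" printed it in the ERROR line
# quoted in this thread (the RMD_* components are replication metadata).
EXTENDED_DN = (
    "<GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;"
    "<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;"
    "<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;"
    "<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;"
    "<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;"
    "CN=LDAP User,CN=Users,DC=dc1,DC=mydomain,DC=net"
)


def parse_extended_dn(text):
    """Split '<KEY=VALUE>;<KEY=VALUE>;plain DN' into ({KEY: VALUE}, plain DN)."""
    components = {}
    rest = text
    while rest.startswith("<"):
        end = rest.index(">")
        key, _, value = rest[1:end].partition("=")
        components[key] = value
        rest = rest[end + 1:].lstrip(";")
    return components, rest


def guid_to_string(value):
    """Packed objectGUID (32 hex chars) -> canonical hyphenated string.

    The first three GUID fields are stored little-endian, so the string
    form is not the packed hex with hyphens inserted; uuid's bytes_le
    does the byte swapping.  An already-hyphenated value is returned as is.
    """
    if "-" in value:
        return value.lower()
    return str(uuid.UUID(bytes_le=bytes.fromhex(value)))


def sid_to_string(value):
    """Packed objectSid -> 'S-1-5-21-...' string.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x uint32 little-endian.
    A value already in 'S-...' form is returned unchanged.
    """
    if value.startswith("S-"):
        return value
    raw = bytes.fromhex(value)
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed packed SID: %s" % value)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_member_link(text):
    """Return the human-readable identity components of one member link."""
    components, plain_dn = parse_extended_dn(text)
    return {
        "dn": plain_dn,
        "guid": guid_to_string(components["GUID"]),
        "sid": sid_to_string(components["SID"]) if "SID" in components else None,
        "invocation_id": guid_to_string(components["RMD_INVOCID"]),
    }


if __name__ == "__main__":
    for name, value in decode_member_link(EXTENDED_DN).items():
        print("%-14s %s" % (name, value))
```

The packed SID in this link decodes to a RID of 1116, whereas LDAP User's objectSid (and the value dbcheck proposes in its "Change DN to" line) ends in 1117, so the link's GUID and SID both disagree with the live object.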

Ron García-Vidal via samba
Oct 6, 2016, 1:50:03 PM
Thanks for this clarification. I have even searched for the string 7ae0,
because I thought the GUID would be hyphenated, and that string does not
exist in the ldb. Above I pasted the ldb entry for "LDAP User" and here are
the relevant lines from the "Domain Admins" group:

dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
cn: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
objectCategory:
CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net


memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication
Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net

So that's why the error I'm getting from the dbcheck isn't making sense.

Also, I'm assuming that this is the source of my "Security id structure
is invalid" error, but I don't actually know that. Am I barking up the
right tree?

-Ron

Ron García-Vidal via samba
Oct 6, 2016, 2:00:03 PM
Thanks for pointing me there. LDAP User is not a deleted object. Above
is the actual sam.db entry for LDAP User. From your thread, I'm
gathering that the error I'm getting shouldn't be fatal regardless, so
I'm wondering if I'm tracking down the wrong path to fix the "Security
ID structure is invalid" error.

-Ron

Rowland Penny via samba
Oct 6, 2016, 2:10:02 PM
On Thu, 6 Oct 2016 13:46:11 -0400

Does 'myuser' exist and if so, does it have a 'memberof' attribute
containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?

Rowland

Ron García-Vidal via samba
Oct 6, 2016, 2:20:02 PM
On 10/6/16 2:02 PM, Rowland Penny via samba wrote:
>
> Does 'myuser' exist and if so, does it have a 'memberof' attribute
> containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?
>
Yes to both of these.

Rowland Penny via samba
Oct 6, 2016, 2:30:02 PM
On Thu, 6 Oct 2016 14:09:20 -0400, Ron García-Vidal via samba <sa...@lists.samba.org> wrote:

> On 10/6/16 2:02 PM, Rowland Penny via samba wrote:
> >
> > Does 'myuser' exist and if so, does it have a 'memberof' attribute
> > containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?
> >
> Yes to both of these.
>

have you tried expanding your ldbsearch by adding '--cross-ncs' and
'--show-deleted'

Rowland

Ron García-Vidal via samba
Oct 6, 2016, 3:50:03 PM
On 10/6/16 2:19 PM, Rowland Penny via samba wrote:
> On Thu, 6 Oct 2016 14:09:20 -0400
> Ron García-Vidal via samba <sa...@lists.samba.org> wrote:
>
>> On 10/6/16 2:02 PM, Rowland Penny via samba wrote:
>>> Does 'myuser' exist and if so, does it have a 'memberof' attribute
>>> containing 'CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net' ?
>>>
>> Yes to both of these.
>>
> have you tried expanding your ldbsearch by adding '--cross-ncs' and
> '--show-deleted'
>
I hadn't. I didn't know about these. But using those, I still can't find
the pattern 7ae0.

-Ron

Ron García-Vidal via samba
Oct 7, 2016, 9:00:03 AM
On 10/6/16 1:54 PM, Ron García-Vidal via samba wrote:
> On 10/6/16 12:50 PM, lingpanda101--- via samba wrote:
>> On 10/6/2016 12:35 PM, Ron García-Vidal via samba wrote:
>>> On 10/5/16 11:37 AM, Ron García-Vidal via samba wrote:
>>>> On 10/5/16 11:17 AM, Rowland Penny via samba wrote:
>>>>> On Wed, 5 Oct 2016 10:37:51 -0400
>>>>> Ron García-Vidal via samba <sa...@lists.samba.org> wrote:
>>>>> In trying to sort through this myself, I seems to be missing
>>>>> something. Can anyone shed light on why samba-tool dbcheck gives
>>>>> me this message?
>>>
>>> ERROR: incorrect GUID component for member in object CN=Domain
>>> Admins,CN=Users,DC=dc1,DC=mydomain,DC=net -
>>> <GUID=7ae0e1a8b8ca2242a02497d59084268b>;<RMD_ADDTIME=130335192420000000>;<RMD_CHANGETIME=130335196040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c60633bfc7bbc740b63f9b2c6f6ffe2a>;<RMD_LOCAL_USN=6216>;<RMD_ORIGINATING_USN=6216>;<RMD_VERSION=1>;<SID=0105000000000005150000008e2fac4e0f2df2afc89f5f9d5c040000>;CN=LDAP
>>> User,CN=Users,DC=dc1,DC=mydomain,DC=net
>>>
>>> The GUID that it's giving doesn't show up anywhere when I ldbedit my
>>> sam.db. I'm trying to figure out how I can manually correct the GUID
>>> component that it's screaming about, but I can't find anything in
>>> the sam.db that mentions GUID other than objectGUID. Any hints?

Resorting to a simple grep, I have found the entry that's causing the
issue in the file
/usr/local/samba/private/sam.ldb.d/DC=DC1,DC=MYDOMAIN,DC=NET.ldb

How does this file relate to the sam.db file? Is it safe to edit this
file directly to remove the offending GUID?

lingpanda101--- via samba
Oct 7, 2016, 9:30:02 AM

See if this thread is helpful.
https://lists.samba.org/archive/samba/2015-February/189634.html

--
-James

Ron García-Vidal via samba
Oct 7, 2016, 9:30:02 AM

Looks like I have been barking up the wrong tree on this. I copied the
ldb mentioned above to a backup and manually removed the entries that
the testdb was complaining about. Testdb now comes back clean, but the
Invalid security ID structure error continues. The logs are showing
multiple instances of:


Unable to convert SID (S-1-5-11) at index 5 in user token to a GID.
Conversion was returned as type 0, full token:

I have a 74k log file that records me starting up the smbd and trying to
access a share. Is adding this as an attachment the best way to send it?

Rowland Penny via samba
Oct 7, 2016, 9:40:03 AM
On Fri, 7 Oct 2016 08:51:42 -0400

sam.ldb is the pathway into the files in sam.ldb.d and you shouldn't
directly modify the .ldb files in sam.ldb.d

Rowland

Ron García-Vidal via samba
Oct 7, 2016, 9:40:03 AM
It does explain what that file is, thanks. But it doesn't explain why I
could see the entry that testdb was complaining about there, but not
through sam.db. I guess this is just the dangling entry cleanup you
mentioned previously?

In any event, even after manually cleaning this up, the invalid ID
structure message continues. I've posted separately about that.

-Ron

Ron García-Vidal via samba
Oct 7, 2016, 10:50:04 AM
I've restored the original DBs as it seems the dbcheck error I was
focusing on was a red herring. I'm now trying to look at the "Unable to
convert SID" messages, as these are the only other errors I've seen. A
reminder that this started after I ran "samba-tool dbcheck --cross-ncs
--fix --yes" after upgrading to 4.5 as per this article:
https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes

I'm hoping to find a way to manually fix the db or hoping for a repair
tool. I'm not sure what to make of these errors.

Ron García-Vidal via samba
Oct 7, 2016, 3:10:04 PM
On 10/7/16 10:39 AM, Ron García-Vidal via samba wrote:
> I've restored the original DBs as it seems the dbcheck error I was
> focusing on was a red herring. I'm now trying to look at the "Unable
> to convert SID" messages, as these are the only other errors I've
> seen. A reminder that this started after I ran "samba-tool dbcheck
> --cross-ncs --fix --yes" after upgrading to 4.5 as per this article:
> https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
>
>
> I'm hoping to find a way to manually fix the db or hoping for a repair
> tool. I'm not sure what to make of these errors.
Picking up on my new thread, I've been investigating the log errors I'm
seeing, here is one example:

Oct 7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856473, 0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
Oct 7 09:16:27 sambaserver smbd[7612]: Unable to convert first SID (S-1-5-21-1319907214-2951884047-2640289736-1111) in user token to a UID. Conversion was returned as type 0, full token:
Oct 7 09:16:27 sambaserver smbd[7612]: [2016/10/07 09:16:27.856685, 0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 7 09:16:27 sambaserver smbd[7612]: Security token SIDs (7):
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 0]:
S-1-5-21-1319907214-2951884047-2640289736-1111
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 1]:
S-1-5-21-1319907214-2951884047-2640289736-515
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 2]: S-1-1-0
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 3]: S-1-5-2
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 4]: S-1-5-11
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 5]: S-1-5-32-554
Oct 7 09:16:27 sambaserver smbd[7612]: SID[ 6]: S-1-5-32-545
Oct 7 09:16:27 sambaserver smbd[7612]: Privileges (0x 800000):
Oct 7 09:16:27 sambaserver smbd[7612]: Privilege[ 0]:
SeChangeNotifyPrivilege
Oct 7 09:16:27 sambaserver smbd[7612]: Rights (0x 400):
Oct 7 09:16:27 sambaserver smbd[7612]: Right[ 0]:
SeRemoteInteractiveLogonRight

Here is what the SID looks like in the idmap.ldb:
dn: CN=S-1-5-21-1319907214-2951884047-2640289736-1111
cn: S-1-5-21-1319907214-2951884047-2640289736-1111
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-1111
type: ID_TYPE_BOTH
xidNumber: 3000033
distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-1111

This SID doesn't show up in the sam.ldb. Is this something that I
manually have to hunt down the mismatched or is there a way to repair
the idmap.ldb?

Rowland Penny via samba
Oct 7, 2016, 3:40:02 PM
On Fri, 7 Oct 2016 14:58:24 -0400, Ron García-Vidal via samba <sa...@lists.samba.org> wrote:

idmap.ldb is very easy to repair, just open it in ldbedit, find the sid
and delete the entire object, close and save.

If the user/group does exist in sam.ldb, it will be recreated in
idmap.ldb, but with a different ID number.

Rowland

Ron García-Vidal via samba
Oct 7, 2016, 4:00:02 PM
On 10/7/16 3:30 PM, Rowland Penny via samba wrote:
> idmap.ldb is very easy to repair, just open it in ldbedit, find the sid
> and delete the entire object, close and save.
>
> If the user/group does exist in sam.ldb, it will be recreated in
> idmap.ldb, but with a different ID number.
>
Ok, I fixed the issue with the SID ending in 1111, but this one remains
(and the "Security ID structure is invalid" message continues):

Oct 7 15:39:05 sambaserver smbd[8087]: Unable to convert SID (S-1-5-21-1319907214-2951884047-2640289736-512) at index 2 in user token to a GID. Conversion was returned as type 0, full token:
Oct 7 15:39:05 sambaserver smbd[8087]: [2016/10/07 15:39:05.688406, 0] ../libcli/security/security_token.c:63(security_token_debug)
Oct 7 15:39:05 sambaserver smbd[8087]: Security token SIDs (14):
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 0]:
S-1-5-21-1319907214-2951884047-2640289736-1104
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 1]:
S-1-5-21-1319907214-2951884047-2640289736-1107
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 2]:
S-1-5-21-1319907214-2951884047-2640289736-512
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 3]:
S-1-5-21-1319907214-2951884047-2640289736-572
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 4]:
S-1-5-21-1319907214-2951884047-2640289736-520
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 5]:
S-1-5-21-1319907214-2951884047-2640289736-513
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 6]: S-1-1-0
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 7]: S-1-5-2
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 8]: S-1-5-11
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 9]: S-1-5-32-544
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 10]: S-1-5-32-550
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 11]: S-1-5-32-551
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 12]: S-1-5-32-545
Oct 7 15:39:05 sambaserver smbd[8087]: SID[ 13]: S-1-5-32-554
Oct 7 15:39:05 sambaserver smbd[8087]: Privileges (0x 1FFFFF80):
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 0]:
SeTakeOwnershipPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 1]:
SeBackupPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 2]:
SeRestorePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 3]:
SeRemoteShutdownPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 4]:
SeDiskOperatorPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 5]:
SeSecurityPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 6]:
SeSystemtimePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 7]:
SeShutdownPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 8]: SeDebugPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 9]:
SeSystemEnvironmentPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 10]:
SeSystemProfilePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 11]:
SeProfileSingleProcessPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 12]:
SeIncreaseBasePriorityPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 13]:
SeLoadDriverPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 14]:
SeCreatePagefilePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 15]:
SeIncreaseQuotaPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 16]:
SeChangeNotifyPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 17]:
SeUndockPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 18]:
SeManageVolumePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 19]:
SeImpersonatePrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 20]:
SeCreateGlobalPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Privilege[ 21]:
SeEnableDelegationPrivilege
Oct 7 15:39:05 sambaserver smbd[8087]: Rights (0x 403):
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 0]:
SeInteractiveLogonRight
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 1]: SeNetworkLogonRight
Oct 7 15:39:05 sambaserver smbd[8087]: Right[ 2]:
SeRemoteInteractiveLogonRight

The SID ending in 512 is the Domain Admins group. Here's what it looks
like in sam.ldb:

dn: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
instanceType: 4
whenCreated: 20131130221548.0Z
uSNCreated: 3549
name: Domain Admins
objectGUID: 25f47625-a8b0-4a1e-b769-9be7069efcdd
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
adminCount: 1
sAMAccountName: Domain Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory:
CN=Group,CN=Schema,CN=Configuration,DC=dc1,DC=mydomain,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=dc1,DC=mydomain,DC=net
memberOf: CN=Denied RODC Password Replication
Group,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=Administrator,CN=Users,DC=dc1,DC=mydomain,DC=net
member: CN=myuser,CN=Users,DC=dc1,DC=mydomain,DC=net
whenChanged: 20161004204939.0Z
uSNChanged: 49368
distinguishedName: CN=Domain Admins,CN=Users,DC=dc1,DC=mydomain,DC=net

And here's what it looks like in idmap.ldb:

dn: CN=S-1-5-21-1319907214-2951884047-2640289736-512
cn: S-1-5-21-1319907214-2951884047-2640289736-512
objectClass: sidMap
objectSid: S-1-5-21-1319907214-2951884047-2640289736-512
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-1319907214-2951884047-2640289736-512

Rowland Penny via samba
Oct 8, 2016, 4:10:03 AM
On Fri, 7 Oct 2016 15:58:06 -0400, Ron García-Vidal via samba <sa...@lists.samba.org> wrote:

Try running this on the DC:

wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512

Rowland

Ron García-Vidal via samba
Oct 8, 2016, 10:00:02 AM
On 10/8/16 3:55 AM, Rowland Penny via samba wrote:
> Try running this on the DC:
> wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512
>
Winbind is not running on the DC, it's only using sssd. I get: failed to
call wbcSidToGid: WBC_ERR_WINBIND_NOT_AVAILABLE

This was also the case before the 4.3 to 4.5 upgrade.

-Ron

Rowland Penny via samba
Oct 8, 2016, 10:40:02 AM
On Sat, 8 Oct 2016 09:58:10 -0400, Ron García-Vidal via samba <sa...@lists.samba.org> wrote:

> On 10/8/16 3:55 AM, Rowland Penny via samba wrote:
> > Try running this on the DC:
> > wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512
> >
> Winbind is not running on the DC, it's only using sssd. I get: failed
> to call wbcSidToGid: WBC_ERR_WINBIND_NOT_AVAILABLE
>
> This was also the case before the 4.3 to 4.5 upgrade.
>
> -Ron
>

Please post your smb.conf from the DC. The 'samba' daemon should start
winbind; if you run 'ps ax | grep winbind', you should get something
like this:

1846 ?  Ss   48:07 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1887 ?  S   135:14 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1909 ?  S     0:10 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1911 ?  S    24:12 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1917 ?  S     1:58 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

Rowland

Ron García-Vidal via samba
Oct 8, 2016, 1:10:02 PM
On 10/8/16 10:32 AM, Rowland Penny via samba wrote:
> Please post your smb.conf from the DC, the 'samba' deamon should start
> winbind, if you run 'ps ax | grep winbind', you should get something
> like this:
Sorry, Samba wasn't running when I tried that command. Here's the output:

wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1319907214-2951884047-2640289736-512 to gid

Here is my smb.conf:

# Global parameters
[global]
workgroup = MYDOMAIN
realm = DC1.MYDOMAIN.NET
netbios name = SAMBASERVER
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
time server = yes
ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd/
idmap_ldb:use rfc2307 = yes
# debug level = 9

# Winbind settings
idmap config * : backend = tdb
idmap config * : range = 30000-40000

idmap config MYDOMAIN : default = yes
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 0-200000

template shell = /bin/bash
template homedir = /home/%ACCOUNTNAME%
winbind separator = +
winbind use default domain = Yes
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
winbind offline logon = Yes

#======================= Share Definitions =======================
[netlogon]
path = /usr/local/samba/var/locks/sysvol/dc1.evilgenius.net/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

;[homes]
; comment = Home Directories
; browseable = no

Rowland Penny via samba
Oct 8, 2016, 1:20:03 PM

See inline comments:

On Sat, 8 Oct 2016 13:00:22 -0400, Ron García-Vidal via samba <sa...@lists.samba.org> wrote:

You might as well remove the next 7 lines, they do nothing on a DC

> # Winbind settings
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
>
> idmap config MYDOMAIN : default = yes
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 0-200000
>
> template shell = /bin/bash

Replace %ACCOUNTNAME% with %U

> template homedir = /home/%ACCOUNTNAME%

I would also remove the next block of lines, except possibly for the
'enum' ones

> winbind separator = +
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = Yes
> winbind offline logon = Yes
>
>
>
> #======================= Share Definitions =======================
> [netlogon]
> path
> = /usr/local/samba/var/locks/sysvol/dc1.evilgenius.net/scripts read
> only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> ;[homes]
> ; comment = Home Directories
> ; browseable = no
>
>

Can I also suggest replacing 'winbind' in the 'server services' line
with 'winbindd'

Do any of your users log into the DC ?

Rowland
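As an added example (not code from the thread or from Samba), here is a small checker that parses the [global] section of a DC's smb.conf and reports the three points Rowland raises above: idmap config lines that do nothing on a DC, %ACCOUNTNAME% in template homedir, and 'winbind' rather than 'winbindd' in server services. The embedded config is a trimmed copy of the one posted above, constructed as test input.

```python
# Trimmed copy of the smb.conf posted in this thread (constructed input).
SMB_CONF = """\
# Global parameters
[global]
workgroup = MYDOMAIN
realm = DC1.MYDOMAIN.NET
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
# Winbind settings
idmap config * : backend = tdb
idmap config * : range = 30000-40000
idmap config MYDOMAIN : backend = ad
template shell = /bin/bash
template homedir = /home/%ACCOUNTNAME%
winbind use default domain = Yes

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
"""


def parse_global(text):
    """Return {parameter: value} for [global]; parameter names are lowercased
    and whitespace-normalised, since Samba matches them case-insensitively."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def lint_dc_global(params):
    """Return the findings for a DC's [global] section (empty list = clean).

    The checks encode the advice given in this thread; they only apply when
    'server role' is an AD DC.
    """
    findings = []
    if params.get("server role", "").lower() != "active directory domain controller":
        return findings
    for key in sorted(params):
        if key.startswith("idmap config "):
            findings.append("remove '%s': idmap config lines do nothing on a DC" % key)
    if "%ACCOUNTNAME%" in params.get("template homedir", ""):
        findings.append("template homedir: replace %ACCOUNTNAME% with %U")
    services = [s.strip() for s in params.get("server services", "").split(",")]
    if "winbind" in services:
        findings.append("server services: replace 'winbind' with 'winbindd'")
    return findings


if __name__ == "__main__":
    for finding in lint_dc_global(parse_global(SMB_CONF)):
        print(finding)
```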

Ron García-Vidal via samba
Oct 8, 2016, 2:00:03 PM
Made all of these changes and it resolved the issue. I'm not sure which
one made the difference.

Yes there are a few users who log into the DC via ssh.

Thanks for your help.

-Ron
