
[Samba] NT_STATUS_INVALID_SID in a SDC


Kasandra Padisha
May 10, 2016, 1:40:04 PM

Hi All

I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have
backported Samba 4.3.18 and it is working well.

I have installed a SDC (if I may use that name) on a different network,
the same version of Samba but on a Debian Jessie on AMD64. I followed
every instruction in
https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory.
So every test worked fine.

But now when I try to log in, to view a share or to join the domain I get
NT_STATUS_INVALID_SID or "The security id structure is invalid".
Not only with the administrator but with any user.

root@parmenides2:~# smbclient -L localhost -UAdministrator
Enter Administrator's password:
session setup failed: NT_STATUS_INVALID_SID

I am really out of arguments


What I have already done:

1. The mirror is OK

#> samba-tool drs showrepl

Is OK

#> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
--filter=whenChanged

I have run this from both PDCs and get SUCCESS


2. I have read all similar messages

I have found some similar cases but none with a solution. And I have
literally read ALL of them.


3. My smb.conf

I have installed my main controller following
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
and it was generated automatically. I added "idmap_ldb:use" and "log level"


# Global parameters
[global]
workgroup = EXAMPLE-W10
realm = EXAMPLE.COM
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.10.7
idmap_ldb:use rfc2307 = yes
log level = 1

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


On DC2 the netbios name and dns forwarder change, but everything else
is the same.



4. ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator

dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20160505021322.0Z
uSNCreated: 3223
name: Administrator
objectGUID: 8426ff4b-4bc4-43da-8de2-bc5808544933
codePage: 0
countryCode: 0
pwdLastSet: 131068880020000000
primaryGroupID: 513
objectSid: S-1-5-21-508106755-2976483754-4106360514-500
adminCount: 1
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
isCriticalSystemObject: TRUE
lastLogonTimestamp: 131068882546671530
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
accountExpires: 0
whenChanged: 20160510132605.0Z
uSNChanged: 3721
userAccountControl: 66048
lastLogon: 131073689683266740
distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com


5. ldbsearch -H /var/lib/samba/private/sam.ldb DC=example | grep objectSid

objectSid: S-1-5-21-508106755-2976483754-4106360514


I appreciate any help

Cheers

Kasandra

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny
May 10, 2016, 2:40:04 PM
On 10/05/16 18:22, Kasandra Padisha wrote:
>
> Hi All
>
> I have a running SAMBA PDC on Debian Jessie on a PowerPC. I have
> backported Samba 4.3.18 and it is working well.

Hi, where did you get 4.3.18 from??? Or do you mean 4.3.8? If so, try
again with 4.3.9; this has some updates for regressions that 4.3.8
introduced.

Oh and a 'PDC' is something else entirely, you have a 'DC' :-)

>
> I have installed a SDC (if I may use that name)

No, you cannot :-D
It is just another DC :-)

Rowland

Kasandra Padisha
May 10, 2016, 3:40:03 PM

Hi

Thanks for your answer

1. Sorry, it was a mistype: The version is samba_4.3.8+dfsg-1~bpo80+1.
I backported from stretch to jessie as I want to keep my Debian
environment clean.
I do not fancy compiling it from source. I am a bit old-fashioned :-) :-) :-)

2. I use PDC and SDC as a legacy from previous versions. I understand why
it is outdated, but actually, even in Samba4, it is kind of true: DC2
knows who DC1 is all the time and there is big trouble when DC1 is
broken: DC2 gets kind of orphaned.

#> samba-tool fsmo show

SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

Nice topic, but it does not help me.


2. Are there any other suggestions apart from updating? I have already a
working installation on DC1 so I do not think upgrading may be a solution.


I appreciate a lead to follow in order to solve this little problem

Cheers


On 10/05/16 at 13:31, Rowland penny wrote:

Rowland penny
May 10, 2016, 4:00:03 PM
On 10/05/16 20:36, Kasandra Padisha wrote:
>
> Hi
>
> Thanks for your answer
>
> 1. Sorry, it was a mistype: The version is
> samba_4.3.8+dfsg-1~bpo80+1. I backported from stretch to jessie as I
> want to keep my Debian environment clean.
> I do not fancy compiling it from source. I am a bit old-fashioned :-)
> :-) :-)

OK, how about trying to backport 4.4.3 from Sid?? There are problems
with 4.3.8.
As for compiling Samba yourself, well, it is easy and you get to be in
control of when to update and can also run the latest stable version.

>
> 2. I use PDC and SDC as a legacy from previous versions. I understand
> why it is outdated, but actually, even in Samba4, it is kind of true:
> DC2 knows who DC1 is all the time and there is big trouble when DC1
> is broken: DC2 gets kind of orphaned.

You only get this problem with the internal DNS server.

>
> #> samba-tool fsmo show
>
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
> Nice topic, but it does not help me.
>
>

That is just the FSMO role owners and you can transfer them.


> 2. Are there any other suggestions apart from updating? I have already a
> working installation on DC1 so I do not think upgrading may be a solution.

Go here and read the release notes for 4.3.9 :
https://www.samba.org/samba/history/samba-4.3.9.html

>
>
> I appreciate a lead to follow in order to solve this little problem
>
> Cheers
>
>


mathias dufresne
May 11, 2016, 3:50:04 AM
Upgrading from 4.3.x to 4.3.x should not be an issue. That should not be
more of an issue when upgrading from 4.3.x to 4.4.x. Here we tried almost all
versions, keeping our domain up and running during upgrades (DC by DC). 20 DCs
involved, no real issue (nothing worth remembering at least :)

Kasandra Padisha
May 11, 2016, 8:20:04 AM

Hi

Upgrading without knowing what the problem is feels a bit like
Windows or lots of commercial software: "The next version will solve all
your problems", and we all know that's never true.

I appreciate any help.

Cheers



Kasandra Padisha
May 11, 2016, 10:10:03 AM

Hi

More info: The log.smbd shows the following lines when I tried to log in
as Administrator

----------------------------------------------------------------------------------------------------------------
[2016/05/11 08:09:36.411968, 2]
../source3/param/loadparm.c:2686(lp_do_section)
Processing section "[netlogon]"
[2016/05/11 08:09:36.412108, 2]
../source3/param/loadparm.c:2686(lp_do_section)
Processing section "[sysvol]"
[2016/05/11 08:09:36.412743, 2]
../source3/lib/interface.c:341(add_interface)
added interface eth0 ip=192.168.0.18 bcast=192.168.0.255 netmask=255.255.255.0
[2016/05/11 08:09:36.418379, 2]
../lib/util/modules.c:196(do_smb_load_module)
Module 'samba4' loaded
[2016/05/11 08:09:36.444927, 0]
../source4/auth/unix_token.c:93(security_token_to_unix_token)
Unable to convert second SID (S-1-5-21-508106755-2976483754-4106360514-513) in user token to a GID. Conversion was returned as type 0, full token:
[2016/05/11 08:09:36.445462, 0]
../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (13):
SID[ 0]: S-1-5-21-508106755-2976483754-4106360514-500
SID[ 1]: S-1-5-21-508106755-2976483754-4106360514-513
SID[ 2]: S-1-5-21-508106755-2976483754-4106360514-512
SID[ 3]: S-1-5-21-508106755-2976483754-4106360514-572
SID[ 4]: S-1-5-21-508106755-2976483754-4106360514-520
SID[ 5]: S-1-5-21-508106755-2976483754-4106360514-519
SID[ 6]: S-1-5-21-508106755-2976483754-4106360514-518
SID[ 7]: S-1-1-0
SID[ 8]: S-1-5-2
SID[ 9]: S-1-5-11
SID[ 10]: S-1-5-32-544
SID[ 11]: S-1-5-32-545
SID[ 12]: S-1-5-32-554
Privileges (0x 1FFFFF00):
Privilege[ 0]: SeTakeOwnershipPrivilege
Privilege[ 1]: SeBackupPrivilege
Privilege[ 2]: SeRestorePrivilege
Privilege[ 3]: SeRemoteShutdownPrivilege
Privilege[ 4]: SeSecurityPrivilege
Privilege[ 5]: SeSystemtimePrivilege
Privilege[ 6]: SeShutdownPrivilege
Privilege[ 7]: SeDebugPrivilege
Privilege[ 8]: SeSystemEnvironmentPrivilege
Privilege[ 9]: SeSystemProfilePrivilege
Privilege[ 10]: SeProfileSingleProcessPrivilege
Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Privilege[ 12]: SeLoadDriverPrivilege
Privilege[ 13]: SeCreatePagefilePrivilege
Privilege[ 14]: SeIncreaseQuotaPrivilege
Privilege[ 15]: SeChangeNotifyPrivilege
Privilege[ 16]: SeUndockPrivilege
Privilege[ 17]: SeManageVolumePrivilege
Privilege[ 18]: SeImpersonatePrivilege
Privilege[ 19]: SeCreateGlobalPrivilege
Privilege[ 20]: SeEnableDelegationPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
Right[ 1]: SeNetworkLogonRight
Right[ 2]: SeRemoteInteractiveLogonRight
[2016/05/11 08:09:36.450569, 1]
../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session setup: NT_STATUS_INVALID_SID

----------------------------------------------------------------------------------------------------------------

Or when I tried to log in as a common user
----------------------------------------------------------------------------------------------------------------
[2016/05/11 08:15:44.784439, 2]
../source3/param/loadparm.c:2686(lp_do_section)
Processing section "[netlogon]"
[2016/05/11 08:15:44.784710, 2]
../source3/param/loadparm.c:2686(lp_do_section)
Processing section "[sysvol]"
[2016/05/11 08:15:44.785399, 2]
../source3/lib/interface.c:341(add_interface)
added interface eth0 ip=192.168.0.18 bcast=192.168.0.255 netmask=255.255.255.0
[2016/05/11 08:15:44.790623, 2]
../lib/util/modules.c:196(do_smb_load_module)
Module 'samba4' loaded
[2016/05/11 08:15:44.812343, 0]
../source4/auth/unix_token.c:79(security_token_to_unix_token)
Unable to convert first SID (S-1-5-21-508106755-2976483754-4106360514-1188) in user token to a UID. Conversion was returned as type 0, full token:
[2016/05/11 08:15:44.812690, 0]
../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (7):
SID[ 0]: S-1-5-21-508106755-2976483754-4106360514-1188
SID[ 1]: S-1-5-21-508106755-2976483754-4106360514-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-32-545
SID[ 6]: S-1-5-32-554
Privileges (0x 800000):
Privilege[ 0]: SeChangeNotifyPrivilege
Rights (0x 400):
Right[ 0]: SeRemoteInteractiveLogonRight
[2016/05/11 08:15:44.814382, 1]
../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
Failed to generate session_info (user and group token) for session setup: NT_STATUS_INVALID_SID
[2016/05/11 08:16:53.830440, 2]
../source3/smbd/server.c:467(remove_child_pid)
Could not find child 20805 -- ignoring

----------------------------------------------------------------------------------------------------------------

Something similar was solved in 4.2:
https://bugzilla.samba.org/show_bug.cgi?id=10720


Cheers

Kasandra


On 11/05/16 at 07:12, Kasandra Padisha wrote:
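A checker for the two things this thread verifies by hand: that a token SID's domain part matches the domain objectSid from step 5 of the first post, and which SID and RID the "Unable to convert ... SID" lines in log.smbd refer to. This is an added example, not code from the thread or from Samba; the sample log is excerpted from the post above, and the well-known RID table is standard AD values assumed here.

```python
import re

# Domain objectSid reported by ldbsearch in the first post.
DOMAIN_SID = "S-1-5-21-508106755-2976483754-4106360514"

# Standard AD well-known RIDs (assumed here, not taken from the thread).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins",
                   520: "Group Policy Creator Owners"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")
FAIL_RE = re.compile(r"Unable to convert (first|second) SID \((S-[\d-]+)\) "
                     r"in user token to a (UID|GID)")

# Log lines excerpted from the post above; the mail client wrapped the SID
# onto its own line, which the parser must undo before matching.
SAMPLE_LOG = """\
[2016/05/11 08:09:36.444927, 0]
../source4/auth/unix_token.c:93(security_token_to_unix_token)
Unable to convert second SID
(S-1-5-21-508106755-2976483754-4106360514-513) in user token to a GID.
Unable to convert first SID
(S-1-5-21-508106755-2976483754-4106360514-1188) in user token to a UID.
"""

def is_well_formed_sid(sid):
    """Syntactic check only: S-1-<authority>-<1..15 sub-authorities>."""
    return bool(SID_RE.match(sid))

def split_sid(sid):
    """(domain part, RID) for an S-1-5-21-A-B-C-RID SID, else (sid, None)."""
    parts = sid.split("-")
    if not is_well_formed_sid(sid) or parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        return sid, None
    return "-".join(parts[:7]), int(parts[7])

def describe_rid(rid):
    if rid is None:
        return "not a domain SID"
    return WELL_KNOWN_RIDS.get(rid, "allocated RID" if rid >= 1000 else "unknown RID")

def parse_failures(log_text, domain_sid=DOMAIN_SID):
    """One dict per 'Unable to convert ... SID' message in log.smbd text."""
    flat = re.sub(r"\s*\n\s*", " ", log_text)   # undo mail wrapping
    failures = []
    for position, sid, target in FAIL_RE.findall(flat):
        domain, rid = split_sid(sid)
        failures.append({"position": position, "sid": sid, "target": target, "rid": rid,
                         "same_domain": domain == domain_sid, "rid_name": describe_rid(rid)})
    return failures
```

For this thread's log both failing SIDs are well formed and in the right domain (RID 513, Domain Users, and an allocated user RID), so the check narrows the problem to the DC's local SID-to-UID/GID conversion that unix_token.c reports, not to the SID values themselves.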

Kasandra Padisha
May 11, 2016, 10:50:03 AM

Never mind... I just demoted the SDC, removed Samba, reinstalled,
rejoined the domain, and now it is working..

:-( I felt again as with Windows... Just reinstall..

Thanks to all


On 11/05/16 at 09:03, Kasandra Padisha wrote: