[Samba] Administrators SID is invalid.

mots

Oct 18, 2014, 5:20:56 AM
Hello,

I've got a samba 4.2 DC, which has worked well for about a month now. It
still works for all users except "Administrator".

If I login to a Windows box with the Administrator account, I can't
connect to any shares and clicking on a mapped drive returns the error
"The security ID structure is invalid".

Opening "Active Directory Users and Computers" on the Windows box
returns "The RPC server is unavailable".

Using "smbclient -L localhost -UAdministrator" on the GNU/Linux server
running samba I receive this error: "session setup failed:
NT_STATUS_INVALID_SID".

Is there a way to fix this without restoring the database from backup?

Kind regards,

mots
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Oct 18, 2014, 5:50:11 AM
On 18/10/14 10:20, mots wrote:
> Hello,
>
> I've got a samba 4.2 DC, which has worked well for about a month now. It
> still works for all users except "Administrator".
>
> If I login to a Windows box with the Administrator account, I can't
> connect to any shares and clicking on a mapped drive returns the error
> "The security ID structure is invalid".
>
> Opening "Active Directory Users and Computers" on the Windows box
> returns "The RPC server is unavailable".
>
> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux server
> running samba I receive this error: "session setup failed:
> NT_STATUS_INVALID_SID".
>
> Is there a way to fix this without restoring the database from backup?
>
> Kind regards,
>
> mots
Possibly, have you done anything to the Administrator account?

Also can you post the (sanitized) result of:

ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator

You may have to alter '/var/lib/samba/private/sam.ldb' with the path to
your sam.ldb

Rowland

mots

Oct 18, 2014, 6:04:52 AM
No, not while it was working. Though I did change the password today
while trying to figure out what still works.

Also, I can still get Kerberos tickets with the account. (using kinit
and klist)

Here's the output:
root@samba:~# ldbsearch -H /usr/local/samba/private/sam.ldb cn=Administrator
# record 1
dn: CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20140912070407.0Z
uSNCreated: 3545
name: Administrator
objectGUID: 9d41ebd9-7c5a-48d0-b953-85eab1e55429
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cluster,DC=domain,DC=ch
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=cluster,DC=domain,DC=ch
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=cluster,DC=domain,DC=ch
memberOf: CN=Enterprise Admins,CN=Users,DC=cluster,DC=domain,DC=ch
memberOf: CN=Schema Admins,CN=Users,DC=cluster,DC=domain,DC=ch
memberOf: CN=Domain Admins,CN=Users,DC=cluster,DC=domain,DC=ch
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 0
pwdLastSet: 130580955130000000
whenChanged: 20141018084513.0Z
uSNChanged: 27862
distinguishedName: CN=Administrator,CN=Users,DC=cluster,DC=domain,DC=ch

# Referral
ref: ldap://cluster.domain.ch/CN=Configuration,DC=cluster,DC=domain,DC=ch

# Referral
ref: ldap://cluster.domain.ch/DC=DomainDnsZones,DC=cluster,DC=domain,DC=ch

# Referral
ref: ldap://cluster.domain.ch/DC=ForestDnsZones,DC=cluster,DC=domain,DC=ch

# returned 4 records
# 1 entries
# 3 referrals

mots

Rowland Penny

Oct 18, 2014, 6:37:44 AM
Hi, the Administrator account has expired:

accountExpires: 9223372036854775807 = Sat, 09 Oct 4523 21:52:49 GMT

The quick way out of this:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb cn=Administrator

Change:

accountExpires: 9223372036854775807

To:

accountExpires: 0
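
As an added example (not from the thread), the conversion behind this accountExpires check in Python: AD stores accountExpires, pwdLastSet and lastLogon as Windows FILETIME tick counts, and 9223372036854775807 is the INT64 maximum, which AD (like the value 0) treats as "never expires"; that is consistent with the account still obtaining Kerberos tickets. The sample values are copied from the ldbsearch output posted earlier in the thread.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
# AD stores accountExpires, pwdLastSet, lastLogon, ... as Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00 UTC in a signed 64-bit integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires has two sentinels for "never expires": 0 and INT64_MAX (0x7FFFFFFFFFFFFFFF).
NEVER = 0x7FFFFFFFFFFFFFFF

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks to an aware UTC datetime (Python dates stop at year 9999, so
    the INT64_MAX sentinel must be filtered out before calling this)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, e.g. to compute a value to write back with ldbedit/ldbmodify."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime as ldbsearch prints whenCreated/whenChanged ('20141018084513.0Z')."""
    return datetime.strptime(value.split(".")[0], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def account_expiry(account_expires: int) -> Optional[datetime]:
    """None if the account never expires, otherwise the UTC instant at which it does."""
    if account_expires in (0, NEVER):
        return None
    return filetime_to_datetime(account_expires)

def is_expired(account_expires: int, now: datetime) -> bool:
    expiry = account_expiry(account_expires)
    return expiry is not None and expiry <= now

# Constructed sample: attribute values copied from the ldbsearch output quoted in the thread.
SAMPLE: Dict[str, str] = {
    "accountExpires": "9223372036854775807",
    "pwdLastSet": "130580955130000000",
    "lastLogon": "0",
    "whenChanged": "20141018084513.0Z",
}

def summarize(record: Dict[str, str] = SAMPLE) -> Dict[str, object]:
    """Decode the time attributes of one sam.ldb record into something a human can check."""
    now = parse_generalized_time(record["whenChanged"])
    return {
        "expires": account_expiry(int(record["accountExpires"])),        # None: never expires
        "expired": is_expired(int(record["accountExpires"]), now),
        "pwd_last_set": filetime_to_datetime(int(record["pwdLastSet"])),  # equals whenChanged here
        "last_logon": None if record["lastLogon"] == "0" else filetime_to_datetime(int(record["lastLogon"])),
    }
```

For the record above, pwdLastSet decodes to 2014-10-18 08:45:13 UTC, the same instant as whenChanged, which fits the password change mots mentions.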

mots

Oct 18, 2014, 6:45:22 AM
Thanks, but that didn't work, I'm still getting the same error.

Also weird: If the account was expired, then I shouldn't have been able
to log in at all, right?

Kind regards,

mots

On 18.10.2014 at 11:50, Rowland Penny wrote:
> On 18/10/14 10:20, mots wrote:
>> Hello,
>>
>> I've got a samba 4.2 DC, which has worked well for about a month now. It
>> still works for all users except "Administrator".
>>
>> If I login to a Windows box with the Administrator account, I can't
>> connect to any shares and clicking on a mapped drive returns the error
>> "The security ID structure is invalid".
>>
>> Opening "Active Directory Users and Computers" on the Windows box
>> returns "The RPC server is unavailable".
>>
>> Using "smbclient -L localhost -UAdministrator" on the GNU/Linux server
>> running samba I receive this error: "session setup failed:
>> NT_STATUS_INVALID_SID".
>>
>> Is there a way to fix this without restoring the database from backup?
>>
>> Kind regards,
>>
>> mots
> Possibly, have you done anything to the Administrator account?
>
> Also can you post the (sanitized) result of:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb cn=Administrator
>
> You may have to alter '/var/lib/samba/private/sam.ldb' with the path
> to your sam.ldb
>
> Rowland
>

Rowland Penny

Oct 18, 2014, 6:56:33 AM
That was the only obvious problem. OK, let's check if the Administrator
has the correct SID:

ldbsearch -H /var/lib/samba/private/sam.ldb DC=cluster | grep objectSid

Does the result match what you posted earlier?

objectSid: S-1-5-21-4290789724-2746532821-3856153555-500

Note: ignore the -500, this is the Administrator's RID and is always '500'

mots

Oct 18, 2014, 7:08:30 AM
Yes, the output matches the one from before.

objectSid: S-1-5-21-4290789724-2746532821-3856153555

Rowland Penny

Oct 18, 2014, 7:20:01 AM
On 18/10/14 12:06, mots wrote:
> Yes, the output matches the one from before.
>
> objectSid: S-1-5-21-4290789724-2746532821-3856153555
>
> On 18.10.2014 at 12:56, Rowland Penny wrote:
OK, everything about the Administrator account seems correct (even the
accountExpires attribute, concentrating on the expiry day & month, I
totally missed that it wouldn't expire until the year 4253 LOL) so I am
at a bit of a loss now. Perhaps there is something in smb.conf that is
causing this, so could you post your smb.conf.

Rowland

mots

Oct 18, 2014, 7:29:33 AM
My smb.conf file is really basic. I've only added a few lines for the
print server and enabled schema updates so I could install the zarafa AD
integration. It hasn't been changed since 29.09.2014.

-rw-r--r-- 1 root staff 1116 Sep 29 13:18 /usr/local/samba/etc/smb.conf

# Global parameters
[global]
workgroup = CLUSTER
realm = CLUSTER.DOMAIN.CH
netbios name = SAMBA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
load printers = yes
spoolss: architecture = Windows x64
unix extensions = no
dsdb:schema update allowed = true
load printers = yes


[netlogon]
path = /usr/local/samba/var/locks/sysvol/cluster.domain.ch/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[printers]
path = /var/spool/samba
printable = yes
printing = CUPS

[print$]
path = /var/shares/Printer_drivers
comment = Printer Drivers
writeable = yes

[profile$]
path = /var/shares/profiles
read only = no

[doc$]
path = /var/shares/docs
read only = no

[Customer]
path = /var/shares/customer
read only = No
[Buspro]
path = /var/shares/buspro
read only = No

[Daten]
path = /var/shares/daten
read only = no

Rowland Penny

Oct 18, 2014, 8:18:28 AM
Hm, you said that you were using samba 4.2 and your smb.conf confirms
this (you are using the new(old) winbind 'winbindd') and I would have
thought that there would now be some of the familiar 'winbind' lines in
smb.conf. I would have thought the lines to map the builtin users would
be there:

idmap config * : backend = tdb
idmap config * : range = 2000-9999

But I suppose that idmap.ldb is still doing this.

This leads to what I think must be last thoughts on this, I wonder if
the Administrators SID is wrong in idmap.ldb:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

Search for -500 and check the SID to see if it matches what you found
earlier.

mots

Oct 18, 2014, 8:31:36 AM
dn: CN=S-1-5-21-4290789724-2746532821-3856153555-500
cn: S-1-5-21-4290789724-2746532821-3856153555-500
objectClass: sidMap
objectSid: S-1-5-21-4290789724-2746532821-3856153555-500
xidNumber: 0
type: ID_TYPE_UID
distinguishedName: CN=S-1-5-21-4290789724-2746532821-3856153555-500

The objectSid matches the one from before, though the two fields "dn"
and "distinguishedName" have different values. Is that normal?

mots

Oct 18, 2014, 8:35:47 AM
Never mind that, I misread the output; dn and distinguishedName are also
the same.

mots

Oct 20, 2014, 8:42:40 AM
Alright, now it's getting weird.

I've restored the whole /usr/local/samba/private directory from a one
month old backup, yet I'm still getting the same error.

Does anyone have an idea where else the problem could be?

mots

Oct 20, 2014, 2:33:29 PM
I think I've made some progress:

It's not actually the user "Administrator" that's broken, it's the group
"Administrators".
Its SID in both sam.ldf and idmap.ldf is S-1-5-32-544, which looks kind
of short. Is there another place where the SID for groups is stored?

Kind regards,

mots

Rowland Penny

Oct 20, 2014, 2:40:52 PM
On 20/10/14 19:32, mots wrote:
> I think I've made some progress:
>
> It's not actually the user "Administrator" that's broken, it's the group
> "Administrators".
> Its SID in both sam.ldf and idmap.ldf is S-1-5-32-544, which looks kind
> of short.

No, that is the complete SID, have a look here:

http://support.microsoft.com/kb/243330#

Rowland
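
As an added illustration (not from the thread) of the point Rowland makes, a small Python SID parser that distinguishes the well-known BUILTIN form S-1-5-32-<RID> (two sub-authorities, complete as printed) from domain SIDs S-1-5-21-<a>-<b>-<c>[-<RID>], and checks an objectSid from sam.ldb or idmap.ldb against the domain SID the way the thread did by hand; the SID values used are the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
# Textual SID grammar: S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...].
# Windows allows 1..15 sub-authorities of 32 bits each; the last one is the RID.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$")
NT_AUTHORITY = 5  # SECURITY_NT_AUTHORITY, the "5" in S-1-5-...

@dataclass(frozen=True)
class Sid:
    authority: int
    subs: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        m = SID_RE.match(text)
        if not m:
            raise ValueError(f"malformed SID: {text!r}")
        subs = tuple(int(s) for s in m.group(2).split("-")[1:])
        if any(s > 0xFFFFFFFF for s in subs):
            raise ValueError(f"sub-authority exceeds 32 bits: {text!r}")
        return cls(int(m.group(1)), subs)
    def _nt(self, first: int, count: int) -> bool:
        return self.authority == NT_AUTHORITY and self.subs[0] == first and len(self.subs) == count
    @property
    def rid(self) -> int:
        """Trailing sub-authority: 500 = Administrator, 544 = Administrators."""
        return self.subs[-1]
    def is_builtin(self) -> bool:
        """S-1-5-32-<rid>: a complete well-known BUILTIN SID, not a truncated domain SID."""
        return self._nt(32, 2)
    def is_domain_sid(self) -> bool:
        """S-1-5-21-a-b-c: the domain identifier itself (what 'ldbsearch ... DC=cluster' printed)."""
        return self._nt(21, 4)

    def domain_of(self) -> Optional["Sid"]:
        """For a domain principal S-1-5-21-a-b-c-<rid>, the domain SID it belongs to."""
        return Sid(NT_AUTHORITY, self.subs[:-1]) if self._nt(21, 5) else None

def check_object_sid(object_sid: str, domain_sid: str) -> str:
    """Classify an objectSid from sam.ldb/idmap.ldb against the domain SID, as the thread did by hand."""
    sid, domain = Sid.parse(object_sid), Sid.parse(domain_sid)
    if not domain.is_domain_sid():
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    if sid.is_builtin():
        return "builtin"   # Administrators S-1-5-32-544 lands here: nothing has been cut off
    if sid.domain_of() == domain:
        return "domain"    # Administrator ...-500 belongs to this domain
    return "foreign" if sid.domain_of() else "other"  # foreign: principal of some other domain
```

A "foreign" result for an account that should be local is the case worth investigating in a Samba DC: it means sam.ldb or idmap.ldb carries a SID from a different domain identifier than the one the DC holds.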