Bug 15079 - Domain Controller corruption issue with Samba on OpenSuse Leap 15.3
Summary: Domain Controller corruption issue with Samba on OpenSuse Leap 15.3
Status: CLOSED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-29 11:47 UTC by Zombie Ryushu
Modified: 2022-06-20 01:25 UTC

See Also:


Attachments

Description Zombie Ryushu 2022-05-29 11:47:41 UTC
I have been unable to process any Domain Logins of any type on OpenSuse Leap 15.3. I get an invalid SID error.

added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.15.4-git.324.8332acf1a63150300.3.25.3-SUSE-oS15.0-x86_64).
tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/lock/gencache.tdb: Permission denied
resolve_hosts: Attempting host lookup for name olympia.pukey<0x20>
Connecting to 192.168.0.4 at port 445
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

like this. System log errors below.
Comment 1 Zombie Ryushu 2022-05-29 11:47:58 UTC
[2022/05/28 08:52:15.774356,  0] ../../source4/auth/unix_token.c:97(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID.  Conversion was returned as type 0, full token:
[2022/05/28 08:52:15.774483,  0] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (4):
    SID[  0]: S-1-5-7
    SID[  1]: S-1-1-0
    SID[  2]: S-1-5-2
    SID[  3]: S-1-5-64-10
   Privileges (0x               0):
   Rights (0x               0):
[2022/05/28 08:52:34.664436,  0] ../../source4/auth/unix_token.c:97(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2139989288-483860436-2398042574-2000) in user token to a UID.  Conversion was returned as type 0, full token:
[2022/05/28 08:52:34.664542,  0] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (13):
    SID[  0]: S-1-5-21-2139989288-483860436-2398042574-2000
    SID[  1]: S-1-5-21-2139989288-483860436-2398042574-513
    SID[  2]: S-1-5-21-2139989288-483860436-2398042574-512
    SID[  3]: S-1-5-21-2139989288-483860436-2398042574-572
    SID[  4]: S-1-5-21-2139989288-483860436-2398042574-41238
    SID[  5]: S-1-5-21-2139989288-483860436-2398042574-41742
    SID[  6]: S-1-5-21-2139989288-483860436-2398042574-41237
    SID[  7]: S-1-1-0
    SID[  8]: S-1-5-2
    SID[  9]: S-1-5-11
    SID[ 10]: S-1-5-32-545
    SID[ 11]: S-1-5-32-544
    SID[ 12]: S-1-5-32-554
   Privileges (0x        1FFFFF00):
    Privilege[  0]: SeTakeOwnershipPrivilege
    Privilege[  1]: SeBackupPrivilege
    Privilege[  2]: SeRestorePrivilege
    Privilege[  3]: SeRemoteShutdownPrivilege
    Privilege[  4]: SeSecurityPrivilege
    Privilege[  5]: SeSystemtimePrivilege
    Privilege[  6]: SeShutdownPrivilege
    Privilege[  7]: SeDebugPrivilege
    Privilege[  8]: SeSystemEnvironmentPrivilege
    Privilege[  9]: SeSystemProfilePrivilege
    Privilege[ 10]: SeProfileSingleProcessPrivilege
    Privilege[ 11]: SeIncreaseBasePriorityPrivilege
    Privilege[ 12]: SeLoadDriverPrivilege
    Privilege[ 13]: SeCreatePagefilePrivilege
    Privilege[ 14]: SeIncreaseQuotaPrivilege
    Privilege[ 15]: SeChangeNotifyPrivilege
    Privilege[ 16]: SeUndockPrivilege
    Privilege[ 17]: SeManageVolumePrivilege
    Privilege[ 18]: SeImpersonatePrivilege
    Privilege[ 19]: SeCreateGlobalPrivilege
    Privilege[ 20]: SeEnableDelegationPrivilege
   Rights (0x             403):
    Right[  0]: SeInteractiveLogonRight
    Right[  1]: SeNetworkLogonRight
    Right[  2]: SeRemoteInteractiveLogonRight
[2022/05/28 08:52:34.671510,  0] ../../source4/auth/unix_token.c:97(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID.  Conversion was returned as type 0, full token:
[2022/05/28 08:52:34.671600,  0] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (4):
    SID[  0]: S-1-5-7
    SID[  1]: S-1-1-0
    SID[  2]: S-1-5-2
    SID[  3]: S-1-5-64-10
   Privileges (0x               0):
   Rights (0x               0):
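As an added illustration (not part of the report and not Samba's own code), a small Python parser for the security_token_debug dumps above: it reads the `SID[ n]:` lines, labels each SID as a well-known SID (names from Microsoft's published well-known SID list), a domain SID with its RID, or an invalid string, and reports whether the first SID, the one Samba tries to map to a UID, is a domain SID at all. The sample lines are constructed to match the log format.

```python
import re

# Constructed sample in the format security_token_debug() writes (see the log above).
SAMPLE = """\
  Security token SIDs (4):
    SID[  0]: S-1-5-7
    SID[  1]: S-1-1-0
    SID[  2]: S-1-5-2
    SID[  3]: S-1-5-64-10
   Privileges (0x               0):
"""

# Well-known SIDs that appear in the tokens above (Microsoft's published names).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}

# Revision 1, an identifier authority, and at most 15 sub-authorities.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){0,15}$")
LINE_RE = re.compile(r"^\s*SID\[\s*\d+\]:\s*(\S+)\s*$")

def classify(sid):
    """Label a SID string: well-known name, 'domain RID n', 'unknown' or 'invalid'."""
    if not SID_RE.match(sid):
        return "invalid"
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    # Domain SIDs are S-1-5-21-<three sub-authorities>-<RID>: seven dashes in total.
    if sid.startswith("S-1-5-21-") and sid.count("-") == 7:
        return "domain RID %s" % sid.rsplit("-", 1)[1]
    return "unknown"

def parse_token(text):
    """Return the SID strings of a token dump in the order Samba printed them."""
    return [m.group(1) for m in map(LINE_RE.match, text.splitlines()) if m]

def explain_token(text):
    """Return (sids, labels, first_is_domain_sid) for one token dump."""
    sids = parse_token(text)
    labels = [classify(s) for s in sids]
    # Samba maps the first SID to the Unix UID. A well-known SID such as
    # ANONYMOUS LOGON has no Unix identity, so that mapping can never succeed;
    # a domain SID can map only if idmap/winbind resolves it.
    first_is_domain = bool(sids) and labels[0].startswith("domain RID")
    return sids, labels, first_is_domain
```

Run against the second token in the log (first SID S-1-5-21-...-2000) the function reports a domain SID, which shifts attention from the token itself to the idmap lookup that returned type 0.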
Comment 2 Zombie Ryushu 2022-05-29 11:49:07 UTC
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:36ee0adb-1ebe-4b44-a1ae-eac0543ec12d,CN=OLYMPIA\0ADEL:0f7aca17-2fc8-4b3a-9f6b-1d495231080e,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=f80595a7-2c07-4826-a49e-8d18b6298222\0ADEL:754023d7-980a-4b87-8d0c-f356d700ce45,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:a35b2245-3340-4182-aaf8-dd344725805e,CN=KEFKA\0ADEL:8e3acfa5-fdfa-43e8-9a52-096a2ad480ab,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=KEFKA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:6415fa95-17b6-491e-98d9-337de532c53d,CN=OLYMPIA\0ADEL:aec2c112-187c-4a5f-8dab-4bd9b85eb88c,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=306b7c01-f16d-4a26-855b-516dd5f12f33\0ADEL:27137e85-4bec-4dab-8cad-f0d773a68753,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=163a6f30-e1d3-4255-8b75-85fce23bb4c4\0ADEL:f5a4ed65-8c31-4195-85d9-b897dd9ea641,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=KEFKA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:8fb823d7-3bcb-4922-a01c-10a6cce120c0,CN=OLYMPIA\0ADEL:ca5c4ee8-6d26-4e9a-8e5e-cc407a1fca2d,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=828f913e-3159-45ef-9fb7-886e571310e5\0ADEL:a918beaf-c90b-440d-9f95-260f29cc3118,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:50507d18-c8ee-4ef4-bbda-4d0d9bc31caa,CN=OLYMPIA\0ADEL:d6a87387-57cd-4f2d-8549-e3e8ec32b903,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:dc707574-f1ec-464e-890a-df531ccc93b4,CN=OLYMPIA\0ADEL:c415fa6a-9fd8-4594-ab32-458929db70b5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=a5e3223f-dfc1-47a9-9f66-416aa153e76c\0ADEL:abb70a79-8aec-4b5e-98c5-c3d8ee367258,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=KEFKA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:e6cf93ea-829c-4891-9b9e-09eeb8ffaf1a,CN=Deleted Objects,DC=pukey - CN=OLYMPIA,OU=Domain Controllers,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:60118ec4-23da-4184-a958-d9c6366823a9,CN=Deleted Objects,DC=pukey - CN=OLYMPIA,OU=Domain Controllers,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:31791407-a8f7-4191-aa42-b7a93a6cdf85,CN=Deleted Objects,DC=pukey - CN=OLYMPIA,OU=Domain Controllers,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:989102b5-7c76-4f82-9aad-50fb207c500c,CN=Deleted Objects,DC=pukey - CN=KEFKA,OU=Domain Controllers,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:906ca1de-438d-44c4-abc4-85b8b4a40b55,CN=Deleted Objects,DC=pukey - CN=OLYMPIA,OU=Domain Controllers,DC=pukey
Not fixing old string component
ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
    error_count += self.check_object(object.dn, requested_attrs=attrs)
  File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
    expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
Comment 3 Rowland Penny 2022-05-30 17:31:20 UTC
(In reply to Zombie Ryushu from comment #2)
Can you please come and discuss this on the samba mailing list. In your first comment, you appear to be trying to do something as a normal user that requires the root user.

Your second comment could be caused by the lack of root and the third is mostly composed of deleted objects.

I recently set up Samba on leap15-3 and it works for me, though I have a slightly later Samba version (do you need to update?)

So come to the samba mailing list and bring along the output of 'testparm -s'
Comment 4 Zombie Ryushu 2022-05-31 12:06:52 UTC
(In reply to Rowland Penny from comment #3)
I found out that my system was not processing updates the way it should, and corrected the updates. I have isolated this to one Domain Controller of three I have. 

After updating the Domain Controller, however, the problem has not resolved itself. There is still some Database level corruption present. 

Current installed version is:
samba-4.15.7+git.376.dd43aca9ab2-150300.3.32.1.x86_64
Comment 5 Zombie Ryushu 2022-05-31 12:07:50 UTC
# samba-tool dbcheck
Checking 321 objects
ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
    error_count += self.check_object(object.dn, requested_attrs=attrs)
  File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
    expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
Comment 6 Rowland Penny 2022-06-01 10:26:14 UTC
Closing this, from a discussion on the samba mailing list, it seems this is being caused by human error.
Comment 7 Zombie Ryushu 2022-06-20 00:13:56 UTC
I am re-opening this because I have more information.

I have issues with what seems to be an entirely non-functional Winbindd. This seems to be the source of my problem. Details below:

(02:32:42 AM) Codebase: codebase@olympia:~> wbinfo -D PUKEY
failed to call wbcDomainInfo: WBC_ERR_NOT_IMPLEMENTED
Could not get domain info
codebase@olympia:~> wbinfo -P
checking the NETLOGON for domain[-not available-] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_NOT_IMPLEMENTED
codebase@olympia:~> wbinfo --all-domains
failed to call wbcListTrusts: WBC_ERR_NOT_IMPLEMENTED
codebase@olympia:~> wbinfo --online-status
failed to call wbcListTrusts: WBC_ERR_NOT_IMPLEMENTED
Could not show online-status
codebase@olympia:~> wbinfo --own-domain
-not available-
codebase@olympia:~> wbinfo --trusted-domains
failed to call wbcListTrusts: WBC_ERR_NOT_IMPLEMENTED
Could not list trusted domains
(02:33:05 AM) Codebase: This is acting as if winbind isn't configured.
(02:33:23 AM) Codebase: (I.e. It claims not to be a part of a domain.)
(02:33:25 AM) masterz@olympia.pukey/Olympia: masterz@kefka:~> wbinfo --all-domains
BUILTIN
PUKEY-NT

(02:33:35 AM) Codebase: codebase@olympia:~> wbinfo --own-domain
-not available-
(02:33:45 AM) Codebase: codebase@olympia:~> wbinfo --all-domains
failed to call wbcListTrusts: WBC_ERR_NOT_IMPLEMENTED
(02:33:58 AM) masterz@olympia.pukey/Olympia: masterz@kefka:~> wbinfo --own-domain
PUKEY-NT

(02:34:32 AM) Codebase: That's making me wonder if winbind's components are damaged.
(02:34:45 AM) masterz@olympia.pukey/Olympia: masterz@kefka:~> wbinfo --online-status
BUILTIN : active connection
PUKEY-NT : active connection
(02:36:13 AM) Codebase: There was a time when sssd overrode winbind's libraries. Instead of using the plugin mechanism that exists today. Most distros would use their alternatives mechanism (or package manager) to select between them.
(02:36:54 AM) Codebase: Could opensuse be doing something similar here?
(02:37:18 AM) Codebase: Replacing the winbind library with sssd's version?
(02:38:47 AM) Codebase: I ask because sssd's version was barebones. If that was the problem, we'd get unimplemented method errors.
(02:39:30 AM) masterz@olympia.pukey/Olympia: olympia:~ # rpm -q --verify samba-winbind-libs
olympia:~ # rpm -q --verify samba-winbind

(02:42:07 AM) Codebase: Do you have a working avahi server enabled on your network?
(02:42:38 AM) Codebase: Because this is in olympia's nsswitch.conf:
hosts: files mdns_minimal [NOTFOUND=return] dns
(02:42:54 AM) Codebase: It will never query DNS for a hostname.
(02:43:04 AM) Codebase: With that config.
(02:43:16 AM) masterz@olympia.pukey/Olympia: sudo service avahi-daemon status
avahi-daemon.service - Avahi mDNS/DNS-SD Stack
    Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.service; enabled; vendor preset>
    Active: active (running) since Thu 2022-06-16 01:54:35 EDT; 48min ago


(02:43:50 AM) Codebase: I should also point out that it will not have the SRV records that samba needs for ADDC support.
(02:44:12 AM) Codebase: Which means that lookups for the DC and GC will fail.
(02:44:18 AM) masterz@olympia.pukey/Olympia: Bind DLZ Provides that.
(02:44:22 AM) Codebase: Yes.
(02:44:23 AM) masterz@olympia.pukey/Olympia: check.

How do I debug Winbindd's behavior?
Comment 8 Andrew Bartlett 2022-06-20 01:25:24 UTC
(In reply to Zombie Ryushu from comment #7)
Bugzilla is not a support mechanism.