I have been unable to process any Domain Logins of any type on OpenSuse Leap 15.3. I get an invalid SID error, like this:

added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.15.4-git.324.8332acf1a63150300.3.25.3-SUSE-oS15.0-x86_64).
tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/lock/gencache.tdb: Permission denied
resolve_hosts: Attempting host lookup for name olympia.pukey<0x20>
Connecting to 192.168.0.4 at port 445
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

System log errors below.
[2022/05/28 08:52:15.774356, 0] ../../source4/auth/unix_token.c:97(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID. Conversion was returned as type 0, full token:
[2022/05/28 08:52:15.774483, 0] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (4):
    SID[ 0]: S-1-5-7
    SID[ 1]: S-1-1-0
    SID[ 2]: S-1-5-2
    SID[ 3]: S-1-5-64-10
  Privileges (0x 0):
  Rights (0x 0):
[2022/05/28 08:52:34.664436, 0] ../../source4/auth/unix_token.c:97(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2139989288-483860436-2398042574-2000) in user token to a UID. Conversion was returned as type 0, full token:
[2022/05/28 08:52:34.664542, 0] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (13):
    SID[ 0]: S-1-5-21-2139989288-483860436-2398042574-2000
    SID[ 1]: S-1-5-21-2139989288-483860436-2398042574-513
    SID[ 2]: S-1-5-21-2139989288-483860436-2398042574-512
    SID[ 3]: S-1-5-21-2139989288-483860436-2398042574-572
    SID[ 4]: S-1-5-21-2139989288-483860436-2398042574-41238
    SID[ 5]: S-1-5-21-2139989288-483860436-2398042574-41742
    SID[ 6]: S-1-5-21-2139989288-483860436-2398042574-41237
    SID[ 7]: S-1-1-0
    SID[ 8]: S-1-5-2
    SID[ 9]: S-1-5-11
    SID[ 10]: S-1-5-32-545
    SID[ 11]: S-1-5-32-544
    SID[ 12]: S-1-5-32-554
  Privileges (0x 1FFFFF00):
    Privilege[ 0]: SeTakeOwnershipPrivilege
    Privilege[ 1]: SeBackupPrivilege
    Privilege[ 2]: SeRestorePrivilege
    Privilege[ 3]: SeRemoteShutdownPrivilege
    Privilege[ 4]: SeSecurityPrivilege
    Privilege[ 5]: SeSystemtimePrivilege
    Privilege[ 6]: SeShutdownPrivilege
    Privilege[ 7]: SeDebugPrivilege
    Privilege[ 8]: SeSystemEnvironmentPrivilege
    Privilege[ 9]: SeSystemProfilePrivilege
    Privilege[ 10]: SeProfileSingleProcessPrivilege
    Privilege[ 11]: SeIncreaseBasePriorityPrivilege
    Privilege[ 12]: SeLoadDriverPrivilege
    Privilege[ 13]: SeCreatePagefilePrivilege
    Privilege[ 14]: SeIncreaseQuotaPrivilege
    Privilege[ 15]: SeChangeNotifyPrivilege
    Privilege[ 16]: SeUndockPrivilege
    Privilege[ 17]: SeManageVolumePrivilege
    Privilege[ 18]: SeImpersonatePrivilege
    Privilege[ 19]: SeCreateGlobalPrivilege
    Privilege[ 20]: SeEnableDelegationPrivilege
  Rights (0x 403):
    Right[ 0]: SeInteractiveLogonRight
    Right[ 1]: SeNetworkLogonRight
    Right[ 2]: SeRemoteInteractiveLogonRight
[2022/05/28 08:52:34.671510, 0] ../../source4/auth/unix_token.c:97(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-7) in user token to a UID. Conversion was returned as type 0, full token:
[2022/05/28 08:52:34.671600, 0] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (4):
    SID[ 0]: S-1-5-7
    SID[ 1]: S-1-1-0
    SID[ 2]: S-1-5-2
    SID[ 3]: S-1-5-64-10
  Privileges (0x 0):
  Rights (0x 0):
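An added example (not from this bug report or from Samba) that decodes the security_token_debug dump above: it pulls each failed UID conversion out of a constructed, shortened excerpt of the quoted log, names the well-known SIDs and domain RIDs using their MS-DTYP definitions, and separates the expected failure for an anonymous session (first SID S-1-5-7) from a real domain user whose SID did not map to a UID. The function names and the diagnosis labels are my own.

```python
import re
# Well-known SIDs (MS-DTYP) and domain RIDs that appear in the token dump above.
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-2": "Network", "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users", "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 572: "Denied RODC Password Replication Group"}
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")
SID_RE = re.compile(r"SID\[\s*\d+\]: (S-[\d-]+)")
TOKEN_RE = re.compile(r"Unable to convert first SID \((S-[\d-]+)\).*?"
                      r"Security token SIDs \((\d+)\):((?:\s*SID\[\s*\d+\]: S-[\d-]+)+)", re.S)

# Constructed, shortened excerpt of the log quoted in this report (whitespace collapsed as posted).
SAMPLE_LOG = (
    "Unable to convert first SID (S-1-5-7) in user token to a UID. Conversion was returned as type 0, full token: "
    "Security token SIDs (4): SID[ 0]: S-1-5-7 SID[ 1]: S-1-1-0 SID[ 2]: S-1-5-2 SID[ 3]: S-1-5-64-10 "
    "Privileges (0x 0): Rights (0x 0): "
    "Unable to convert first SID (S-1-5-21-2139989288-483860436-2398042574-2000) in user token to a UID. "
    "Conversion was returned as type 0, full token: Security token SIDs (5): "
    "SID[ 0]: S-1-5-21-2139989288-483860436-2398042574-2000 SID[ 1]: S-1-5-21-2139989288-483860436-2398042574-513 "
    "SID[ 2]: S-1-5-21-2139989288-483860436-2398042574-512 SID[ 3]: S-1-5-11 SID[ 4]: S-1-5-32-544 Privileges (0x 1FFFFF00):"
)

def describe(sid):
    """Name a well-known SID or domain RID; unknown domain RIDs are reported by number."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = DOMAIN_SID_RE.fullmatch(sid)
    return DOMAIN_RIDS.get(int(m.group(1)), f"domain account RID {m.group(1)}") if m else "unknown SID"

def parse_failed_tokens(log):
    """Return [(first_sid, [all token sids])] per failed UID conversion, checking the dump is consistent."""
    out = []
    for first, count, body in TOKEN_RE.findall(log):
        sids = SID_RE.findall(body)
        if len(sids) != int(count) or sids[0] != first:
            raise ValueError(f"inconsistent token dump for {first}")
        out.append((first, sids))
    return out

def diagnose(sids):
    """S-1-5-7 first means an anonymous session with no user to map (expected); a domain user SID
    that still fails points at idmap/winbind on the DC, and matters more when admin groups are present."""
    if sids[0] == "S-1-5-7":
        return "anonymous"
    if DOMAIN_SID_RE.fullmatch(sids[0]):
        admin = any(describe(s) in ("Domain Admins", "BUILTIN\\Administrators") for s in sids)
        return "domain-admin-unmapped" if admin else "domain-user-unmapped"
    return "other"
```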
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:36ee0adb-1ebe-4b44-a1ae-eac0543ec12d,CN=OLYMPIA\0ADEL:0f7aca17-2fc8-4b3a-9f6b-1d495231080e,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=f80595a7-2c07-4826-a49e-8d18b6298222\0ADEL:754023d7-980a-4b87-8d0c-f356d700ce45,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:a35b2245-3340-4182-aaf8-dd344725805e,CN=KEFKA\0ADEL:8e3acfa5-fdfa-43e8-9a52-096a2ad480ab,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=KEFKA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:6415fa95-17b6-491e-98d9-337de532c53d,CN=OLYMPIA\0ADEL:aec2c112-187c-4a5f-8dab-4bd9b85eb88c,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=306b7c01-f16d-4a26-855b-516dd5f12f33\0ADEL:27137e85-4bec-4dab-8cad-f0d773a68753,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=163a6f30-e1d3-4255-8b75-85fce23bb4c4\0ADEL:f5a4ed65-8c31-4195-85d9-b897dd9ea641,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=KEFKA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:8fb823d7-3bcb-4922-a01c-10a6cce120c0,CN=OLYMPIA\0ADEL:ca5c4ee8-6d26-4e9a-8e5e-cc407a1fca2d,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=828f913e-3159-45ef-9fb7-886e571310e5\0ADEL:a918beaf-c90b-440d-9f95-260f29cc3118,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:50507d18-c8ee-4ef4-bbda-4d0d9bc31caa,CN=OLYMPIA\0ADEL:d6a87387-57cd-4f2d-8549-e3e8ec32b903,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:dc707574-f1ec-464e-890a-df531ccc93b4,CN=OLYMPIA\0ADEL:c415fa6a-9fd8-4594-ab32-458929db70b5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey - CN=OLYMPIA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=a5e3223f-dfc1-47a9-9f66-416aa153e76c\0ADEL:abb70a79-8aec-4b5e-98c5-c3d8ee367258,CN=Deleted Objects,CN=Configuration,DC=pukey - CN=NTDS Settings,CN=KEFKA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:e6cf93ea-829c-4891-9b9e-09eeb8ffaf1a,CN=Deleted Objects,DC=pukey - CN=OLYMPIA,OU=Domain Controllers,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:60118ec4-23da-4184-a958-d9c6366823a9,CN=Deleted Objects,DC=pukey - CN=OLYMPIA,OU=Domain Controllers,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:31791407-a8f7-4191-aa42-b7a93a6cdf85,CN=Deleted Objects,DC=pukey - CN=OLYMPIA,OU=Domain Controllers,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:989102b5-7c76-4f82-9aad-50fb207c500c,CN=Deleted Objects,DC=pukey - CN=KEFKA,OU=Domain Controllers,DC=pukey
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:906ca1de-438d-44c4-abc4-85b8b4a40b55,CN=Deleted Objects,DC=pukey - CN=OLYMPIA,OU=Domain Controllers,DC=pukey
Not fixing old string component
ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
    error_count += self.check_object(object.dn, requested_attrs=attrs)
  File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
    expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
(In reply to Zombie Ryushu from comment #2) Can you please come and discuss this on the samba mailing list? In your first comment, you appear to be trying to do something as a normal user that requires the root user. Your second comment could be caused by the lack of root, and the third is mostly composed of deleted objects. I recently set up Samba on leap15-3 and it works for me, though I have a slightly later Samba version (do you need to update?). So come to the samba mailing list and bring along the output of 'testparm -s'.
(In reply to Rowland Penny from comment #3) I found out that my system was not processing updates the way it should, and corrected the updates. I have isolated this to one Domain Controller of three I have. After updating the Domain Controller, however, the problem has not resolved itself. There is still some Database level corruption present. Current installed version is: samba-4.15.7+git.376.dd43aca9ab2-150300.3.32.1.x86_64
# samba-tool dbcheck
Checking 321 objects
ERROR(<class 'ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/dbcheck.py", line 170, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 255, in check_database
    error_count += self.check_object(object.dn, requested_attrs=attrs)
  File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py", line 2601, in check_object
    expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
Closing this. From a discussion on the samba mailing list, it seems this is being caused by human error.
I am re-opening this because of more information. I have issues with what seems to be an entirely non-functional Winbindd. This seems to be the source of my problem. Details below:

(02:32:42 AM) Codebase: codebase@olympia:~> wbinfo -D PUKEY
failed to call wbcDomainInfo: WBC_ERR_NOT_IMPLEMENTED
Could not get domain info
codebase@olympia:~> wbinfo -P
checking the NETLOGON for domain[-not available-] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_NOT_IMPLEMENTED
codebase@olympia:~> wbinfo --all-domains
failed to call wbcListTrusts: WBC_ERR_NOT_IMPLEMENTED
codebase@olympia:~> wbinfo --online-status
failed to call wbcListTrusts: WBC_ERR_NOT_IMPLEMENTED
Could not show online-status
codebase@olympia:~> wbinfo --own-domain
-not available-
codebase@olympia:~> wbinfo --trusted-domains
failed to call wbcListTrusts: WBC_ERR_NOT_IMPLEMENTED
Could not list trusted domains
(02:33:05 AM) Codebase: This is acting as if winbind isn't configured.
(02:33:23 AM) Codebase: (I.e. it claims not to be a part of a domain.)
(02:33:25 AM) masterz@olympia.pukey/Olympia: masterz@kefka:~> wbinfo --all-domains
BUILTIN
PUKEY-NT
(02:33:35 AM) Codebase: codebase@olympia:~> wbinfo --own-domain
-not available-
(02:33:45 AM) Codebase: codebase@olympia:~> wbinfo --all-domains
failed to call wbcListTrusts: WBC_ERR_NOT_IMPLEMENTED
(02:33:58 AM) masterz@olympia.pukey/Olympia: masterz@kefka:~> wbinfo --own-domain
PUKEY-NT
(02:34:32 AM) Codebase: That's making me wonder if winbind's components are damaged.
(02:34:45 AM) masterz@olympia.pukey/Olympia: masterz@kefka:~> wbinfo --online-status
BUILTIN : active connection
PUKEY-NT : active connection
(02:36:13 AM) Codebase: There was a time when sssd overrode winbind's libraries, instead of using the plugin mechanism that exists today. Most distros would use their alternatives mechanism (or package manager) to select between them.
(02:36:54 AM) Codebase: Could opensuse be doing something similar here?
(02:37:18 AM) Codebase: Replacing the winbind library with sssd's version?
(02:38:47 AM) Codebase: I ask because sssd's version was barebones. If that was the problem, we'd get unimplemented method errors.
(02:39:30 AM) masterz@olympia.pukey/Olympia: olympia:~ # rpm -q --verify samba-winbind-libs
olympia:~ # rpm -q --verify samba-winbind
(02:42:07 AM) Codebase: Do you have a working avahi server enabled on your network?
(02:42:38 AM) Codebase: Because this is in olympia's nsswitch.conf: hosts: files mdns_minimal [NOTFOUND=return] dns
(02:42:54 AM) Codebase: It will never query DNS for a hostname.
(02:43:04 AM) Codebase: With that config.
(02:43:16 AM) masterz@olympia.pukey/Olympia: sudo service avahi-daemon status
avahi-daemon.service - Avahi mDNS/DNS-SD Stack
   Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.service; enabled; vendor preset>
   Active: active (running) since Thu 2022-06-16 01:54:35 EDT; 48min ago
(02:43:50 AM) Codebase: I should also point out that it will not have the SRV records that samba needs for ADDC support.
(02:44:12 AM) Codebase: Which means that lookups for the DC and GC will fail.
(02:44:18 AM) masterz@olympia.pukey/Olympia: Bind DLZ provides that.
(02:44:22 AM) Codebase: Yes.
(02:44:23 AM) masterz@olympia.pukey/Olympia: check. How do I debug Winbindd's behavior?
(In reply to Zombie Ryushu from comment #7) Bugzilla is not a support mechanism.