"Die Sicherheitskennung ist unzulässig" - UCS 4.1-4 errata413

ucs-4-1
samba-ad
windows

#1

Hello community,

I installed a new Windows 10 VM (Version 16.07 Build 14393.1198). When I try to join this machine
to my UCS domain, it reports the error “Sicherheitskennung unzulässig” (Event Viewer error number 1337).

As I can see in some previous posts, there was a Samba bug in the UCS 4.0 version that should already be fixed.

The Samba logs don’t contain any detailed information.

Thanks for your help in advance

  • LB

#2

Hello,

according to https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx, Error 1337 is

ERROR_INVALID_SID
1337 (0x539)
The security ID structure is invalid.

I like the English version better, because imho it’s not that obvious that the German “Sicherheitskennung” actually means the SID. :wink:

I’m not sure which SID is found to be invalid, though. Could be the domain’s SID, the SID of the Administrator account you use to join or the SID of the machine account for the Windows 10 box.

Do the Samba logs (/var/log/samba/log.samba) say something like NT_STATUS_INVALID_SID?
Did the Windows system or one with the same name exist before (and was deleted or renamed)?
Does Kerberos authentication work for the account you use to join the Windows system (kinit Administrator && klist)?
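
Post #2 names three SIDs that could be the invalid one. The following Python script is an added example, not part of the thread and not Samba or Windows code: it decodes binary SIDs (the layout used for LDAP objectSid values), rejects malformed structures, and checks that each account SID sits directly under the domain SID. The function names and all sample SIDs are constructed for illustration.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary SID (as stored in objectSid) or raise ValueError."""
    if len(raw) < 8:
        raise ValueError("shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unknown revision {revision}")
    if count > 15:
        raise ValueError(f"{count} sub-authorities, maximum is 15")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def build_sid(text: str) -> bytes:
    """Encode an S-1-... string; used here only to construct sample data."""
    rev, auth, *subs = (int(p) for p in text.split("-")[1:])
    return (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def check_sids(domain_raw: bytes, accounts: dict) -> dict:
    """Validate the domain SID, then each account SID against it."""
    try:
        domain = parse_sid(domain_raw)
    except ValueError as exc:
        return {"domain": f"invalid: {exc}"}
    report = {"domain": "ok"}
    for name, raw in accounts.items():
        try:
            sid = parse_sid(raw)
        except ValueError as exc:
            report[name] = f"invalid: {exc}"
            continue
        # An account SID is the domain SID plus exactly one trailing RID.
        in_domain = sid.rsplit("-", 1)[0] == domain
        report[name] = "ok" if in_domain else f"not in domain: {sid}"
    return report

# Constructed sample values, not taken from the thread.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = {
    "Administrator": build_sid(DOMAIN + "-500"),
    "TERMSRV$": build_sid(DOMAIN + "-1105")[:-2],        # truncated blob
    "stale": build_sid("S-1-5-21-4444-5555-6666-1105"),  # other domain
}
print(check_sids(build_sid(DOMAIN), SAMPLE))
```

The checks cover only the SID structure and domain prefix; they do not reproduce whatever validation Windows performs before returning error 1337.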


#4

Hello,

first of all thanks for your quick reply. :wink:
-) The Samba logs don’t say anything like “NT_STATUS_INVALID_SID”
-) Actually not at all - a Windows 7 VM named “terminalsrv” is our current terminal server; the new one, the Windows 10 VM I mentioned above, has the name “termsrv”
-) Yes, the Kerberos authentication works just fine


#5

Does this happen with every new client or only with this one Win 10 Client? Is it possible to remove every trace of it from the Samba4 and LDAP in the UCS, rename it and try to join it again?

Can you do an update of the win10 client to its latest version and try (after the above steps) the rejoin again?


#6

It happened only with Windows hosts.
We did a Samba reprovisioning. Now I can join Windows hosts into my UCS domain.

Thanks in advance.