Problem: Unable to Access File Shares on Certain UCS Replica Servers After Upgrade to 5.2(-2)

Problem

After upgrading to UCS 5.2(-2), some school replica servers experienced issues with file share listings, making file share access impossible through Windows Explorer.

Related bug report

The Samba log (log.smbd) shows the following error when attempting to list \\ucs-replica:

[2025/07/02 14:53:51.780825,  0, pid=1137277] ../../source4/auth/unix_token.c:123(security_token_to_unix_token)
  Unable to convert SID (S-1-5-21-0-0-0-497) at index 4 in user token to a GID. Conversion was returned as type 0, full token:
[2025/07/02 14:53:51.780877,  0, pid=1137277] ../../libcli/security/security_token.c:133(security_token_debug)
  Security token SIDs (10):
    SID[  0]: S-1-5-21-2258795110-56359529-1961293181-73274
    SID[  1]: S-1-5-21-2258795110-56359529-1961293181-515
    SID[  2]: S-1-5-21-2258795110-56359529-1961293181-11243
    SID[  3]: S-1-18-1
    SID[  4]: S-1-5-21-0-0-0-497
    SID[  5]: S-1-1-0
    SID[  6]: S-1-5-2
    SID[  7]: S-1-5-11
    SID[  8]: S-1-5-32-554
    SID[  9]: S-1-5-32-545

The problematic SID S-1-5-21-0-0-0-497 is the well-known CLAIMS_VALID SID (see the Microsoft reference below). It is injected into the token by claims-aware authentication rather than being a group in the domain, so there is no LDAP object to derive a GID from; the mapping has to come from idmap.ldb, and on the affected servers no such entry existed, which is exactly the "Unable to convert SID ... to a GID" line in the log. Since Samba 4.21-1 (or 4.20), every SID in a security token is strictly validated; if even one cannot be mapped, the whole token is rejected and file share access is completely blocked.

This issue was observed only on certain replica servers (5 out of 85). Other servers were unaffected because the required entry already existed in idmap.ldb.

Reference for the SID type: Microsoft Documentation


Solution

To restore file share access, the missing SID needs to be added to the Samba idmap.ldb database.

Steps:

  1. Create an LDIF file with the missing SID (the xidNumber 3000577 is the value that was free on this particular server; see the note below before reusing it):
root@ucs-replica:~# cat > 497.ldif <<'EOF'
dn: CN=S-1-5-21-0-0-0-497
cn: S-1-5-21-0-0-0-497
objectClass: sidMap
objectSid: S-1-5-21-0-0-0-497
type: ID_TYPE_BOTH
xidNumber: 3000577
distinguishedName: CN=S-1-5-21-0-0-0-497
EOF
  2. Add the LDIF entry to idmap.ldb:
root@ucs-replica:~# ldbadd -H /var/lib/samba/private/idmap.ldb 497.ldif
Added 1 records successfully
  3. Clear the Samba cache:
root@ucs-replica:~# net cache flush
  4. Restart Winbind:
root@ucs-replica:~# /etc/init.d/winbind restart

Important Note

The xidNumber in the LDIF file must be unique on each server. idmap.ldb is local to every DC and is not replicated, so a value that is free on one replica may already be taken on another. Before adding the entry:

  • Check that no existing entry in /var/lib/samba/private/idmap.ldb already uses the xidNumber; if one does, choose a different, unused value in the LDIF file.
  • Check that the SID itself is not already mapped. ldbadd refuses a duplicate DN, but a mapping added under a different DN for the same SID would still cause conflicts.
  • Keep the chosen value clear of Samba's own allocator, which records the next value it will hand out in the xidNumber attribute of the CN=CONFIG record of the same database. Taking a number at or above that counter without raising the counter leaves a later automatic allocation free to reuse it.
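The checks above, scripted as an added example (this is not code from the original post or from Univention). The functions read ldbsearch LDIF output on stdin, so the block runs here against a constructed sample and, on a replica, against the real database via the ldbsearch pipeline shown in the header comment. Assumptions, beyond the post: the ldbsearch filter used to pull both the sidMap entries and CN=CONFIG, and that CN=CONFIG's xidNumber is the allocator's next free value (the reason the script also emits an ldbmodify record that moves the counter past the number it takes).

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# idmap.ldb fix. On a replica, feed the functions the real database:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb \
#       '(|(objectClass=sidMap)(cn=CONFIG))' objectSid xidNumber | choose_xid SID
# Assumption: sidMap entries carry objectSid/xidNumber and CN=CONFIG's
# xidNumber is what Samba's allocator would hand out next.

MISSING_SID='S-1-5-21-0-0-0-497'   # CLAIMS_VALID, the SID from the log

# Constructed sample of the ldbsearch output above: no entry for MISSING_SID,
# highest mapped xid 3000576, allocator counter already at 3000577.
SAMPLE_IDMAP='# record 1
dn: CN=CONFIG
xidNumber: 3000577

# record 2
dn: CN=S-1-5-21-2258795110-56359529-1961293181-515
objectSid: S-1-5-21-2258795110-56359529-1961293181-515
xidNumber: 3000002

# record 3
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000576

# returned 3 records'

# sid_is_mapped SID: succeeds if the database already maps SID.
sid_is_mapped() {
    grep -qxF "objectSid: $1"
}

# xid_in_use XID: succeeds if a sidMap entry already uses XID
# (the CN=CONFIG counter is not a mapping and is skipped).
xid_in_use() {
    awk -v want="$1" '
        /^dn: /        { in_config = ($0 == "dn: CN=CONFIG") }
        /^xidNumber: / { if (!in_config && $2 + 0 == want + 0) found = 1 }
        END            { exit found ? 0 : 1 }'
}

# next_xid: prints a value above every mapped xidNumber and not below the
# CN=CONFIG counter, so it collides neither with existing entries nor with
# the next automatic allocation.
next_xid() {
    awk '
        /^dn: /        { in_config = ($0 == "dn: CN=CONFIG") }
        /^xidNumber: / { v = $2 + 0; if (in_config) counter = v; else if (v > max) max = v }
        END            { n = (counter > max) ? counter : max + 1; print n }'
}

# choose_xid SID: refuses (exit 1) when SID is already mapped, otherwise
# prints the xidNumber to use.
choose_xid() {
    db=$(cat)
    if printf '%s\n' "$db" | sid_is_mapped "$1"; then
        echo "refusing: $1 is already mapped in idmap.ldb" >&2
        return 1
    fi
    printf '%s\n' "$db" | next_xid
}

# sidmap_ldif SID XID: ldbadd input, same shape as the post's 497.ldif.
sidmap_ldif() {
    printf 'dn: CN=%s\ncn: %s\nobjectClass: sidMap\nobjectSid: %s\ntype: ID_TYPE_BOTH\nxidNumber: %s\ndistinguishedName: CN=%s\n' \
        "$1" "$1" "$1" "$2" "$1"
}

# config_bump_ldif XID: ldbmodify input that moves the allocator past XID.
config_bump_ldif() {
    printf 'dn: CN=CONFIG\nchangetype: modify\nreplace: xidNumber\nxidNumber: %s\n' "$(($1 + 1))"
}

# Demonstration against the constructed sample. On a replica, replace the
# printf with the ldbsearch pipeline from the header, save the first record
# for ldbadd and the second for ldbmodify, both with -H .../idmap.ldb.
if xid=$(printf '%s\n' "$SAMPLE_IDMAP" | choose_xid "$MISSING_SID"); then
    sidmap_ldif "$MISSING_SID" "$xid"
    echo
    config_bump_ldif "$xid"
fi
```

Against the sample the script picks 3000577, the same value the post used, because the counter is already there and nothing below it is free above the highest mapping; on a server where an entry already carries the counter value, next_xid steps past it instead.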
