I have a strange problem on a UCS 4.4.6 with Samba UID mapping.
Some words about the environment. I have installed a UCS (backup) and joined it to an existing master. Then I installed the Active Directory domain controller, which is not installed on the master. Installation and join completed successfully.
If I try to join a Windows client I get a strange error message. The log.smbd file gives the first hint.
[2020/12/16 01:24:58.628043, 0, pid=6421] ../../source4/auth/unix_token.c:125(security_token_to_unix_token)
Unable to convert SID (S-1-5-21-1822457908-763037988-2153106441-1293) at index 9 in user token to a GID. Conversion was returned as type 1, full token:
[2020/12/16 01:24:58.628115, 0, pid=6421] ../../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (19):
SID[ 0]: S-1-5-21-1822457908-763037988-2153106441-500
SID[ 1]: S-1-5-21-1822457908-763037988-2153106441-512
SID[ 2]: S-1-5-21-1822457908-763037988-2153106441-572
SID[ 3]: S-1-5-21-1822457908-763037988-2153106441-518
SID[ 4]: S-1-5-21-1822457908-763037988-2153106441-519
SID[ 5]: S-1-5-21-1822457908-763037988-2153106441-520
SID[ 6]: S-1-5-21-1822457908-763037988-2153106441-513
SID[ 7]: S-1-5-21-1822457908-763037988-2153106441-515
SID[ 8]: S-1-5-21-1822457908-763037988-2153106441-516
SID[ 9]: S-1-5-21-1822457908-763037988-2153106441-1293
SID[ 10]: S-1-5-21-1822457908-763037988-2153106441-1269
SID[ 11]: S-1-5-21-1822457908-763037988-2153106441-1122
SID[ 12]: S-1-1-0
SID[ 13]: S-1-5-2
SID[ 14]: S-1-5-11
SID[ 15]: S-1-5-32-544
SID[ 16]: S-1-5-32-560
SID[ 17]: S-1-5-32-545
SID[ 18]: S-1-5-32-554
Privileges (0x 1FFFFF00):
Privilege[ 0]: SeTakeOwnershipPrivilege
Privilege[ 1]: SeBackupPrivilege
Privilege[ 2]: SeRestorePrivilege
Privilege[ 3]: SeRemoteShutdownPrivilege
Privilege[ 4]: SeSecurityPrivilege
Privilege[ 5]: SeSystemtimePrivilege
Privilege[ 6]: SeShutdownPrivilege
Privilege[ 7]: SeDebugPrivilege
Privilege[ 8]: SeSystemEnvironmentPrivilege
Privilege[ 9]: SeSystemProfilePrivilege
Privilege[ 10]: SeProfileSingleProcessPrivilege
Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Privilege[ 12]: SeLoadDriverPrivilege
Privilege[ 13]: SeCreatePagefilePrivilege
Privilege[ 14]: SeIncreaseQuotaPrivilege
Privilege[ 15]: SeChangeNotifyPrivilege
Privilege[ 16]: SeUndockPrivilege
Privilege[ 17]: SeManageVolumePrivilege
Privilege[ 18]: SeImpersonatePrivilege
Privilege[ 19]: SeCreateGlobalPrivilege
Privilege[ 20]: SeEnableDelegationPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
Right[ 1]: SeNetworkLogonRight
Right[ 2]: SeRemoteInteractiveLogonRight
According to this topic I figured out that the Samba SID mapping seems to be corrupt. The sambaSID is associated with a user, but univention-s4search returns another object.
root@ucs-backup:~# wbinfo --uid-to-sid 2190
S-1-5-21-1822457908-763037988-2153106441-1293
root@ucs-backup:~# wbinfo --sid-to-uid S-1-5-21-1822457908-763037988-2153106441-1293
2190
root@ucs-backup:~# univention-ldapsearch -LLLo ldif-wrap=no uidnumber=2190 sambaSID | awk '/^sambaSID:/ { print $2 }'
S-1-5-21-1822457908-763037988-2153106441-1293
root@ucs-backup:~# univention-s4search objectSid=S-1-5-21-1822457908-763037988-2153106441-1293 dn
# record 1
dn: CN=DC Backup Hosts,CN=Groups,DC=phaenovum,DC=org
...
# returned 4 records
# 1 entries
# 3 referrals
root@ucs-backup:~# ldbsearch -H /var/lib/samba/private/idmap.ldb '(&(xidnumber=2190)(type=ID_TYPE_UID))'
# record 1
dn: CN=S-1-5-21-1822457908-763037988-2153106441-1293
cn: S-1-5-21-1822457908-763037988-2153106441-1293
objectClass: sidMap
objectSid: S-1-5-21-1822457908-763037988-2153106441-1293
type: ID_TYPE_UID
xidNumber: 2190
distinguishedName: CN=S-1-5-21-1822457908-763037988-2153106441-1293
# returned 1 records
# 1 entries
# 0 referrals
root@ucs-backup:~# univention-ldapsearch -LLLo ldif-wrap=no uidnumber=2190
dn: uid=jan.XXXX,cn=users,dc=phaenovum,dc=org
...
The join.log file also contains several errors but the join script hasn’t failed.
../../source3/passdb/pdb_samba_dsdb.c:1409Group S-1-5-21-1822457908-763037988-2153106441-1293, of which CN=Administrator,CN=Users,DC=phaenovum,DC=org is a member, could not be converted to a GID
enum_group_memberships failed for S-1-5-21-1822457908-763037988-2153106441-500: NT_STATUS_NO_SUCH_GROUP
Fall back to unix uid lookup
I have also used the univention-s4connector-list-rejected command. It reported several rejected entries, but removing them didn’t help. After reinstalling the AD domain controller the tool reports an error:
root@ucs-backup:~# univention-s4connector-list-rejected
Traceback (most recent call last):
File "/usr/sbin/univention-s4connector-list-rejected", line 162, in <module>
main()
File "/usr/sbin/univention-s4connector-list-rejected", line 114, in main
mapping.s4_mapping,
AttributeError: 'module' object has no attribute 's4_mapping'
Any suggestions? Can I re-create the whole sambaSID mapping?
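A check for the kind of inconsistency shown above, as an added example that is not part of the original post or of Univention's tooling: it parses the unwrapped LDIF output of ldbsearch on idmap.ldb and of univention-s4search, and flags idmap entries whose ID type (ID_TYPE_UID or ID_TYPE_GID) contradicts the object class of the object that owns the SID, which is what makes the "Unable to convert SID ... to a GID" message appear in log.smbd. The LDIF strings are constructed sample data modelled on the output in the post; the user "alice" and uidNumber 2001 are made up.

```python
"""Added example: cross-check idmap.ldb against the Samba 4 directory (constructed LDIF)."""
def parse_ldif(text):
    """Unwrapped LDIF -> list of {attr: [values]}; base64 values ('::') are not handled."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # blank or comment line ends a record
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    return records + ([cur] if cur else [])

def check_idmap(idmap_ldif, s4_ldif):
    """Return (sid, reason) for each idmap entry that contradicts the directory."""
    owners = {r["objectSid"][0]: r for r in parse_ldif(s4_ldif) if "objectSid" in r}
    findings = []
    for e in parse_ldif(idmap_ldif):
        sid, typ, xid = e["objectSid"][0], e["type"][0], e["xidNumber"][0]
        owner = owners.get(sid)
        if owner is None:
            findings.append((sid, "no object with this SID in the Samba 4 directory"))
            continue
        classes = {c.lower() for c in owner.get("objectClass", [])}
        # A UID mapping must resolve to a user and a GID mapping to a group.
        if typ == "ID_TYPE_UID" and "group" in classes:
            findings.append((sid, f"mapped to UID {xid} but owned by group {owner['dn'][0]}"))
        elif typ == "ID_TYPE_GID" and "user" in classes:
            findings.append((sid, f"mapped to GID {xid} but owned by user {owner['dn'][0]}"))
    return findings

IDMAP_LDIF = """dn: CN=S-1-5-21-1822457908-763037988-2153106441-1293
objectSid: S-1-5-21-1822457908-763037988-2153106441-1293
type: ID_TYPE_UID
xidNumber: 2190

dn: CN=S-1-5-21-1822457908-763037988-2153106441-1122
objectSid: S-1-5-21-1822457908-763037988-2153106441-1122
type: ID_TYPE_UID
xidNumber: 2001
"""
S4_LDIF = """dn: CN=DC Backup Hosts,CN=Groups,DC=phaenovum,DC=org
objectClass: group
objectSid: S-1-5-21-1822457908-763037988-2153106441-1293

dn: CN=alice,CN=Users,DC=phaenovum,DC=org
objectClass: user
objectSid: S-1-5-21-1822457908-763037988-2153106441-1122
"""
```

Run check_idmap on the real output of the two commands; an empty result means every idmap entry resolves to an object of the matching kind.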