Unable to convert first SID ... in user token to a UID

Hi all,

(especially @scheinig and @Dirk_Schnick ;))

I am unsure if I have an issue here. At least one Windows-program has issues when installed on server instead of local disk. When installed on server it always complains of not having access or not finding a file. Even though, when using explorer I find the file and I have full access (as the same user). So I did some logwatching and found this in log.smbd:

[2021/07/28 12:45:13.944540,  0, pid=18750] ../../source4
/auth/unix_token.c:97(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-963731466-2093488295-4049041747-1120) in user token to a UID.  Conversion was returned as type 0, full token:
[2021/07/28 12:45:13.944589,  0, pid=18750] ../../libcli/security/security_token.c:57(security_token_debug)
  Security token SIDs (6):
    SID[  0]: S-1-5-21-963731466-2093488295-4049041747-1120
    SID[  1]: S-1-5-21-963731466-2093488295-4049041747-515
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-32-554
   Privileges (0x          800000):
    Privilege[  0]: SeChangeNotifyPrivilege
   Rights (0x             400):
    Right[  0]: SeRemoteInteractiveLogonRight

Strange enough. So I tried (with the help of this great Community forum ;)) wbinfo:

root@praxis:/srv/praxis# wbinfo -S S-1-5-21-963731466-2093488295-4049041747-1120
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-963731466-2093488295-4049041747-1120 to uid

Hmmmm… ok, there is an error. Now I was looking for the SID with univention-ldapsearch:

root@praxis:/srv/praxis# univention-ldapsearch sambaSID=S-1-5-21-963731466-2093488295-4049041747-1120
# extended LDIF
#
# LDAPv3
# base <dc=xxx> (default) with scope subtree
# filter: sambaSID=S-1-5-21-963731466-2093488295-4049041747-1120
# requesting: ALL
#

# ANM, computers, xxx.de
dn: cn=ANM,cn=computers,dc=xxx,dc=de
univentionServerRole: windows_client
displayName: ANM
cn: ANM
krb5PrincipalName: host/ANM.xxx.de@XXX.DE
objectClass: krb5KDCEntry
objectClass: top
objectClass: univentionHost
objectClass: univentionObject
objectClass: sambaSamAccount
objectClass: person
objectClass: shadowAccount
objectClass: univentionWindows
objectClass: krb5Principal
objectClass: posixAccount
loginShell: /bin/false
univentionObjectType: computers/windows
uidNumber: 2017
krb5KDCFlags: 126
sambaAcctFlags: [W          ]
krb5MaxRenew: 604800
sn: ANM
homeDirectory: /dev/null
krb5MaxLife: 86400
uid: ANM$
gidNumber: 1005
sambaPrimaryGroupSID: S-1-5-21-963731466-2093488295-4049041747-11011
aRecord: 192.168.1.50
associatedDomain: xxx.de
univentionNetworkLink: cn=PRAXIS,cn=networks,dc=xxx,dc=de
macAddress: 54:04:a6:81:7f:74
univentionOperatingSystem: Windows 10 Pro
univentionOperatingSystemVersion: 10.0 (19042)
sambaSID: S-1-5-21-963731466-2093488295-4049041747-1120
sambaNTPassword: C7753A7CBF8785675234345987395E2C62C72
krb5Key:: MB2hGzAZoAMFGHehEgQQx3U6fL+Hhz69mHOV4sYscg==
krb5Key:: MG6hKzApoAMFGHKhIgQgSwOkpjOyjKsN3M1G/WBb0jRDhT++nhVgBttIxa+hmQKiPzA9oAMCAQOhNgQ0QUtVUFVOS1RVUlBSQVhJUy1OQi5ERWhvc3Rhbm0uYWt1cHVua3R1cnByYXhpcy1uYi5kZQ==
krb5Key:: MF6hGzAZoAMFGHGhEgQQ/uG66DkIwAnKTLS9Bh6pVaI/MD2gAwIBA6E2BDRBS1VQVU5LVFVSUFJBWElTLU5CLkRFaG9zdGFubS5ha3VwdW5rdHVycHJheGlzLW5iLmRl
krb5Key:: MFahEzARoAMCAQOhCgQImUmWSDFSiiPzA9oAMCAQOhNgQ0QUtVUFVOS1RVUlBSQVhJUy1OQi5ERWhvc3Rhbm0uYWt1cHVua3R1cnByYXhpcy1uYi5kZQ==
krb5Key:: MFahEzARoASDFSFhCgQI6M4VatV2g+iiPzA9oAMCAQOhNgQ0QUtVUFVOS1RVUlBSQVhJUy1OQi5ERWhvc3Rhbm0uYWt1cHVua3R1cnByYXhpcy1uYi5kZQ==
krb5KeyVersionNumber: 56
shadowLastChange: 18836
sambaPwdLastSet: 1627467662

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

So it appears it is the computer account for the computer ANM. Ok, fine. Yes, this can obviously not converted to a USER-ID. But why is Samba then complaining about this?
(BTW: I alread did a re-join of the Windows-PC with no change).

Any ideas?

/KNEBB

Hey Knebb,
I’m not sure if I’m the right one to answer a samba question. My first thought as I read the wbinfo error was the complete wbinfo loop described in scheinig’s help article and the net cache flush in the end.

Do you find the SID in s4search?

Hi,

thanks and greetings to Reiherwald :wink:

I was just wondering about this entry. As I was unsure what it meant. In the end I simply re-joined the PC and since then everything is fine.wbinfo does not report any errors. Shame one me, I did not do s4search, I should have known this.
[EDIT] The issue with the Windows program was “fixed” by disabling virusscan for this particular folder. :exploding_head: Did I mention I “love” Windoes?

Thanks anyways and greetings!

/KNEBB