Score:-1

Samba server with copied SID fails mounts with STATUS_INVALID_SID


In my Linux-based infrastructure I run MIT Kerberos and LDAP for authentication. For the very few Windows VM clients I use a Samba stand-alone file server. It has its accounts stored in LDAP as well. The infrastructure is decades old and is the remainder of an NT domain.

I now have a second site. I cloned my file server and set up a new Samba server. I followed this post or this post in the past and simply had all my stand-alone servers use the same SID, since otherwise the servers are not able to authenticate users.

So, I copied the SID for my workgroup to the new sambaDomainName entry created by my new server. Just as I did a couple of years ago for the old server.

While I can still mount the shares of my old server, trying to mount shares from the new server produces ERROR_INVALID_SID on Win10. Similarly, a CIFS mount yields

[247902.830949] CIFS: Attempting to mount //new_server/public
[247902.994871] CIFS: Status code returned 0xc0000078 STATUS_INVALID_SID
[247902.994889] CIFS: VFS: \\new_server Send error in SessSetup = -5
[247902.994925] CIFS: VFS: cifs_mount failed w/return code = -5

Any idea why the SID is invalid? I don't see any difference from the other SID, neither with net getlocalsid nor with ldapsearch or Apache Directory Studio.

I know it's a hacky solution. Moving to AD is not an option. Since I heard that NT domains may be dropped by Microsoft soon, I don't want to set up another PDC / BDC system. Actually, the copy-SID solution was a workaround during a time when Samba had a known bug with net join.

Is there another method to have multiple samba servers using the same ldapsam?
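The comparison described in the question (what `net getlocalsid` reports versus the sambaSID attribute of the sambaDomainName entry) can be scripted so that it also checks SID syntax byte for byte. The following is an added example, not code from the original post or from Samba. The command outputs it parses are constructed samples, and the server name NEW_SERVER, the domain DN and the SID values are made up. It decodes base64 values (`sambaSID::`), which LDIF writers such as ldapsearch emit when a value carries leading or trailing whitespace or non-printable bytes; a directory browser shows such a value as if it were identical to a clean one.

```python
"""Cross-check a Samba server's local SID against the sambaSID stored in
the LDAP sambaDomainName entry, and validate that both are well-formed
NT-style domain SIDs.

Added example, not code from the original post or from Samba. The command
outputs below are constructed samples that mimic `net getlocalsid` and
`ldapsearch -LLL`; server name, DN and SID values are made up.
"""
import base64
import re

# Sub-authority values are unsigned 32-bit integers; a SID carries at most 15.
SUBAUTH_MAX = 2**32 - 1
MAX_SUBAUTHS = 15

# Constructed sample of `net getlocalsid` output (assumed server name NEW_SERVER).
NET_GETLOCALSID_OUTPUT = (
    "SID for domain NEW_SERVER is: S-1-5-21-1234567890-987654321-1122334455\n"
)

# Constructed LDIF as `ldapsearch -LLL` would print it. The sambaSID value
# carries a trailing space, so the LDIF writer base64-encodes it (sambaSID::);
# in a GUI browser it looks the same as the value without the space.
_BAD_SID_BYTES = b"S-1-5-21-1234567890-987654321-1122334455 "
LDIF_OUTPUT = (
    "dn: sambaDomainName=WORKGROUP,dc=example,dc=org\n"
    "objectClass: sambaDomain\n"
    "sambaDomainName: WORKGROUP\n"
    "sambaSID:: " + base64.b64encode(_BAD_SID_BYTES).decode("ascii") + "\n"
)


def extract_local_sid(net_output):
    """Pull the SID out of `net getlocalsid` output ('SID for domain X is: S-...')."""
    m = re.search(r"\bis:\s*(\S+)", net_output)
    if not m:
        raise ValueError("no SID found in net getlocalsid output")
    return m.group(1)


def ldif_values(ldif_text, attr):
    """Return every value of `attr` found in LDIF text.

    Handles 'attr: value', base64 'attr:: value' and folded continuation
    lines (lines that start with a single space). Decoded bytes are turned
    into str with surrogateescape so that odd bytes survive for inspection.
    """
    unfolded = re.sub(r"\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        if line.startswith(attr + ":: "):
            raw = base64.b64decode(line[len(attr) + 3:].strip())
            values.append(raw.decode("utf-8", "surrogateescape"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values


def parse_sid(sid):
    """Parse 'S-1-<authority>-<subauth>...' into (authority, [subauths]).

    Raises ValueError for anything that is not a syntactically valid SID,
    including stray whitespace or non-ASCII look-alike characters.
    """
    pattern = r"S-1-\d+(-\d+){1,%d}" % MAX_SUBAUTHS
    if not re.fullmatch(pattern, sid, flags=re.ASCII):
        raise ValueError("malformed SID: %r" % sid)
    parts = sid.split("-")
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if authority > 2**48 - 1:
        raise ValueError("identifier authority out of range: %r" % sid)
    if any(s > SUBAUTH_MAX for s in subauths):
        raise ValueError("sub-authority out of 32-bit range: %r" % sid)
    return authority, subauths


def is_domain_sid(sid):
    """True for an NT-style domain/machine SID: S-1-5-21-<a>-<b>-<c>."""
    try:
        authority, subauths = parse_sid(sid)
    except ValueError:
        return False
    return authority == 5 and len(subauths) == 4 and subauths[0] == 21


def compare_sids(local_sid, ldap_sids):
    """Report whether the server SID and every LDAP sambaSID agree byte for byte.

    Each LDAP value is rendered with ascii() so invisible differences
    (trailing space, NBSP, a wrong dash character) show up in the report.
    """
    report = {"local": local_sid, "local_ok": is_domain_sid(local_sid),
              "ldap": [], "all_match": bool(ldap_sids)}
    for s in ldap_sids:
        ok = is_domain_sid(s)
        match = ok and s == local_sid
        report["ldap"].append({"value": ascii(s), "ok": ok, "matches_local": match})
        report["all_match"] = report["all_match"] and match
    return report


def check(net_output=NET_GETLOCALSID_OUTPUT, ldif_text=LDIF_OUTPUT):
    """Run the whole comparison on the two command outputs."""
    return compare_sids(extract_local_sid(net_output), ldif_values(ldif_text, "sambaSID"))


if __name__ == "__main__":
    for key, value in check().items():
        print(key, value)
```

To run it against live data, replace the constructed strings with the output of `net getlocalsid` and of `ldapsearch -LLL -b <base DN> '(objectClass=sambaDomain)' sambaSID` on each server; a value that is reported with `::` or that fails `is_domain_sid` is the first thing to look at.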

Score:2

Why is running Samba as an AD DC not an option? I ask this because this is very probably your answer. Microsoft dropped NT domains about 15 years ago. It is Samba that is working towards removing NT4-style domains, so I wouldn't recommend setting up a new one.

My infrastructure is 95% Linux. I had this venture some time ago. First shock: there is no Linux-based administration tool. I had to buy a Win7 Ultimate to maintain my system. With Kerberos, LDAP and Bind9 the services are isolated and I can do systematic troubleshooting.
@LarsHanke: _ldapmodify_ is your administration tool, but Samba comes with `samba-tool` for most common management tasks (as much as you could manage an NT-style domain from Linux, anyway).
Score:0

The issue disappeared after a reboot of the file server following a kernel panic unrelated to Samba. I can now mount all shares from Win10 or via Linux CIFS. I can even mount shares from both servers concurrently although they use the same SID!

I'm not aware that I changed anything in between. But maybe `service nmbd restart` and `service smbd restart` were not enough to make certain changes effective.

In my special environment I still think that this hack is a sensible solution. Please use AD, if you have to support Windows clients for general use, or if the Samba servers have any role in your security concept.

Thanks to Rowland for contacting me here.
