Bug 1388589 - SPNEGO login failed: Indicates the SID structure is not valid. - with 4.2.10 but 3.6.23-36.el6_8 is OK
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.2
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
Assignee: Andreas Schneider
QA Contact: qe-baseos-daemons
Reported: 2016-10-25 17:43 UTC by lejeczek
Modified: 2016-11-07 10:08 UTC (History)
Last Closed: 2016-11-07 10:08:19 UTC

Description lejeczek 2016-10-25 17:43:12 UTC
Description of problem:

I have in userdb LDAP backend(multi-master replicas) this one user (and many others):
(raw ldap):

# user243, People, xxzz.tech
dn: uid=user243,ou=People,dc=xxzz,dc=tech
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: user243
homeDirectory: /home/user243
loginShell: /bin/bash
sambaLogonTime: 0
sambaLogoffTime: 2147483647
gecos: Some User
sambaPwdCanChange: 2147483647
mail: user243
sn: User
cn: Some User
givenName: Some
displayName: Some User
gidNumber: 513
uidNumber: 1177
sambaSID: S-1-5-21-2925918746-2661067204-1764633667-2002
sambaLMPassword: ED84DDFFD9A97C2ECA922D8A7EE0CA0B
sambaAcctFlags: [U]
sambaNTPassword: 079073B583031A7AAE5D5C2D049FC05A
userPassword:: e1NTSEF9TEl6QXB1TEpkNDZ6N1hxWFFiNFhTWUtxbXZKcmMwOTU=
shadowLastChange: 17038
shadowWarning: 4
shadowExpire: 17449
shadowMax: 99999
sambaKickoffTime: 1507597200
sambaPwdLastSet: 1476091342
sambaPwdMustChange: 2147483647
shadowMin: 99999

Version-Release number of selected component (if applicable):

server (4.2.10, which is BDC) fails, smbclient locally:

SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

pdbedit -v ...

Primary group S-1-5-21-2925918746-2661067204-1764633667-513 for user user243 is a UNKNOWN and not a domain group
Forcing Primary Group to 'Domain Users' for user243

..but remaining info gets shown.

Another server (3.6.23-36.el6_8) which is PDC (it's not AD setup) has no problems whatsoever.

Before you ask for logs, when I do smbclient or pdbedit on failing (4.2.) server then nothing gets logged, even with level 10 of debugging.
Only journald logs:

 0, pid=37787, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:494(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INVALID_SID'

faulty samba:
$ net getdomainsid
SID for local machine RIDER is: S-1-5-21-2925918746-2661067204-3920627605
SID for domain XXZZ_TEC is: S-1-5-21-2925918746-2661067204-1764633667

good samba
$ net getdomainsid
SID for local machine TUNA is: S-1-5-21-2925918746-2661067204-4277062323
SID for domain XXZZ_TEC is: S-1-5-21-2925918746-2661067204-1764633667


How reproducible:

not really sure, have a ldap backend to 3.x version and see that 4.2.x won't work?


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 lejeczek 2016-11-01 16:19:26 UTC
The server that fails (4.2.10, which is BDC) has - domain logons = no - I've tried the samba mailing list hoping to grasp the complete meaning of this param, but without any response there.

If this is a misconfiguration then the trouble is that it is not described anywhere. If I change the above to "yes" then the problem does not occur.

I don't know whether it's a bug, some compatibility issues between versions or...

Comment 3 Andreas Schneider 2016-11-07 10:08:19 UTC
From the smb.conf manpage:

domain logons (G)

    If set to yes, the Samba server will provide the netlogon service for Windows
    9X network logons for the workgroup it is in. This will also cause the Samba 
    server to act as a domain controller for NT4 style domain services.


If you disable 'domain logons' then users will not be able to authenticate with this NT4 DC. If you want users to be able to authenticate, you need to enable it.
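
A check for the misconfiguration resolved in this bug, as an added example that is not part of the original report or of Samba: it reads `domain logons` from the `[global]` section of an smb.conf and confirms that the reported sambaSID sits under the domain SID both servers print. The smb.conf text, the LDAP URL and the function names are constructed for illustration; the SIDs and workgroup name are the ones quoted in the report.

```python
import configparser

TRUE_VALUES = {"yes", "true", "on", "1"}  # spellings Samba accepts for a true boolean

# Constructed smb.conf for the failing server; only the workgroup name and the
# LDAP user database are taken from the report, the rest is assumed.
FAILING_CONF = """
[global]
    workgroup = XXZZ_TEC
    passdb backend = ldapsam:ldap://ldap.example.invalid
    domain logons = no
"""
USER_SID = "S-1-5-21-2925918746-2661067204-1764633667-2002"  # sambaSID from the report
DOMAIN_SID = "S-1-5-21-2925918746-2661067204-1764633667"     # net getdomainsid output

def domain_logons_enabled(smb_conf_text):
    """Return True if [global] sets 'domain logons' to a true value (default: no)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    # Samba ignores case and whitespace in parameter names.
    cp.optionxform = lambda key: "".join(key.split()).lower()
    # Drop indentation so configparser does not read it as a continuation line.
    cp.read_string("\n".join(line.strip() for line in smb_conf_text.splitlines()))
    for section in cp.sections():
        if section.lower() == "global":
            value = cp[section].get("domainlogons") or "no"
            return value.strip().lower() in TRUE_VALUES
    return False

def split_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def check_nt4_dc(smb_conf_text, account_sid, domain_sid):
    """Collect reasons this server would not authenticate the account as an NT4 DC."""
    findings = []
    if not domain_logons_enabled(smb_conf_text):
        findings.append("domain logons = no: users cannot authenticate with this NT4 DC")
    if split_sid(account_sid)[0] != domain_sid:
        findings.append("account SID is not under the domain SID")
    return findings

if __name__ == "__main__":
    for finding in check_nt4_dc(FAILING_CONF, USER_SID, DOMAIN_SID):
        print(finding)
```

On the constructed input the only finding is the `domain logons` setting; the account SID itself is well-formed and belongs to the domain.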

