Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Partha Sarathi parthasarathi.bl at gmail.com
Thu Jul 2 16:56:16 CEST 2015


Hi,

Currently we are using samba-4.1.17 as a member server to AD. Below are
the idmap settings in smb.conf:

allow trusted domains = yes
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config  * : backend = hash
idmap config  * : range = 10000000-109999999

==================================================

#net sam -d10 createbuiltingroup Administrators
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
lookup_sid called for SID 'S-1-5-32-544'
Accepting SID S-1-5-32 in level 1
lookup_rids called for domain sid 'S-1-5-32'
Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
*pdb_create_builtin_alias: Could not get a gid out of winbind*
Creating Administrators failed with NT_STATUS_ACCESS_DENIED
return code = -1
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb


root at OneBlox0025:/opt/exablox/config# wbinfo  -Y S-1-5-32-545
*failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
Could not convert sid S-1-5-32-545 to gid

I used the *hash* backend method for the trusted domain support without
giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
idmap hash backend method, I could see the above commands succeed.

Note: I didn't have this issue in 3.6.X

Question is: If I specify the "DOMAIN" to the idmap hash backend without giving
" * ", will it support trusted domain users to get the uid and gid from
the range I specified?

-- 
Thanks & Regards
-Partha

