Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Partha Sarathi parthasarathi.bl at gmail.com
Thu Jul 2 18:04:56 CEST 2015


Thanks, Richard, for the reply.

Yes, you are correct: joining the domain itself will create the builtin
Administrators and Users, but only with the idmap settings below, i.e. with a
DOMAIN specified.

 idmap config * : backend = tdb
 idmap config * : range = 2000000-2999999
 idmap config CORP : backend = hash
 idmap config CORP : range = 10000000-109999999

# id administrator

uid=10000500(administrator) gid=10000513(domain users)
groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
password replication group),10000519(enterprise admins),10000518(schema
admins),10000512(domain admins),10000520(group policy creator
owners),10001149(adtest-group-1),
*2000001(BUILTIN\users),2000000(BUILTIN\administrators)*

But when I configure it as below, I don't see it get created by default.


 idmap config * : backend = tdb
 idmap config * : range = 2000000-2999999
 idmap config * : backend = hash
 idmap config * : range = 10000000-109999999

# id administrator

uid=10000500(administrator) gid=10000513(domain users)
groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
password replication group),10000519(enterprise admins),10000518(schema
admins),10000512(domain admins),10000520(group policy creator
owners),10001149(adtest-group-1)

# net sam list builtin  ====> Empty



On Thu, Jul 2, 2015 at 8:18 AM, Richard Sharpe <realrichardsharpe at gmail.com>
wrote:

> On Thu, Jul 2, 2015 at 7:56 AM, Partha Sarathi
> <parthasarathi.bl at gmail.com> wrote:
> > Hi,
> >
> > Currently we are using samba-4.1.17 as a member server to AD. Below are
> > the idmap settings in smb.conf
> >
> > allow trusted domains = yes
> > idmap config * : backend = tdb
> > idmap config * : range = 2000000-2999999
> > idmap config * : backend = hash
> > idmap config * : range = 10000000-109999999
> >
> > ==================================================
> >
> > #net sam -d10 createbuiltingroup Administrators
> > Found pdb backend tdbsam
> > pdb backend tdbsam has a valid init
> > Could not find map for sid S-1-5-32-544
> > Trying to create builtin alias 544
> > lookup_sid called for SID 'S-1-5-32-544'
> > Accepting SID S-1-5-32 in level 1
> > lookup_rids called for domain sid 'S-1-5-32'
> > Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> > *pdb_create_builtin_alias: Could not get a gid out of winbind*
> > Creating Administrators failed with NT_STATUS_ACCESS_DENIED
> > return code = -1
> > Opening cache file at /var/cache/samba/gencache.tdb
> > Opening cache file at /var/run/samba/gencache_notrans.tdb
> >
> >
> > root at OneBlox0025:/opt/exablox/config# wbinfo  -Y S-1-5-32-545
> > *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
> > Could not convert sid S-1-5-32-545 to gid
>
> I'm just guessing here, but normally, when you join a domain
> BUILTIN\Administrators and BUILTIN\Users are created automatically so
> that Domain Admins and Domain Users can be added to them.
>
> Did that not happen in your case? That is, why are you trying to
> manually create this group?
>
> > I used the *hash* backend method for the trusted domain support without
> > giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
> > idmap hash backend method, I can see the above commands succeed.
> >
> > Note: I didn't have this issue in 3.6.X
> >
> > Question is: If I specify the "DOMAIN" to the idmap hash backend without
> > giving " * ", will it support trusted domain users getting their uid and
> > gid from the range I specified?
> >
> > --
> > Thanks & Regards
> > -Partha
>
>
>
> --
> Regards,
> Richard Sharpe
> (What can dispel sorrow? Only Du Kang. -- Cao Cao)
>



-- 
Thanks & Regards
-Partha
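The failing configuration in this thread declares `idmap config *` twice (once with `backend = tdb`, once with `backend = hash`), so the second declaration silently overrides the first and the `*` default domain, which the BUILTIN SIDs S-1-5-32-* fall back to, ends up on the hash backend. The script below is an added example (not Samba's code and not from either poster) that audits the `idmap config` lines of an smb.conf for exactly that class of mistake: a domain declared twice, a backend without a usable range (or vice versa), a missing `*` default, and overlapping ranges between domains. The two sample configs are constructed copies of the ones posted above.

```python
"""Audit the 'idmap config' stanzas of an smb.conf for the mistakes seen in
this thread: the same domain ('*') declared twice so the later backend and
range silently override the earlier ones, plus missing or overlapping ID
ranges. Constructed example; not Samba's own code."""
import re

# Matches 'idmap config <DOMAIN> : <option> = <value>' (case-insensitive and
# tolerant of the stray spaces seen in the posted configs).
IDMAP_RE = re.compile(
    r'^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$', re.IGNORECASE)

# Constructed copy of the broken config from the thread ('*' declared twice).
BROKEN_SMB_CONF = """\
[global]
   security = ads
   allow trusted domains = yes
   idmap config * : backend = tdb
   idmap config * : range = 2000000-2999999
   idmap config * : backend = hash
   idmap config * : range = 10000000-109999999
"""

# Constructed copy of the working config ('*' on tdb, CORP on hash).
FIXED_SMB_CONF = """\
[global]
   security = ads
   allow trusted domains = yes
   idmap config * : backend = tdb
   idmap config * : range = 2000000-2999999
   idmap config CORP : backend = hash
   idmap config CORP : range = 10000000-109999999
"""


def parse_idmap(conf_text):
    """Yield (DOMAIN, option, value, line_no) for every idmap config line."""
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = IDMAP_RE.match(line)
        if m:
            yield m.group(1).upper(), m.group(2).lower(), m.group(3), line_no


def parse_range(value):
    """'10000000-109999999' -> (10000000, 109999999); ValueError if malformed."""
    lo, hi = (int(part) for part in value.replace(' ', '').split('-'))
    if lo >= hi:
        raise ValueError('low end must be below high end')
    return lo, hi


def audit_idmap(conf_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    effective = {}  # (DOMAIN, option) -> (value, line_no); the last one wins
    for dom, opt, val, n in parse_idmap(conf_text):
        key = (dom, opt)
        if key in effective:
            prev_val, prev_line = effective[key]
            findings.append(
                f"line {n}: 'idmap config {dom} : {opt}' was already set to "
                f"'{prev_val}' on line {prev_line}; '{val}' now overrides it")
        effective[key] = (val, n)

    ranges = {}
    for (dom, opt), (val, n) in effective.items():
        if opt != 'range':
            continue
        try:
            ranges[dom] = parse_range(val)
        except ValueError as exc:
            findings.append(f"line {n}: unusable range '{val}' for {dom}: {exc}")

    # A backend without a range (or a range without a backend) maps nothing.
    with_backend = {d for (d, o) in effective if o == 'backend'}
    for dom in sorted(with_backend - set(ranges)):
        findings.append(f"domain {dom}: backend set but no valid range")
    for dom in sorted(set(ranges) - with_backend):
        findings.append(f"domain {dom}: range set but no backend")

    # BUILTIN SIDs (S-1-5-32-*) and domains not listed explicitly are mapped
    # through the '*' default domain, so it has to be present.
    if '*' not in with_backend:
        findings.append("no 'idmap config * : backend'; default domain unmapped")

    # Overlapping ranges let two different SIDs receive the same uid/gid.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a} and {b} overlap "
                                f"({alo}-{ahi} vs {blo}-{bhi})")
    return findings


if __name__ == '__main__':
    for name, conf in (('posted (broken)', BROKEN_SMB_CONF),
                       ('fixed', FIXED_SMB_CONF)):
        print(f'== {name} ==')
        for finding in audit_idmap(conf) or ['no findings']:
            print(' ', finding)
```

Run it on a real smb.conf by passing `open('/etc/samba/smb.conf').read()` to `audit_idmap`; on the posted config it reports both overriding lines, while the version with `CORP` on the hash backend and `*` left on tdb comes back clean.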

