Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend
Partha Sarathi
parthasarathi.bl at gmail.com
Thu Jul 2 18:04:56 CEST 2015
Thanks Richard for the reply.
Yes you are correct, joining domain its self will create the builtin
Administrators and Users only on the below idmap settings i.e with DOMAIN
specified.
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config CORP : backend = hash
idmap config CORP : range = 10000000-109999999
# id administrator
uid=10000500(administrator) gid=10000513(domain users)
groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
password replication group),10000519(enterprise admins),10000518(schema
admins),10000512(domain admins),10000520(group policy creator
owners),10001149(adtest-group-1),
*2000001(BUILTIN\users),2000000(BUILTIN\administrators)*
But when I give as below I don't see the it get create by default.
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config * : backend = hash
idmap config * : range = 10000000-109999999
# id administrator
uid=10000500(administrator) gid=10000513(domain users)
groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
password replication group),10000519(enterprise admins),10000518(schema
admins),10000512(domain admins),10000520(group policy creator
owners),10001149(adtest-group-1)
# net sam list builtin ====> Empty
On Thu, Jul 2, 2015 at 8:18 AM, Richard Sharpe <realrichardsharpe at gmail.com>
wrote:
> On Thu, Jul 2, 2015 at 7:56 AM, Partha Sarathi
> <parthasarathi.bl at gmail.com> wrote:
> > Hi,
> >
> > Currently we are using samba-4.1.17 as member server to AD. The below is
> > the idmap settings in smb.conf
> >
> > allow trusted domains = yes
> > idmap config * : backend = tdb
> > idmap config * : range = 2000000-2999999
> > idmap config * : backend = hash
> > idmap config * : range = 10000000-109999999
> >
> > ==================================================
> >
> > #net sam -d10 createbuiltingroup Administrators
> > Found pdb backend tdbsam
> > pdb backend tdbsam has a valid init
> > Could not find map for sid S-1-5-32-544
> > Trying to create builtin alias 544
> > lookup_sid called for SID 'S-1-5-32-544'
> > Accepting SID S-1-5-32 in level 1
> > lookup_rids called for domain sid 'S-1-5-32'
> > Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> > *pdb_create_builtin_alias: Could not get a gid out of winbind*
> > Creating Administrators failed with NT_STATUS_ACCESS_DENIED
> > return code = -1
> > Opening cache file at /var/cache/samba/gencache.tdb
> > Opening cache file at /var/run/samba/gencache_notrans.tdb
> >
> >
> > root at OneBlox0025:/opt/exablox/config# wbinfo -Y S-1-5-32-545
> > *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
> > Could not convert sid S-1-5-32-545 to gid
>
> I'm just guessing here, but normally, when you join a domain
> BUILTIN\Administrators and BUILTIN\Users are created automatically so
> that Domain Admins and Domain Users can be added to them.
>
> Did that not happen in your case? That is, why are you trying to
> manually create this group?
>
> > I used the *hash* backend method for the trusted domain support without
> > giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
> > idmap hash backend method I could see the above commands get succeeds.
> >
> > Note: I didn't had this issue in 3.6.X
> >
> > Question is: If I specify the "DOMAIN" to idmap hash bckend without
> giving
> > " * " will it support trusted domain users to get the uid and gid from
> > the range I specified ?
> >
> > --
> > Thanks & Regards
> > -Partha
>
>
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
--
Thanks & Regards
-Partha
More information about the samba-technical
mailing list