Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Rowland Penny repenny241155 at gmail.com
Thu Jul 2 18:34:12 CEST 2015


On 02/07/15 17:04, Partha Sarathi wrote:
> Thanks Richard for the reply.
>
> Yes, you are correct: joining the domain itself will create the builtin
> Administrators and Users only with the idmap settings below, i.e. with the
> DOMAIN specified.
>
>   idmap config * : backend = tdb
>   idmap config * : range = 2000000-2999999
>   idmap  config CORP : backend = hash
>   idmap config CORP :  range = 10000000-109999999
>
> # id administrator
>
> uid=10000500(administrator) gid=10000513(domain users)
> groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
> password replication group),10000519(enterprise admins),10000518(schema
> admins),10000512(domain admins),10000520(group policy creator
> owners),10001149(adtest-group-1),
> *2000001(BUILTIN\users),2000000(BUILTIN\administrators)*
>
> But when I give it as below, I don't see it get created by default.
>
>
>   idmap config * : backend = tdb
>   idmap config * : range = 2000000-2999999
>   idmap config * : backend = hash
>   idmap config * :  range = 10000000-109999999
>
> # id administrator
>
> uid=10000500(administrator) gid=10000513(domain users)
> groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
> password replication group),10000519(enterprise admins),10000518(schema
> admins),10000512(domain admins),10000520(group policy creator
> owners),10001149(adtest-group-1)
>
> # net sam list builtin  ====> Empty
>
>
>
> On Thu, Jul 2, 2015 at 8:18 AM, Richard Sharpe <realrichardsharpe at gmail.com>
> wrote:
>
>> On Thu, Jul 2, 2015 at 7:56 AM, Partha Sarathi
>> <parthasarathi.bl at gmail.com> wrote:
>>> Hi,
>>>
>>> Currently we are using samba-4.1.17 as a member server to AD. Below are
>>> the idmap settings in smb.conf
>>>
>>> allow trusted domains = yes
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000000-2999999
>>> idmap config  * : backend = hash
>>> idmap config  * : range = 10000000-109999999
>>>
>>> ==================================================
>>>
>>> #net sam -d10 createbuiltingroup Administrators
>>> Found pdb backend tdbsam
>>> pdb backend tdbsam has a valid init
>>> Could not find map for sid S-1-5-32-544
>>> Trying to create builtin alias 544
>>> lookup_sid called for SID 'S-1-5-32-544'
>>> Accepting SID S-1-5-32 in level 1
>>> lookup_rids called for domain sid 'S-1-5-32'
>>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>>> *pdb_create_builtin_alias: Could not get a gid out of winbind*
>>> Creating Administrators failed with NT_STATUS_ACCESS_DENIED
>>> return code = -1
>>> Opening cache file at /var/cache/samba/gencache.tdb
>>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>>>
>>>
>>> root at OneBlox0025:/opt/exablox/config# wbinfo  -Y S-1-5-32-545
>>> *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
>>> Could not convert sid S-1-5-32-545 to gid
>> I'm just guessing here, but normally, when you join a domain
>> BUILTIN\Administrators and BUILTIN\Users are created automatically so
>> that Domain Admins and Domain Users can be added to them.
>>
>> Did that not happen in your case? That is, why are you trying to
>> manually create this group?
>>
>>> I used the *hash* backend method for the trusted domain support without
>>> giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
>>> idmap hash backend method, I can see the above commands succeed.
>>>
>>> Note: I didn't have this issue in 3.6.X
>>>
>>> Question is: If I specify the "DOMAIN" to the idmap hash backend without
>>> giving " * ", will it support trusted domain users getting the uid and gid
>>> from the range I specified?
>>>
>>> --
>>> Thanks & Regards
>>> -Partha
>>
>>
>> --
>> Regards,
>> Richard Sharpe
>> (What can dispel sorrow? Only Du Kang wine. -- Cao Cao)
>>
>
>

Your problem is when you use this line:

idmap config CORP : range = 10000000-109999999

Winbind knows where to store the domain mappings, whilst when you use:

idmap config * : range = 2000000-2999999
idmap config * : range = 10000000-109999999

Winbind doesn't know where to store the domain mappings, and I would also
expect the first line to be ignored.

The thing is, why do you need 'Administrators' to be visible to Unix?

Rowland
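The two configurations in this thread differ only in which domain key the hash backend is attached to, and the failure is easy to reproduce by reading the idmap lines the way winbind does. The following linter is an added example, not code from the thread or from Samba: it parses the `idmap config DOMAIN : parameter = value` lines of an smb.conf, reports keys that are set more than once for the same domain (Samba keeps the last definition, so the earlier `tdb` range is silently lost), shows which idmap entry a BUILTIN SID falls through to (an explicit entry if one exists, otherwise `*`), and flags the hash backend on `*`, which is the configuration the thread shows failing with `WBC_ERR_DOMAIN_NOT_FOUND`. The two embedded configs are constructed from the ones posted above; the overlap check on ranges is a general sanity check that the thread does not discuss.

```python
"""Lint the winbind idmap section of an smb.conf.

Added example (not from the mailing-list thread or from Samba).  Assumptions
made here: Samba keeps the *last* definition of a repeated parametric option
such as 'idmap config * : backend', and any SID whose domain has no explicit
'idmap config DOMAIN' entry (BUILTIN included) is handled by the '*' entry.
"""
import re
from collections import OrderedDict

# One idmap line: "idmap config <domain> : <parameter> = <value>"
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I
)

# Constructed from the thread: the config that fails to map BUILTIN SIDs.
BROKEN_CONF = """
[global]
   security = ADS
   workgroup = CORP
   allow trusted domains = yes
   idmap config * : backend = tdb
   idmap config * : range = 2000000-2999999
   idmap config * : backend = hash
   idmap config * : range = 10000000-109999999
"""

# Constructed from the thread: the config under which the domain join
# created BUILTIN\\Administrators and BUILTIN\\Users.
WORKING_CONF = """
[global]
   security = ADS
   workgroup = CORP
   allow trusted domains = yes
   idmap config * : backend = tdb
   idmap config * : range = 2000000-2999999
   idmap config CORP : backend = hash
   idmap config CORP : range = 10000000-109999999
"""


def parse_idmap(conf):
    """Return ({domain: {param: value}}, [(domain, param) set more than once]).

    Later definitions overwrite earlier ones, mirroring Samba's behaviour.
    """
    domains = OrderedDict()
    duplicates = []
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, param, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if param in entry:
            duplicates.append((dom, param))
        entry[param] = value
    return domains, duplicates


def idmap_domain_for(domains, sid_domain):
    """Name of the idmap entry winbind consults for SIDs of sid_domain
    (e.g. 'BUILTIN' for S-1-5-32-544): explicit entry if present, else '*'."""
    sid_domain = sid_domain.upper()
    return sid_domain if sid_domain in domains else "*"


def parse_range(value):
    lo, hi = value.split("-")
    return int(lo), int(hi)


def lint(conf):
    """Return a list of human-readable findings; empty means the idmap
    section looks sane under the assumptions stated in the module docstring."""
    domains, duplicates = parse_idmap(conf)
    findings = []
    for dom, param in duplicates:
        findings.append(
            f"'{dom}': '{param}' defined more than once; last value "
            f"'{domains[dom][param]}' wins, earlier ones are discarded"
        )
    if "*" not in domains:
        findings.append("no 'idmap config *' entry: BUILTIN and unlisted "
                        "domains have nowhere to get ids from")
    elif domains["*"].get("backend", "").lower() == "hash":
        findings.append(
            "'*' uses the hash backend: BUILTIN SIDs such as S-1-5-32-544 "
            "fall through to '*' and, as in the thread, get no gid "
            "(wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND)"
        )
    # Ranges of different idmap entries must not overlap.
    ranges = [(d, parse_range(c["range"])) for d, c in domains.items()
              if "range" in c]
    for i, (d1, (a1, b1)) in enumerate(ranges):
        for d2, (a2, b2) in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                findings.append(f"ranges of '{d1}' and '{d2}' overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(f"== {name} ==")
        for f in lint(conf) or ["no findings"]:
            print(" -", f)
```

Run against the broken config it reports both `*` keys as redefined and the hash backend left on `*`; against the working config it reports nothing, and `idmap_domain_for` shows CORP SIDs going to the `CORP` entry while BUILTIN SIDs still resolve through `*`, which is why the tdb default on `*` has to stay.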



