Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Richard Sharpe realrichardsharpe at gmail.com
Thu Jul 2 19:18:33 CEST 2015


On Thu, Jul 2, 2015 at 9:34 AM, Rowland Penny <repenny241155 at gmail.com> wrote:
> On 02/07/15 17:04, Partha Sarathi wrote:
>>
>> Thanks Richard for the reply.
>>
>> Yes you are correct, joining the domain itself will create the builtin
>> Administrators and Users only with the below idmap settings, i.e. with DOMAIN
>> specified.
>>
>>   idmap config * : backend = tdb
>>   idmap config * : range = 2000000-2999999
>>   idmap  config CORP : backend = hash
>>   idmap config CORP :  range = 10000000-109999999
>>
>> # id administrator
>>
>> uid=10000500(administrator) gid=10000513(domain users)
>> groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
>> password replication group),10000519(enterprise admins),10000518(schema
>> admins),10000512(domain admins),10000520(group policy creator
>> owners),10001149(adtest-group-1),
>> *2000001(BUILTIN\users),2000000(BUILTIN\administrators)*
>>
>>
>> But when I give it as below I don't see it get created by default.
>>
>>
>>   idmap config * : backend = tdb
>>   idmap config * : range = 2000000-2999999
>>   idmap config * : backend = hash
>>   idmap config * :  range = 10000000-109999999
>>
>> # id administrator
>>
>> uid=10000500(administrator) gid=10000513(domain users)
>> groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
>> password replication group),10000519(enterprise admins),10000518(schema
>> admins),10000512(domain admins),10000520(group policy creator
>> owners),10001149(adtest-group-1)
>>
>> # net sam list builtin  ====> Empty
>>
>>
>>
>> On Thu, Jul 2, 2015 at 8:18 AM, Richard Sharpe
>> <realrichardsharpe at gmail.com>
>> wrote:
>>
>>> On Thu, Jul 2, 2015 at 7:56 AM, Partha Sarathi
>>> <parthasarathi.bl at gmail.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Currently we are using samba-4.1.17 as member server to AD. The below is
>>>> the idmap settings in smb.conf
>>>>
>>>> allow trusted domains = yes
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000000-2999999
>>>> idmap config  * : backend = hash
>>>> idmap config  * : range = 10000000-109999999
>>>>
>>>> ==================================================
>>>>
>>>> #net sam -d10 createbuiltingroup Administrators
>>>> Found pdb backend tdbsam
>>>> pdb backend tdbsam has a valid init
>>>> Could not find map for sid S-1-5-32-544
>>>> Trying to create builtin alias 544
>>>> lookup_sid called for SID 'S-1-5-32-544'
>>>> Accepting SID S-1-5-32 in level 1
>>>> lookup_rids called for domain sid 'S-1-5-32'
>>>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>>>> *pdb_create_builtin_alias: Could not get a gid out of winbind*
>>>> Creating Administrators failed with NT_STATUS_ACCESS_DENIED
>>>> return code = -1
>>>> Opening cache file at /var/cache/samba/gencache.tdb
>>>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>>>>
>>>>
>>>> root at OneBlox0025:/opt/exablox/config# wbinfo  -Y S-1-5-32-545
>>>> *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
>>>> Could not convert sid S-1-5-32-545 to gid
>>>
>>> I'm just guessing here, but normally, when you join a domain
>>> BUILTIN\Administrators and BUILTIN\Users are created automatically so
>>> that Domain Admins and Domain Users can be added to them.
>>>
>>> Did that not happen in your case? That is, why are you trying to
>>> manually create this group?
>>>
>>>> I used the *hash* backend method for the trusted domain support without
>>>> giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
>>>> idmap hash backend method I can see the above commands succeed.
>>>>
>>>> Note: I didn't have this issue in 3.6.X
>>>>
>>>> Question is: If I specify the "DOMAIN" to idmap hash backend without
>>>> giving " * " will it support trusted domain users to get the uid and gid from
>>>> the range I specified ?
>>>>
>>>> --
>>>> Thanks & Regards
>>>> -Partha
>
> Your problem is when you use this line:
>
> idmap config CORP : range = 10000000-109999999
>
> Winbind knows where to store the domain mappings, whilst when you use:
>
> idmap config * : range = 2000000-2999999
> idmap config * : range = 10000000-109999999
>
> Winbind doesn't know where to store the domain mappings and I would also
> expect the first line will be ignored.

I am not sure that I believe that explanation. I went and checked the
in-development project I am on, and we have this in our smb.conf
around idmapping:

    idmap config * : backend = hash
    idmap config * : range = 10000-40000000

And we are also not getting those groups created. This is a problem,
so I will have to investigate some more.

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
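The duplicated `idmap config *` lines that Rowland points at can be caught before winbind is restarted. The lint below is an added example, not code from this thread or from Samba; it assumes only that each option sits on an `idmap config <DOMAIN> : <option> = <value>` line and that two definitions of the same option for one domain cannot both take effect.

```python
"""Lint the 'idmap config' lines of an smb.conf for the mistake in this thread:
one domain key ('*') defined twice, plus ranges of different domains that overlap."""
import re
from collections import defaultdict

# 'idmap config <DOMAIN> : <option> = <value>', whitespace as loose as in the thread.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """DOMAIN -> option -> every value given for it, in file order."""
    cfg = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg[dom.upper()][key.lower()].append(val)
    return cfg

def check_idmap(text):
    """Return problem descriptions; an empty list means nothing was found."""
    problems, ranges = [], {}
    for dom, opts in sorted(parse_idmap(text).items()):
        for key, vals in sorted(opts.items()):
            if len(vals) > 1:  # same option twice for one domain: definitions collide
                problems.append(f"{dom}: '{key}' defined {len(vals)} times ({', '.join(vals)})")
        if "range" in opts:  # compare the last range given for the domain
            lo, hi = (int(x) for x in opts["range"][-1].split("-"))
            ranges[dom] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"range of {a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi})")
    return problems

# Constructed samples mirroring the two configs pasted in the thread.
BROKEN = """allow trusted domains = yes
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config * : backend = hash
idmap config * : range = 10000000-109999999
"""
WORKING = """idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap  config CORP : backend = hash
idmap config CORP :  range = 10000000-109999999
"""
```

Running `check_idmap(BROKEN)` reports both the `backend` and the `range` of `*` as defined twice, while `check_idmap(WORKING)` returns an empty list.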

