Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Richard Sharpe realrichardsharpe at gmail.com
Thu Jul 2 19:42:31 CEST 2015


On Thu, Jul 2, 2015 at 10:18 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Thu, Jul 2, 2015 at 9:34 AM, Rowland Penny <repenny241155 at gmail.com> wrote:
>> On 02/07/15 17:04, Partha Sarathi wrote:
>>>
>>> Thanks Richard for the reply.
>>>
>>> Yes, you are correct, joining the domain itself will create the builtin
>>> Administrators and Users only with the below idmap settings, i.e. with DOMAIN
>>> specified.
>>>
>>>   idmap config * : backend = tdb
>>>   idmap config * : range = 2000000-2999999
>>>   idmap config CORP : backend = hash
>>>   idmap config CORP : range = 10000000-109999999
>>>
>>> # id administrator
>>>
>>> uid=10000500(administrator) gid=10000513(domain users)
>>> groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
>>> password replication group),10000519(enterprise admins),10000518(schema
>>> admins),10000512(domain admins),10000520(group policy creator
>>> owners),10001149(adtest-group-1),
>>> *2000001(BUILTIN\users),2000000(BUILTIN\administrators)*
>>>
>>>
>>> But when I give it as below I don't see it get created by default.
>>>
>>>
>>>   idmap config * : backend = tdb
>>>   idmap config * : range = 2000000-2999999
>>>   idmap config * : backend = hash
>>>   idmap config * :  range = 10000000-109999999
>>>
>>> # id administrator
>>>
>>> uid=10000500(administrator) gid=10000513(domain users)
>>> groups=10000513(domain users),10005439(netmon users),10000572(denied rodc
>>> password replication group),10000519(enterprise admins),10000518(schema
>>> admins),10000512(domain admins),10000520(group policy creator
>>> owners),10001149(adtest-group-1)
>>>
>>> # net sam list builtin  ====> Empty
>>>
>>>
>>>
>>> On Thu, Jul 2, 2015 at 8:18 AM, Richard Sharpe
>>> <realrichardsharpe at gmail.com>
>>> wrote:
>>>
>>>> On Thu, Jul 2, 2015 at 7:56 AM, Partha Sarathi
>>>> <parthasarathi.bl at gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Currently we are using samba-4.1.17 as a member server to AD. Below are
>>>>> the idmap settings in smb.conf
>>>>>
>>>>> allow trusted domains = yes
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000000-2999999
>>>>> idmap config * : backend = hash
>>>>> idmap config * : range = 10000000-109999999
>>>>>
>>>>> ==================================================
>>>>>
>>>>> #net sam -d10 createbuiltingroup Administrators
>>>>> Found pdb backend tdbsam
>>>>> pdb backend tdbsam has a valid init
>>>>> Could not find map for sid S-1-5-32-544
>>>>> Trying to create builtin alias 544
>>>>> lookup_sid called for SID 'S-1-5-32-544'
>>>>> Accepting SID S-1-5-32 in level 1
>>>>> lookup_rids called for domain sid 'S-1-5-32'
>>>>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>>>>> *pdb_create_builtin_alias: Could not get a gid out of winbind*
>>>>> Creating Administrators failed with NT_STATUS_ACCESS_DENIED
>>>>> return code = -1
>>>>> Opening cache file at /var/cache/samba/gencache.tdb
>>>>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>>>>>
>>>>>
>>>>> root at OneBlox0025:/opt/exablox/config# wbinfo  -Y S-1-5-32-545
>>>>> *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
>>>>> Could not convert sid S-1-5-32-545 to gid
>>>>
>>>> I'm just guessing here, but normally, when you join a domain
>>>> BUILTIN\Administrators and BUILTIN\Users are created automatically so
>>>> that Domain Admins and Domain Users can be added to them.
>>>>
>>>> Did that not happen in your case? That is, why are you trying to
>>>> manually create this group?
>>>>
>>>>> I used the *hash* backend method for the trusted domain support without
>>>>> giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
>>>>> idmap hash backend method I could see the above commands succeed.
>>>>>
>>>>> Note: I didn't have this issue in 3.6.X
>>>>>
>>>>> Question is: If I specify the "DOMAIN" to the idmap hash backend without
>>>>> giving " * ", will it support trusted domain users getting the uid and gid from
>>>>> the range I specified?
>>>>>
>>>>> --
>>>>> Thanks & Regards
>>>>> -Partha
>>
>> Your problem is when you use this line:
>>
>> idmap config CORP : range = 10000000-109999999
>>
>> Winbind knows where to store the domain mappings, whilst when you use:
>>
>> idmap config * : range = 2000000-2999999
>> idmap config * : range = 10000000-109999999
>>
>> Winbind doesn't know where to store the domain mappings, and I would also
>> expect the first line to be ignored.
>
> I am not sure that I believe that explanation. I went and checked the
> in-development project I am on, and we have this in our smb.conf
> around idmapping:
>
>     idmap config * : backend = hash
>     idmap config * : range = 10000-40000000
>
> And we are also not getting those groups created. This is a problem,
> so I will have to investigate some more.

It turns out that we have exactly this problem. During the join we see:

-----------------------------
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
lookup_sid called for SID 'S-1-5-32-544'
Accepting SID S-1-5-32 in level 1
lookup_rids called for domain sid 'S-1-5-32'
Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
pdb_create_builtin_alias: Could not get a gid out of winbind
create_builtin_administrators: Failed to create Administrators
Failed to auto-add domain administrators to BUILTIN\Administrators
during join: NT_STATUS_ACCESS_DENIED
-----------------------------

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。-- How does one dispel sorrow? Only with Du Kang wine. -- Cao Cao)
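An added example, not code from this thread or from Samba: a small Python lint over the two configurations quoted above. It encodes the two things the thread turns on, namely the same `idmap config * : ...` key defined twice (so one of the two lines is dead) and a default (`*`) backend that, as observed here on 4.1.17, leaves the join unable to get a gid for S-1-5-32-544 when that backend is `hash`. It assumes, as for other repeated smb.conf parameters, that the later of two identical keys is the effective one, and it adds a disjoint-range check because overlapping idmap ranges let two SIDs land on one id. The configurations embedded in the block are constructed copies of the ones posted in the thread; the hash-as-default rule is the thread's observation, not a statement from the Samba documentation.

```python
"""
Lint the "idmap config" lines of an smb.conf for the two mistakes this
thread turns on: the same key defined twice for one idmap domain, and a
default ("*") backend that cannot hand out ids for BUILTIN SIDs.
This is an added illustration, not Samba code.
"""
import re
from typing import Dict, List, Tuple

# Matches e.g. "idmap config CORP : range = 10000000-109999999"
# (tolerates the stray double spaces seen in the quoted configs).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed copies of the configurations quoted in the thread.
BROKEN_CONF = """
allow trusted domains = yes
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config  * : backend = hash
idmap config  * : range = 10000000-109999999
"""

WORKING_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap  config CORP : backend = hash
idmap config CORP :  range = 10000000-109999999
"""


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Collect idmap settings per domain, warning on redefined keys.

    Assumption: as with other repeated smb.conf parameters, the later of two
    identical "idmap config DOM : key" lines is the one that takes effect,
    so a redefinition silently discards the earlier value.
    """
    domains: Dict[str, Dict[str, str]] = {}
    warnings: List[str] = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()  # domain names are case-insensitive
        key = m.group("key").lower()
        val = m.group("val")
        entry = domains.setdefault(dom, {})
        if key in entry and entry[key] != val:
            warnings.append(
                f"line {lineno}: 'idmap config {dom} : {key}' redefined "
                f"({entry[key]!r} replaced by {val!r}); the earlier line is dead"
            )
        entry[key] = val
    return domains, warnings


def parse_range(val: str) -> Tuple[int, int]:
    """Parse "LOW-HIGH" into ints; raise ValueError if malformed or inverted."""
    lo_s, hi_s = val.split("-", 1)
    lo, hi = int(lo_s), int(hi_s)
    if lo > hi:
        raise ValueError(f"inverted range {val}")
    return lo, hi


def lint_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the config passes."""
    domains, problems = parse_idmap(conf)

    # BUILTIN (S-1-5-32-*) has no "idmap config BUILTIN" of its own and is
    # served by the default "*" backend, which is what the join relies on when
    # it creates BUILTIN\Administrators (RID 544) and BUILTIN\Users (RID 545).
    default = domains.get("*", {})
    if "backend" not in default:
        problems.append("no explicit 'idmap config * : backend'; BUILTIN SIDs are "
                        "served by the default domain, so configure it (backend and range)")
    elif default["backend"].lower() == "hash":
        problems.append(
            "default backend is 'hash': in the thread this left the join unable to get a "
            "gid for S-1-5-32-544 (WBC_ERR_DOMAIN_NOT_FOUND); use tdb for '*' and put "
            "hash on a named domain"
        )

    ranges: List[Tuple[str, int, int]] = []
    for dom, entry in domains.items():
        if "backend" in entry and "range" not in entry:
            problems.append(f"'idmap config {dom}' has a backend but no range")
            continue
        if "range" in entry:
            try:
                lo, hi = parse_range(entry["range"])
            except ValueError as e:
                problems.append(f"'idmap config {dom} : range': {e}")
                continue
            ranges.append((dom, lo, hi))

    # idmap ranges must be disjoint, otherwise two SIDs can collide on one id.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges for {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(f"[{name}]")
        for p in lint_idmap(conf) or ["ok"]:
            print("  ", p)
```

Run against the quoted configs, the first (double `*`) one yields two "redefined" warnings plus the hash-as-default warning, while the second (tdb for `*`, hash on CORP) passes clean, which matches what `id administrator` and `net sam list builtin` showed in the thread.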