Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Richard Sharpe realrichardsharpe at gmail.com
Thu Jul 2 19:45:34 CEST 2015


On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
>>> Your problem is when you use this line:
>>>
>>> idmap config CORP : range = 10000000-109999999
>>>
>>> Winbind knows where to store the domain mappings, whilst when you use:
>>>
>>> idmap config * : range = 2000000-2999999
>>> idmap config * : range = 10000000-109999999
>>>
>>> Winbind doesn't know where to store the domain mappings and I would also
>>> expect the first line will be ignored.
>>
>> I am not sure that I believe that explanation. I went and checked the
>> in-development project I am on, and we have this in our smb.conf
>> around idmapping:
>>
>>     idmap config * : backend = hash
>>     idmap config * : range = 10000-40000000
>>
>> And we are also not getting those groups created. This is a problem,
>> so I will have to investigate some more.
>
> It turns out that we have exactly this problem. During the join we see:
>
> -----------------------------
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Found pdb backend tdbsam
> pdb backend tdbsam has a valid init
> Could not find map for sid S-1-5-32-544
> Trying to create builtin alias 544
> lookup_sid called for SID 'S-1-5-32-544'
> Accepting SID S-1-5-32 in level 1
> lookup_rids called for domain sid 'S-1-5-32'
> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> pdb_create_builtin_alias: Could not get a gid out of winbind
> create_builtin_administrators: Failed to create Administrators
> Failed to auto-add domain administrators to BUILTIN\Administrators
> during join: NT_STATUS_ACCESS_DENIED
> -----------------------------

If I kill winbindd and then perform the join, which is how it would
normally happen, I see:

--------------------------------
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Could not find map for sid S-1-5-32-544
create_builtin_administrators: Failed to create Administrators
Unable to auto-add domain administrators to BUILTIN\Administrators
during join because winbindd must be running.
Could not find map for sid S-1-5-32-545
create_builtin_users: Failed to create Users
Unable to auto-add domain users to BUILTIN\users during join because
winbindd must be running.
--------------------------------

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)

