Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Rowland Penny repenny241155 at gmail.com
Thu Jul 2 19:53:53 CEST 2015


On 02/07/15 18:45, Richard Sharpe wrote:
> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>>>> Your problem is when you use this line:
>>>>
>>>> idmap config CORP : range = 10000000-109999999
>>>>
>>>> Winbind knows where to store the domain mappings, whilst when you use:
>>>>
>>>> idmap config * : range = 2000000-2999999
>>>> idmap config * : range = 10000000-109999999
>>>>
>>>> Winbind doesn't know where to store the domain mappings and I would also
>>>> expect the first line will be ignored.
>>> I am not sure that I believe that explanation. I went and checked the
>>> in-development project I am on, and we have this in our smb.conf
>>> around idmapping:
>>>
>>>      idmap config * : backend = hash
>>>      idmap config * : range = 10000-40000000
>>>
>>> And we are also not getting those groups created. This is a problem,
>>> so I will have to investigate some more.
>> It turns out that we have exactly this problem. During the join we see:
>>
>> -----------------------------
>> Attempting to register passdb backend tdbsam
>> Successfully added passdb backend 'tdbsam'
>> Found pdb backend tdbsam
>> pdb backend tdbsam has a valid init
>> Could not find map for sid S-1-5-32-544
>> Trying to create builtin alias 544
>> lookup_sid called for SID 'S-1-5-32-544'
>> Accepting SID S-1-5-32 in level 1
>> lookup_rids called for domain sid 'S-1-5-32'
>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>> pdb_create_builtin_alias: Could not get a gid out of winbind
>> create_builtin_administrators: Failed to create Administrators
>> Failed to auto-add domain administrators to BUILTIN\Administrators
>> during join: NT_STATUS_ACCESS_DENIED
>> -----------------------------
> If I kill winbindd and then perform the join, which is how it would
> normally happen, I see:
>
> --------------------------------
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Found pdb backend tdbsam
> pdb backend tdbsam has a valid init
> Could not find map for sid S-1-5-32-544
> create_builtin_administrators: Failed to create Administrators
> Unable to auto-add domain administrators to BUILTIN\Administrators
> during join because winbindd must be running.
> Could not find map for sid S-1-5-32-545
> create_builtin_users: Failed to create Users
> Unable to auto-add domain users to BUILTIN\users during join because
> winbindd must be running.
> --------------------------------
>

Hi, how are you doing the join? Just what do you have in smb.conf? I only
ask because I have never seen that output.

Rowland


