Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Partha Sarathi parthasarathi.bl at gmail.com
Thu Jul 2 20:00:44 CEST 2015


Thanks Richard.

We ended up with a WBC_ERR_DOMAIN_NOT_FOUND error in the function below:

static wbcErr wbcRequestResponseInt(
	int cmd,
	struct winbindd_request *request,
	struct winbindd_response *response,
	NSS_STATUS (*fn)(int req_type,
			 struct winbindd_request *request,
			 struct winbindd_response *response))
{
	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
	NSS_STATUS nss_status;

	/* for some calls the request and/or response can be NULL */

	nss_status = fn(cmd, request, response);

	switch (nss_status) {
	case NSS_STATUS_SUCCESS:
		wbc_status = WBC_ERR_SUCCESS;
		break;
	case NSS_STATUS_UNAVAIL:
		wbc_status = WBC_ERR_WINBIND_NOT_AVAILABLE;
		break;
	case NSS_STATUS_NOTFOUND:
		wbc_status = WBC_ERR_DOMAIN_NOT_FOUND;	/* <-- HERE */
		break;
	default:
		wbc_status = WBC_ERR_NSS_ERROR;
		break;
	}

	return wbc_status;
}

The net ads join -d10 output:

pdb backend tdbsam has a valid init
Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
lookup_sid called for SID 'S-1-5-32-544'
Accepting SID S-1-5-32 in level 1
lookup_rids called for domain sid 'S-1-5-32'
Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
pdb_create_builtin_alias: Could not get a gid out of winbind
create_builtin_administrators: Failed to create Administrators
Failed to auto-add domain administrators to BUILTIN\Administrators during
join: NT_STATUS_ACCESS_DENIED
Could not find map for sid S-1-5-32-545
Trying to create builtin alias 545
lookup_sid called for SID 'S-1-5-32-545'
Accepting SID S-1-5-32 in level 1
lookup_rids called for domain sid 'S-1-5-32'
Sid S-1-5-32-545 -> BUILTIN\Users(4)
pdb_create_builtin_alias: Could not get a gid out of winbind
create_builtin_users: Failed to create Users
Failed to auto-add domain administrators to BUILTIN\Administrators during
join: NT_STATUS_ACCESS_DENIED


Regards,
--Partha

On Thu, Jul 2, 2015 at 10:45 AM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:

> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
> >>> Your problem is when you use this line:
> >>>
> >>> idmap config CORP : range = 10000000-109999999
> >>>
> >>> Winbind knows where to store the domain mappings, whilst when you use:
> >>>
> >>> idmap config * : range = 2000000-2999999
> >>> idmap config * : range = 10000000-109999999
> >>>
> >>> Winbind doesn't know where to store the domain mappings and I would also
> >>> expect the first line will be ignored.
> >>
> >> I am not sure that I believe that explanation. I went and checked the
> >> in-development project I am on, and we have this in our smb.conf
> >> around idmapping:
> >>
> >>     idmap config * : backend = hash
> >>     idmap config * : range = 10000-40000000
> >>
> >> And we are also not getting those groups created. This is a problem,
> >> so I will have to investigate some more.
> >
> > It turns out that we have exactly this problem. During the join we see:
> >
> > -----------------------------
> > Attempting to register passdb backend tdbsam
> > Successfully added passdb backend 'tdbsam'
> > Found pdb backend tdbsam
> > pdb backend tdbsam has a valid init
> > Could not find map for sid S-1-5-32-544
> > Trying to create builtin alias 544
> > lookup_sid called for SID 'S-1-5-32-544'
> > Accepting SID S-1-5-32 in level 1
> > lookup_rids called for domain sid 'S-1-5-32'
> > Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> > pdb_create_builtin_alias: Could not get a gid out of winbind
> > create_builtin_administrators: Failed to create Administrators
> > Failed to auto-add domain administrators to BUILTIN\Administrators
> > during join: NT_STATUS_ACCESS_DENIED
> > -----------------------------
>
> If I kill winbindd and then perform the join, which is how it would
> normally happen, I see:
>
> --------------------------------
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Found pdb backend tdbsam
> pdb backend tdbsam has a valid init
> Could not find map for sid S-1-5-32-544
> create_builtin_administrators: Failed to create Administrators
> Unable to auto-add domain administrators to BUILTIN\Administrators
> during join because winbindd must be running.
> Could not find map for sid S-1-5-32-545
> create_builtin_users: Failed to create Users
> Unable to auto-add domain users to BUILTIN\users during join because
> winbindd must be running.
> --------------------------------
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>



-- 
Thanks & Regards
-Partha
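
The two join traces in this thread fail for different reasons, and the final NT_STATUS_ACCESS_DENIED does not say which. The following triage script is an added example, not code from the thread or from Samba; the function name and cause labels are assumptions, and the sample input is constructed from the traces quoted above.

```python
import re

# Markers copied from the two `net ads join -d10` traces in the thread.
START = re.compile(r"Could not find map for sid (S-1-5-32-\d+)")
NAME = re.compile(r"Sid (S-1-5-32-\d+) -> (BUILTIN\\\w+)\(\d+\)")
GID_FAIL = "Could not get a gid out of winbind"
NO_WINBINDD = "winbindd must be running"
QUOTE = re.compile(r"^(?:>\s?)+")  # mail quote prefixes such as "> > "

# Sample input constructed from the traces quoted in this thread.
SAMPLE_RUNNING = r"""Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
pdb_create_builtin_alias: Could not get a gid out of winbind
Could not find map for sid S-1-5-32-545
Sid S-1-5-32-545 -> BUILTIN\Users(4)
pdb_create_builtin_alias: Could not get a gid out of winbind
"""
SAMPLE_STOPPED = r"""> Could not find map for sid S-1-5-32-544
> create_builtin_administrators: Failed to create Administrators
> Unable to auto-add domain administrators to BUILTIN\Administrators
> during join because winbindd must be running.
> Could not find map for sid S-1-5-32-545
> create_builtin_users: Failed to create Users
> Unable to auto-add domain users to BUILTIN\users during join because
> winbindd must be running.
"""


def triage_join_log(text):
    """Return {builtin SID: {"alias": ..., "cause": ...}} for each failed alias."""
    results, current = {}, None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()  # also accept mail-quoted logs
        start, name = START.search(line), NAME.search(line)
        if start:
            current = results.setdefault(start.group(1), {"alias": None, "cause": "unknown"})
        elif current is None:
            continue
        elif name and name.group(1) in results:
            results[name.group(1)]["alias"] = name.group(2)
        elif GID_FAIL in line:
            current["cause"] = "gid_allocation_failed"  # gid request to winbind failed
        elif NO_WINBINDD in line:
            current["cause"] = "winbindd_not_running"
    return results


if __name__ == "__main__":
    print(triage_join_log(SAMPLE_RUNNING))
    print(triage_join_log(SAMPLE_STOPPED))
```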

