Creating builtin group fails with NT_STATUS_ACCESS_DENIED with idmap hash backend

Partha Sarathi parthasarathi.bl at gmail.com
Thu Jul 2 20:06:50 CEST 2015


Richard,

If I remember correctly this was working in 3.6.X. In 4.1.17 winbindd relies
on the DOMAIN name to perform sid-to-gid for builtin SIDs, which is strange.

Regards,
--Partha

On Thu, Jul 2, 2015 at 11:01 AM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:

> On Thu, Jul 2, 2015 at 10:53 AM, Rowland Penny <repenny241155 at gmail.com>
> wrote:
> > On 02/07/15 18:45, Richard Sharpe wrote:
> >>
> >> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
> >> <realrichardsharpe at gmail.com> wrote:
> >>>>>
> >>>>> Your problem is when you use this line:
> >>>>>
> >>>>> idmap config CORP : range = 10000000-109999999
> >>>>>
> >>>>> Winbind knows where to store the domain mappings, whilst when you use:
> >>>>>
> >>>>> idmap config * : range = 2000000-2999999
> >>>>> idmap config * : range = 10000000-109999999
> >>>>>
> >>>>> Winbind doesn't know where to store the domain mappings and I would
> >>>>> also expect the first line will be ignored.
> >>>>
> >>>> I am not sure that I believe that explanation. I went and checked the
> >>>> in-development project I am on, and we have this in our smb.conf
> >>>> around idmapping:
> >>>>
> >>>>      idmap config * : backend = hash
> >>>>      idmap config * : range = 10000-40000000
> >>>>
> >>>> And we are also not getting those groups created. This is a problem,
> >>>> so I will have to investigate some more.
> >>>
> >>> It turns out that we have exactly this problem. During the join we see:
> >>>
> >>> -----------------------------
> >>> Attempting to register passdb backend tdbsam
> >>> Successfully added passdb backend 'tdbsam'
> >>> Found pdb backend tdbsam
> >>> pdb backend tdbsam has a valid init
> >>> Could not find map for sid S-1-5-32-544
> >>> Trying to create builtin alias 544
> >>> lookup_sid called for SID 'S-1-5-32-544'
> >>> Accepting SID S-1-5-32 in level 1
> >>> lookup_rids called for domain sid 'S-1-5-32'
> >>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> >>> pdb_create_builtin_alias: Could not get a gid out of winbind
> >>> create_builtin_administrators: Failed to create Administrators
> >>> Failed to auto-add domain administrators to BUILTIN\Administrators
> >>> during join: NT_STATUS_ACCESS_DENIED
> >>> -----------------------------
> >>
> >> If I kill winbindd and then perform the join, which is how it would
> >> normally happen, I see:
> >>
> >> --------------------------------
> >> Attempting to register passdb backend tdbsam
> >> Successfully added passdb backend 'tdbsam'
> >> Found pdb backend tdbsam
> >> pdb backend tdbsam has a valid init
> >> Could not find map for sid S-1-5-32-544
> >> create_builtin_administrators: Failed to create Administrators
> >> Unable to auto-add domain administrators to BUILTIN\Administrators
> >> during join because winbindd must be running.
> >> Could not find map for sid S-1-5-32-545
> >> create_builtin_users: Failed to create Users
> >> Unable to auto-add domain users to BUILTIN\users during join because
> >> winbindd must be running.
> >> --------------------------------
> >>
> >
> > Hi, how are you doing the join? Just what do you have in smb.conf? Only
> > ask because I have never seen that output.
>
> I used -d10 on the join line.
>
> It seems that if I use net groupmap add to explicitly map
> S-1-5-32-544/545 to local groups I do get the correct things added on
> domain join, but I am concerned that that is not the correct way to do
> things.
>
> --
> Regards,
> Richard Sharpe
> (How can one dispel sorrow? Only with Du Kang. --Cao Cao)
>



-- 
Thanks & Regards
-Partha
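The idmap layout Rowland and Richard argue over above (a doubled "idmap config * : range" line, and whether a per-domain entry is needed beside the default one) is the kind of thing worth checking mechanically before a join. The script below is an added example; it is not Samba code and was not posted in this thread. It assumes a simplified smb.conf reader (one "key = value" per line, "#" and ";" comment lines) and Samba's last-value-wins rule for a repeated parameter, which is what Rowland's "the first line will be ignored" relies on. Both sample configs are constructed: BROKEN_CONF mirrors the fragments quoted above, and FIXED_CONF uses the default-plus-per-domain layout from Samba's own documentation (tdb for "*", rid for CORP), which the thread itself does not settle on.

```python
"""Lint the 'idmap config' lines of an smb.conf for the problems raised in
the thread: a repeated 'idmap config * : range' (only the last value takes
effect), a domain with a range but no backend or vice versa, a malformed or
inverted range, and ranges that overlap between domains.

Added example, not Samba code.  Assumptions: simplified smb.conf parsing
(one 'key = value' per line, '#'/';' comment lines), last value wins for a
repeated parameter, and constructed sample configs below.
"""
import re
from typing import Dict, List, Tuple

# e.g. "idmap config CORP : range = 10000000-109999999"
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed: the shape Richard posted, plus the duplicated default range
# from Rowland's reply.  The second '*' range silently replaces the first.
BROKEN_CONF = """\
[global]
    workgroup = CORP
    security = ads
    idmap config * : backend = hash
    idmap config * : range = 2000000-2999999
    idmap config * : range = 10000000-109999999
"""

# Constructed: the layout Samba documents for a winbind domain member, a
# small default range for BUILTIN/unknown SIDs plus a separate per-domain
# backend and range.  Not something the thread itself settles on.
FIXED_CONF = """\
[global]
    workgroup = CORP
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000-999999
"""


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Collect {DOMAIN: {option: value}}; report repeated keys (last wins)."""
    domains: Dict[str, Dict[str, str]] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        opts = domains.setdefault(dom, {})
        if opt in opts:
            findings.append(
                f"line {lineno}: 'idmap config {dom} : {opt}' repeated; "
                f"earlier value '{opts[opt]}' is ignored in favour of '{val}'")
        opts[opt] = val
    return domains, findings


def check_idmap(conf: str) -> List[str]:
    """Return findings; an empty list means the idmap layout passed all checks."""
    domains, findings = parse_idmap(conf)
    if "*" not in domains:
        findings.append("no explicit 'idmap config *' default domain; "
                        "BUILTIN SIDs are mapped through it")
    ranges = []
    for dom, opts in domains.items():
        if "backend" not in opts:
            findings.append(f"domain {dom}: range set but no backend")
        if "range" not in opts:
            findings.append(f"domain {dom}: backend set but no range")
            continue
        rm = RANGE_RE.match(opts["range"])
        if not rm:
            findings.append(f"domain {dom}: malformed range '{opts['range']}'")
            continue
        lo, hi = int(rm.group(1)), int(rm.group(2))
        if lo >= hi:
            findings.append(f"domain {dom}: range {lo}-{hi} is empty or inverted")
            continue
        ranges.append((dom, lo, hi))
    # Two domains sharing ID space would hand the same uid/gid to different SIDs.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for finding in check_idmap(conf) or ["no findings"]:
            print(" ", finding)
```

This is a static check only: it does not tell you what winbind will do with a given SID. After adjusting the config, confirm what Samba actually parsed with "testparm -s" and ask winbind directly with "wbinfo --sid-to-gid S-1-5-32-544", which is the lookup that failed with "Could not get a gid out of winbind" in the join log above.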