Creating builtin group fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Richard Sharpe realrichardsharpe at gmail.com
Thu Jul 2 20:22:52 CEST 2015


On Thu, Jul 2, 2015 at 11:06 AM, Partha Sarathi
<parthasarathi.bl at gmail.com> wrote:
> Richard,
>
> If I remember correctly this was working in 3.6.X. In 4.1.17 winbindd relies
> on DOMAIN name to perform sid-to-gid for builtin sids, which is strange.

Yes, this was working in 3.6.X. I did some breakage in 3.5.X with
Likewise's auth.

I haven't looked specifically at 4.X.Y but will check it out over the
long weekend because although I have a workaround for this, I am not
happy with it and don't understand the underlying cause.

> Regards,
> --Partha
>
> On Thu, Jul 2, 2015 at 11:01 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>>
>> On Thu, Jul 2, 2015 at 10:53 AM, Rowland Penny <repenny241155 at gmail.com>
>> wrote:
>> > On 02/07/15 18:45, Richard Sharpe wrote:
>> >>
>> >> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
>> >> <realrichardsharpe at gmail.com> wrote:
>> >>>>>
>> >>>>> Your problem is when you use this line:
>> >>>>>
>> >>>>> idmap config CORP : range = 10000000-109999999
>> >>>>>
>> >>>>> Winbind knows where to store the domain mappings, whilst when you
>> >>>>> use:
>> >>>>>
>> >>>>> idmap config * : range = 2000000-2999999
>> >>>>> idmap config * : range = 10000000-109999999
>> >>>>>
>> >>>>> Winbind doesn't know where to store the domain mappings and I would
>> >>>>> also
>> >>>>> expect the first line will be ignored.
>> >>>>
>> >>>> I am not sure that I believe that explanation. I went and checked the
>> >>>> in-development project I am on, and we have this in our smb.conf
>> >>>> around idmapping:
>> >>>>
>> >>>>      idmap config * : backend = hash
>> >>>>      idmap config * : range = 10000-40000000
>> >>>>
>> >>>> And we are also not getting those groups created. This is a problem,
>> >>>> so I will have to investigate some more.
>> >>>
>> >>> It turns out that we have exactly this problem. During the join we
>> >>> see:
>> >>>
>> >>> -----------------------------
>> >>> Attempting to register passdb backend tdbsam
>> >>> Successfully added passdb backend 'tdbsam'
>> >>> Found pdb backend tdbsam
>> >>> pdb backend tdbsam has a valid init
>> >>> Could not find map for sid S-1-5-32-544
>> >>> Trying to create builtin alias 544
>> >>> lookup_sid called for SID 'S-1-5-32-544'
>> >>> Accepting SID S-1-5-32 in level 1
>> >>> lookup_rids called for domain sid 'S-1-5-32'
>> >>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>> >>> pdb_create_builtin_alias: Could not get a gid out of winbind
>> >>> create_builtin_administrators: Failed to create Administrators
>> >>> Failed to auto-add domain administrators to BUILTIN\Administrators
>> >>> during join: NT_STATUS_ACCESS_DENIED
>> >>> -----------------------------
>> >>
>> >> If I kill winbindd and then perform the join, which is how it would
>> >> normally happen, I see:
>> >>
>> >> --------------------------------
>> >> Attempting to register passdb backend tdbsam
>> >> Successfully added passdb backend 'tdbsam'
>> >> Found pdb backend tdbsam
>> >> pdb backend tdbsam has a valid init
>> >> Could not find map for sid S-1-5-32-544
>> >> create_builtin_administrators: Failed to create Administrators
>> >> Unable to auto-add domain administrators to BUILTIN\Administrators
>> >> during join because winbindd must be running.
>> >> Could not find map for sid S-1-5-32-545
>> >> create_builtin_users: Failed to create Users
>> >> Unable to auto-add domain users to BUILTIN\users during join because
>> >> winbindd must be running.
>> >> --------------------------------
>> >>
>> >
>> > Hi, how are you doing the join? Just what do you have in smb.conf? Only
>> > ask because I have never seen that output.
>>
>> I used -d10 on the join line.
>>
>> It seems that if I use net groupmap add to explicitly map
>> S-1-5-32-544/545 to local groups I do get the correct things added on
>> domain join, but I am concerned that that is not the correct way to do
>> things.
>>
>> --
>> Regards,
>> Richard Sharpe
>> (何以解憂?唯有杜康。--曹操)
>
>
>
>
> --
> Thanks & Regards
> -Partha



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
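The thread turns on two things: whether the `idmap config * : range` lines in smb.conf are duplicated or overlap the per-domain range, and what the `-d10` join output says when the BUILTIN SID cannot be mapped to a gid. The script below is an added example (not from the thread, not Samba's own code) that checks both. It parses the `idmap config` lines out of a constructed smb.conf fragment built from the ranges quoted above, reports duplicate keys and overlapping ranges, and scans the join log lines quoted in the thread for the two failure signatures. The assumption that a later duplicate line supersedes the earlier one matches Rowland's expectation in the thread and is marked as an assumption in the code.

```python
import re

# Constructed smb.conf fragment (not a real file): the per-domain range from
# the thread plus the duplicated default-domain ranges Rowland objected to.
SAMPLE_SMB_CONF = """
[global]
    workgroup = CORP
    security = ads
    idmap config * : backend = hash
    idmap config * : range = 2000000-2999999
    idmap config * : range = 10000000-109999999
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000000-109999999
"""

# Join output quoted in the thread (copied, not invented).
SAMPLE_JOIN_LOG = """\
Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
pdb_create_builtin_alias: Could not get a gid out of winbind
create_builtin_administrators: Failed to create Administrators
Failed to auto-add domain administrators to BUILTIN\\Administrators
during join: NT_STATUS_ACCESS_DENIED
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(text):
    """Return {domain: [(key, value), ...]} in file order, keeping duplicates."""
    conf = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            conf.setdefault(m["dom"].upper(), []).append((m["key"].lower(), m["val"]))
    return conf


def parse_range(val):
    """Parse 'lo-hi' into ints; raise ValueError on malformed or inverted ranges."""
    lo, hi = (int(x) for x in val.split("-"))
    if lo > hi:
        raise ValueError(f"inverted range {val!r}")
    return lo, hi


def lint_idmap(conf):
    """Report duplicate keys, missing backends and overlapping ranges across domains."""
    findings = []
    ranges = {}
    for dom, pairs in conf.items():
        seen = {}
        for key, val in pairs:
            if key in seen:
                # Assumption: the later line wins, so the earlier value is silently ignored.
                findings.append(f"{dom}: duplicate '{key}': {seen[key]!r} superseded by {val!r}")
            seen[key] = val
        if "backend" not in seen:
            findings.append(f"{dom}: no backend configured")
        if "range" in seen:
            try:
                ranges[dom] = parse_range(seen["range"])
            except ValueError as exc:
                findings.append(f"{dom}: bad range: {exc}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")
    return findings


# Failure signatures taken from the two join logs quoted in the thread.
JOIN_SIGNATURES = [
    ("Could not get a gid out of winbind",
     "winbindd was running but returned no gid for a BUILTIN SID; check the '*' idmap config"),
    ("winbindd must be running",
     "the join ran without winbindd; start winbindd before joining"),
]


def diagnose_join_log(text):
    """Return (unmapped BUILTIN SIDs, matched advice strings) for a -d10 join log."""
    sids = sorted(set(re.findall(r"Could not find map for sid (S-1-5-32-\d+)", text)))
    advice = [msg for needle, msg in JOIN_SIGNATURES if needle in text]
    return sids, advice


if __name__ == "__main__":
    for f in lint_idmap(parse_idmap(SAMPLE_SMB_CONF)):
        print("smb.conf:", f)
    sids, advice = diagnose_join_log(SAMPLE_JOIN_LOG)
    print("unmapped BUILTIN SIDs:", sids)
    for a in advice:
        print("join log:", a)
```

Run it against a real smb.conf and the output of `net ads join -d10` by swapping the two constructed strings for file contents; a clean configuration yields no findings, and the SID list tells you which BUILTIN aliases the join could not map.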

