Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend
Rowland Penny
repenny241155 at gmail.com
Thu Jul 2 20:56:10 CEST 2015
On 02/07/15 19:22, Richard Sharpe wrote:
> On Thu, Jul 2, 2015 at 11:06 AM, Partha Sarathi
> <parthasarathi.bl at gmail.com> wrote:
>> Richard,
>>
>> If I remember correctly this was working in 3.6.X. In 4.1.17 winbindd relies
>> on the DOMAIN name to perform sid-to-gid for builtin SIDs, which is strange.
> Yes, this was working in 3.6.X. I did some breakage in 3.5.X with
> Likewise's auth.
>
> I haven't looked specifically at 4.X.Y but will check it out over the
> long weekend because although I have a workaround for this, I am not
> happy with it and don't understand the underlying cause.
>
>> Regards,
>> --Partha
>>
>> On Thu, Jul 2, 2015 at 11:01 AM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>>> On Thu, Jul 2, 2015 at 10:53 AM, Rowland Penny <repenny241155 at gmail.com>
>>> wrote:
>>>> On 02/07/15 18:45, Richard Sharpe wrote:
>>>>> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
>>>>> <realrichardsharpe at gmail.com> wrote:
>>>>>>>> Your problem is when you use this line:
>>>>>>>>
>>>>>>>> idmap config CORP : range = 10000000-109999999
>>>>>>>>
>>>>>>>> Winbind knows where to store the domain mappings, whilst when you
>>>>>>>> use:
>>>>>>>>
>>>>>>>> idmap config * : range = 2000000-2999999
>>>>>>>> idmap config * : range = 10000000-109999999
>>>>>>>>
>>>>>>>> Winbind doesn't know where to store the domain mappings and I would
>>>>>>>> also
>>>>>>>> expect the first line will be ignored.
>>>>>>> I am not sure that I believe that explanation. I went and checked the
>>>>>>> in-development project I am on, and we have this in our smb.conf
>>>>>>> around idmapping:
>>>>>>>
>>>>>>> idmap config * : backend = hash
>>>>>>> idmap config * : range = 10000-40000000
>>>>>>>
>>>>>>> And we are also not getting those groups created. This is a problem,
>>>>>>> so I will have to investigate some more.
>>>>>> It turns out that we have exactly this problem. During the join we
>>>>>> see:
>>>>>>
>>>>>> -----------------------------
>>>>>> Attempting to register passdb backend tdbsam
>>>>>> Successfully added passdb backend 'tdbsam'
>>>>>> Found pdb backend tdbsam
>>>>>> pdb backend tdbsam has a valid init
>>>>>> Could not find map for sid S-1-5-32-544
>>>>>> Trying to create builtin alias 544
>>>>>> lookup_sid called for SID 'S-1-5-32-544'
>>>>>> Accepting SID S-1-5-32 in level 1
>>>>>> lookup_rids called for domain sid 'S-1-5-32'
>>>>>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>>>>>> pdb_create_builtin_alias: Could not get a gid out of winbind
>>>>>> create_builtin_administrators: Failed to create Administrators
>>>>>> Failed to auto-add domain administrators to BUILTIN\Administrators
>>>>>> during join: NT_STATUS_ACCESS_DENIED
>>>>>> -----------------------------
>>>>> If I kill winbindd and then perform the join, which is how it would
>>>>> normally happen, I see:
>>>>>
>>>>> --------------------------------
>>>>> Attempting to register passdb backend tdbsam
>>>>> Successfully added passdb backend 'tdbsam'
>>>>> Found pdb backend tdbsam
>>>>> pdb backend tdbsam has a valid init
>>>>> Could not find map for sid S-1-5-32-544
>>>>> create_builtin_administrators: Failed to create Administrators
>>>>> Unable to auto-add domain administrators to BUILTIN\Administrators
>>>>> during join because winbindd must be running.
>>>>> Could not find map for sid S-1-5-32-545
>>>>> create_builtin_users: Failed to create Users
>>>>> Unable to auto-add domain users to BUILTIN\users during join because
>>>>> winbindd must be running.
>>>>> --------------------------------
>>>>>
>>>> Hi, how are you doing the join? Just what do you have in smb.conf? Only
>>>> asking because I have never seen that output.
>>> I used -d10 on the join line.
>>>
>>> It seems that if I use net groupmap add to explicitly map
>>> S-1-5-32-544/545 to local groups I do get the correct things added on
>>> domain join, but I am concerned that that is not the correct way to do
>>> things.
>>>
>>> --
>>> Regards,
>>> Richard Sharpe
>>> (What can dispel sorrow? Only Dukang wine. --Cao Cao)
>>
>>
>>
>> --
>> Thanks & Regards
>> -Partha
>
>
OK, the OP's original command works for me on Debian wheezy with the latest
Sernet 4.2 packages, set up like the OP, just using different ranges.
I cannot get the error message when I do the join; what I do get is this
(note: at -d10 it just scrolled off the page):
root at debclient:~# net ads join -U Administrator%XXXXXXXXXX -d2
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=192.168.0.196 bcast=192.168.0.255
netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'DEBCLIENT'
domain_name : *
domain_name : 'EXAMPLE.COM'
account_ou : NULL
admin_account : 'Administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
ads_get_upn: No userPrincipalName attribute!
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'EXAMPLE'
dns_domain_name : 'example.com'
forest_name : 'example.com'
dn :
'CN=debclient,CN=Computers,DC=example,DC=com'
domain_sid : *
domain_sid :
S-1-5-21-2025076216-3455336656-3842161122
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- EXAMPLE
Joined 'DEBCLIENT' to dns domain 'example.com'
added interface eth0 ip=192.168.0.196 bcast=192.168.0.255
netmask=255.255.255.0
return code = 0
I then tried to carry out the command that the OP posted:
root at debclient:~# net sam -d10 createbuiltingroup Administrators
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
Processing section "[global]"
doing parameter workgroup = EXAMPLE
doing parameter security = ADS
doing parameter realm = EXAMPLE.COM
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter server string = Samba 4 Client %h
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter winbind expand groups = 4
doing parameter winbind nss info = rfc2307
doing parameter winbind refresh tickets = Yes
doing parameter winbind offline logon = yes
doing parameter winbind normalize names = Yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 2000-9999
doing parameter idmap config EXAMPLE : backend = hash
doing parameter idmap config EXAMPLE : range = 10000-999999
doing parameter printcap name = cups
doing parameter cups options = raw
doing parameter usershare allow guests = yes
doing parameter domain master = no
doing parameter local master = no
doing parameter map to guest = bad user
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
pm_process() returned Yes
lp_servicenumber: couldn't find EXAMPLEs
Netbios name list:-
my_netbios_names[0]="DEBCLIENT"
added interface eth0 ip=192.168.0.196 bcast=192.168.0.255
netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
lookup_name: BUILTIN\Administrators => domain=[BUILTIN],
name=[Administrators]
lookup_name: flags = 0x073
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
lookup_sid called for SID 'S-1-5-32-544'
Accepting SID S-1-5-32 in level 1
lookup_rids called for domain sid 'S-1-5-32'
Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
Creating alias Administrators with gid 2000
check lock order 1 for /var/lib/samba/group_mapping.tdb
lock order: 1:/var/lib/samba/group_mapping.tdb 2:<none> 3:<none>
Locking key 554E495847524F55502F
Allocated locked data 0x0x7ff986234270
Unlocking key 554E495847524F55502F
release lock order 1 for /var/lib/samba/group_mapping.tdb
lock order: 1:<none> 2:<none> 3:<none>
Created BUILTIN group Administrators with RID 544
return code = 0
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb
getent produced nothing, but:
root at debclient:~# getent group Administrators
root at debclient:~# wbinfo --sid-to-gid=S-1-5-32-544
2000
Rowland
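As an added example (not from the thread and not Samba code), a small checker for the `idmap config` lines discussed above: it parses `idmap config DOM : backend/range` entries, warns when a parameter is set twice (the later value is kept, as Rowland expects), flags a missing default `*` domain, incomplete domains and overlapping ranges, and picks the idmap domain a SID would fall under. It assumes BUILTIN SIDs (S-1-5-32-*) are handled by the default `*` domain, consistent with Rowland's log where S-1-5-32-544 received gid 2000 from the `*` range 2000-9999; the two config fragments and the domain-SID table are constructed from values in the thread.

```python
import re
# Constructed smb.conf fragments, modelled on the two configurations quoted in the thread.
CONF_TWO_DEFAULT_RANGES = """idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config * : range = 10000000-109999999"""
CONF_WORKING = """idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = hash
idmap config EXAMPLE : range = 10000-999999"""
# Domain SID -> idmap domain name (constructed from the domain_sid in Rowland's join output).
KNOWN_DOMAIN_SIDS = {"S-1-5-21-2025076216-3455336656-3842161122": "EXAMPLE"}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    # Returns ({DOMAIN: {"backend": str, "range": (lo, hi)}}, warnings); a parameter
    # set twice keeps the later value (assumed smb.conf semantics).
    domains, warnings = {}, []
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key in entry:
            warnings.append(f"{dom}: '{key}' set twice, earlier value {entry[key]!r} ignored")
        if key == "range":  # "lo-hi", spaces around the dash tolerated
            val = tuple(int(x) for x in val.replace(" ", "").split("-"))
        entry[key] = val
    return domains, warnings

def check_idmap(domains):
    # Flags a missing default domain, domains lacking backend/range, and overlapping ranges.
    problems = []
    if "*" not in domains:
        problems.append("no default '*' idmap domain for SIDs outside configured domains (e.g. BUILTIN)")
    for dom, entry in domains.items():
        problems += [f"{dom}: missing {k}" for k in ("backend", "range") if k not in entry]
    ranged = [d for d in domains if "range" in domains[d]]
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            (alo, ahi), (blo, bhi) = domains[a]["range"], domains[b]["range"]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def idmap_domain_for_sid(sid, domains):
    # Configured domain whose SID prefixes this SID, else the default '*' (assumed for BUILTIN S-1-5-32-*).
    for dom_sid, name in KNOWN_DOMAIN_SIDS.items():
        if sid.startswith(dom_sid + "-") and name.upper() in domains:
            return name.upper()
    return "*" if "*" in domains else None
```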