Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Rowland Penny repenny241155 at gmail.com
Thu Jul 2 20:56:10 CEST 2015


On 02/07/15 19:22, Richard Sharpe wrote:
> On Thu, Jul 2, 2015 at 11:06 AM, Partha Sarathi
> <parthasarathi.bl at gmail.com> wrote:
>> Richard,
>>
>> If I remember correctly this was working in 3.6.X. In 4.1.17 winbindd relies
>> on the DOMAIN name to perform sid-to-gid for builtin SIDs, which is strange.
> Yes, this was working in 3.6.X. I did some breakage in 3.5.X with
> Likewise's auth.
>
> I haven't looked specifically at 4.X.Y but will check it out over the
> long weekend because although I have a workaround for this, I am not
> happy with it and don't understand the underlying cause.
>
>> Regards,
>> --Partha
>>
>> On Thu, Jul 2, 2015 at 11:01 AM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>>> On Thu, Jul 2, 2015 at 10:53 AM, Rowland Penny <repenny241155 at gmail.com>
>>> wrote:
>>>> On 02/07/15 18:45, Richard Sharpe wrote:
>>>>> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
>>>>> <realrichardsharpe at gmail.com> wrote:
>>>>>>>> Your problem is when you use this line:
>>>>>>>>
>>>>>>>> idmap config CORP : range = 10000000-109999999
>>>>>>>>
>>>>>>>> Winbind knows where to store the domain mappings, whilst when you
>>>>>>>> use:
>>>>>>>>
>>>>>>>> idmap config * : range = 2000000-2999999
>>>>>>>> idmap config * : range = 10000000-109999999
>>>>>>>>
>>>>>>>> Winbind doesn't know where to store the domain mappings, and I would
>>>>>>>> also expect the first line to be ignored.
>>>>>>> I am not sure that I believe that explanation. I went and checked the
>>>>>>> in-development project I am on, and we have this in our smb.conf
>>>>>>> around idmapping:
>>>>>>>
>>>>>>>       idmap config * : backend = hash
>>>>>>>       idmap config * : range = 10000-40000000
>>>>>>>
>>>>>>> And we are also not getting those groups created. This is a problem,
>>>>>>> so I will have to investigate some more.
>>>>>> It turns out that we have exactly this problem. During the join we
>>>>>> see:
>>>>>>
>>>>>> -----------------------------
>>>>>> Attempting to register passdb backend tdbsam
>>>>>> Successfully added passdb backend 'tdbsam'
>>>>>> Found pdb backend tdbsam
>>>>>> pdb backend tdbsam has a valid init
>>>>>> Could not find map for sid S-1-5-32-544
>>>>>> Trying to create builtin alias 544
>>>>>> lookup_sid called for SID 'S-1-5-32-544'
>>>>>> Accepting SID S-1-5-32 in level 1
>>>>>> lookup_rids called for domain sid 'S-1-5-32'
>>>>>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>>>>>> pdb_create_builtin_alias: Could not get a gid out of winbind
>>>>>> create_builtin_administrators: Failed to create Administrators
>>>>>> Failed to auto-add domain administrators to BUILTIN\Administrators
>>>>>> during join: NT_STATUS_ACCESS_DENIED
>>>>>> -----------------------------
>>>>> If I kill winbindd and then perform the join, which is how it would
>>>>> normally happen, I see:
>>>>>
>>>>> --------------------------------
>>>>> Attempting to register passdb backend tdbsam
>>>>> Successfully added passdb backend 'tdbsam'
>>>>> Found pdb backend tdbsam
>>>>> pdb backend tdbsam has a valid init
>>>>> Could not find map for sid S-1-5-32-544
>>>>> create_builtin_administrators: Failed to create Administrators
>>>>> Unable to auto-add domain administrators to BUILTIN\Administrators
>>>>> during join because winbindd must be running.
>>>>> Could not find map for sid S-1-5-32-545
>>>>> create_builtin_users: Failed to create Users
>>>>> Unable to auto-add domain users to BUILTIN\users during join because
>>>>> winbindd must be running.
>>>>> --------------------------------
>>>>>
>>>> Hi, how are you doing the join? Just what do you have in smb.conf? I only
>>>> ask because I have never seen that output.
>>> I used -d10 on the join line.
>>>
>>> It seems that if I use net groupmap add to explicitly map
>>> S-1-5-32-544/545 to local groups I do get the correct things added on
>>> domain join, but I am concerned that that is not the correct way to do
>>> things.
>>>
>>> --
>>> Regards,
>>> Richard Sharpe
>>> (How to dispel sorrow? Only with Dukang wine. -- Cao Cao)
>>
>>
>>
>> --
>> Thanks & Regards
>> -Partha
>
>

OK, the OP's original command works for me on Debian wheezy, with the latest
sernet 4.2 packages set up like the OP, just using different ranges.
I cannot get the error message when I do the join; what I do get is this
(note: at -d10 it just scrolled off the page):

root at debclient:~# net ads join -U Administrator%XXXXXXXXXX -d2
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=192.168.0.196 bcast=192.168.0.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
libnet_Join:
     libnet_JoinCtx: struct libnet_JoinCtx
         in: struct libnet_JoinCtx
             dc_name                  : NULL
             machine_name             : 'DEBCLIENT'
             domain_name              : *
                 domain_name              : 'EXAMPLE.COM'
             account_ou               : NULL
             admin_account            : 'Administrator'
             admin_domain             : NULL
             machine_password         : NULL
             join_flags               : 0x00000023 (35)
                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
             os_version               : NULL
             os_name                  : NULL
             create_upn               : 0x00 (0)
             upn                      : NULL
             modify_config            : 0x00 (0)
             ads                      : NULL
             debug                    : 0x01 (1)
             use_kerberos             : 0x00 (0)
             secure_channel_type      : SEC_CHAN_WKSTA (2)
ads_get_upn: No userPrincipalName attribute!
libnet_Join:
     libnet_JoinCtx: struct libnet_JoinCtx
         out: struct libnet_JoinCtx
             account_name             : NULL
             netbios_domain_name      : 'EXAMPLE'
             dns_domain_name          : 'example.com'
             forest_name              : 'example.com'
             dn                       : 'CN=debclient,CN=Computers,DC=example,DC=com'
             domain_sid               : *
                 domain_sid               : S-1-5-21-2025076216-3455336656-3842161122
             modified_config          : 0x00 (0)
             error_string             : NULL
             domain_is_ad             : 0x01 (1)
             result                   : WERR_OK
Using short domain name -- EXAMPLE
Joined 'DEBCLIENT' to dns domain 'example.com'
added interface eth0 ip=192.168.0.196 bcast=192.168.0.255 netmask=255.255.255.0
return code = 0

I then tried to carry out the command that the OP posted:

root at debclient:~# net sam -d10 createbuiltingroup Administrators
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
Processing section "[global]"
doing parameter workgroup = EXAMPLE
doing parameter security = ADS
doing parameter realm = EXAMPLE.COM
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter server string = Samba 4 Client %h
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter winbind expand groups = 4
doing parameter winbind nss info = rfc2307
doing parameter winbind refresh tickets = Yes
doing parameter winbind offline logon = yes
doing parameter winbind normalize names = Yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 2000-9999
doing parameter idmap config EXAMPLE : backend = hash
doing parameter idmap config EXAMPLE : range = 10000-999999
doing parameter printcap name = cups
doing parameter cups options = raw
doing parameter usershare allow guests = yes
doing parameter domain master = no
doing parameter local master = no
doing parameter map to guest = bad user
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
pm_process() returned Yes
lp_servicenumber: couldn't find EXAMPLEs
Netbios name list:-
my_netbios_names[0]="DEBCLIENT"
added interface eth0 ip=192.168.0.196 bcast=192.168.0.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
lookup_name: BUILTIN\Administrators => domain=[BUILTIN], name=[Administrators]
lookup_name: flags = 0x073
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
lookup_sid called for SID 'S-1-5-32-544'
Accepting SID S-1-5-32 in level 1
lookup_rids called for domain sid 'S-1-5-32'
Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
Creating alias Administrators with gid 2000
check lock order 1 for /var/lib/samba/group_mapping.tdb
lock order:  1:/var/lib/samba/group_mapping.tdb 2:<none> 3:<none>
Locking key 554E495847524F55502F
Allocated locked data 0x0x7ff986234270
Unlocking key 554E495847524F55502F
release lock order 1 for /var/lib/samba/group_mapping.tdb
lock order:  1:<none> 2:<none> 3:<none>
Created BUILTIN group Administrators with RID 544
return code = 0
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb

getent produced nothing but:

root at debclient:~# getent group Administrators
root at debclient:~# wbinfo --sid-to-gid=S-1-5-32-544
2000

Rowland
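As an added example (not part of the thread or of Samba itself), a small Python check over the `idmap config` lines of an smb.conf that flags the patterns discussed in this thread: a repeated `idmap config * : range` line (smb.conf keeps only the last one), overlapping ranges between domains, and a hash backend on the default `*` domain, which is how the setups reported failing above map BUILTIN SIDs. The embedded sample configuration is constructed from the working client config quoted in this message, not copied from anyone's file.

```python
import re
from typing import Dict, List, Tuple

# Matches 'idmap config <DOMAIN> : <key> = <value>' as written in smb.conf.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

# Constructed fragment modelled on the working config quoted above (not the poster's file).
WORKING = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = hash
idmap config EXAMPLE : range = 10000-999999
"""

def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Collect idmap settings per domain. A key given twice for the same domain is
    reported, because smb.conf keeps only the last value and the earlier line is lost."""
    domains: Dict[str, Dict[str, str]] = {}
    findings: List[str] = []
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).strip().lower(), m.group(3)
        settings = domains.setdefault(dom, {})
        if key in settings:
            findings.append(f"{dom}: '{key}' set twice; only the last value ({val}) takes effect")
        settings[key] = val
    return domains, findings

def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap layout looks sane."""
    domains, findings = parse_idmap(conf)
    default = domains.get("*", {})
    if "range" not in default:
        findings.append("no 'idmap config * : range'; BUILTIN and unknown SIDs have no range")
    elif default.get("backend", "tdb").lower() == "hash":  # Samba's default backend for * is tdb
        findings.append("default domain '*' uses the hash backend, as in the setups reported failing above")
    ranges = []
    for dom, settings in domains.items():
        if "range" in settings:
            lo, hi = (int(x) for x in settings["range"].split("-", 1))
            ranges.append((dom, lo, hi))
    # Two domains with overlapping ranges hand out the same Unix ids for different SIDs.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return findings
```

Running `check_idmap` over the quoted working config returns no findings, while a config that repeats the `*` range or puts both domains in one range gets one finding per problem.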



