Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Richard Sharpe realrichardsharpe at gmail.com
Thu Jul 2 21:23:27 CEST 2015


On Thu, Jul 2, 2015 at 11:56 AM, Rowland Penny <repenny241155 at gmail.com> wrote:
> On 02/07/15 19:22, Richard Sharpe wrote:
>>
>> On Thu, Jul 2, 2015 at 11:06 AM, Partha Sarathi
>> <parthasarathi.bl at gmail.com> wrote:
>>>
>>> Richard,
>>>
>>> If I remember correctly this was working in 3.6.X. In 4.1.17 winbindd
>>> relies
>>> on DOMAIN name to perform sid-to-gid for builtin sids which is strange.
>>
>> Yes, this was working in 3.6.X. I did some breakage in 3.5.X with
>> Likewise's auth.
>>
>> I haven't looked specifically at 4.X.Y but will check it out over the
>> long weekend because although I have a workaround for this, I am not
>> happy with it and don't understand the underlying cause.
>>
>>> Regards,
>>> --Partha
>>>
>>> On Thu, Jul 2, 2015 at 11:01 AM, Richard Sharpe
>>> <realrichardsharpe at gmail.com> wrote:
>>>>
>>>> On Thu, Jul 2, 2015 at 10:53 AM, Rowland Penny <repenny241155 at gmail.com>
>>>> wrote:
>>>>>
>>>>> On 02/07/15 18:45, Richard Sharpe wrote:
>>>>>>
>>>>>> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
>>>>>> <realrichardsharpe at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Your problem is when you use this line:
>>>>>>>>>
>>>>>>>>> idmap config CORP : range = 10000000-109999999
>>>>>>>>>
>>>>>>>>> Winbind knows where to store the domain mappings, whilst when you
>>>>>>>>> use:
>>>>>>>>>
>>>>>>>>> idmap config * : range = 2000000-2999999
>>>>>>>>> idmap config * : range = 10000000-109999999
>>>>>>>>>
>>>>>>>>> Winbind doesn't know where to store the domain mappings and I would
>>>>>>>>> also
>>>>>>>>> expect the first line will be ignored.
>>>>>>>>
>>>>>>>> I am not sure that I believe that explanation. I went and checked
>>>>>>>> the
>>>>>>>> in-development project I am on, and we have this in our smb.conf
>>>>>>>> around idmapping:
>>>>>>>>
>>>>>>>>       idmap config * : backend = hash
>>>>>>>>       idmap config * : range = 10000-40000000
>>>>>>>>
>>>>>>>> And we are also not getting those groups created. This is a problem,
>>>>>>>> so I will have to investigate some more.
>>>>>>>
>>>>>>> It turns out that we have exactly this problem. During the join we
>>>>>>> see:
>>>>>>>
>>>>>>> -----------------------------
>>>>>>> Attempting to register passdb backend tdbsam
>>>>>>> Successfully added passdb backend 'tdbsam'
>>>>>>> Found pdb backend tdbsam
>>>>>>> pdb backend tdbsam has a valid init
>>>>>>> Could not find map for sid S-1-5-32-544
>>>>>>> Trying to create builtin alias 544
>>>>>>> lookup_sid called for SID 'S-1-5-32-544'
>>>>>>> Accepting SID S-1-5-32 in level 1
>>>>>>> lookup_rids called for domain sid 'S-1-5-32'
>>>>>>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>>>>>>> pdb_create_builtin_alias: Could not get a gid out of winbind
>>>>>>> create_builtin_administrators: Failed to create Administrators
>>>>>>> Failed to auto-add domain administrators to BUILTIN\Administrators
>>>>>>> during join: NT_STATUS_ACCESS_DENIED
>>>>>>> -----------------------------
>>>>>>
>>>>>> If I kill winbindd and then perform the join, which is how it would
>>>>>> normally happen, I see:
>>>>>>
>>>>>> --------------------------------
>>>>>> Attempting to register passdb backend tdbsam
>>>>>> Successfully added passdb backend 'tdbsam'
>>>>>> Found pdb backend tdbsam
>>>>>> pdb backend tdbsam has a valid init
>>>>>> Could not find map for sid S-1-5-32-544
>>>>>> create_builtin_administrators: Failed to create Administrators
>>>>>> Unable to auto-add domain administrators to BUILTIN\Administrators
>>>>>> during join because winbindd must be running.
>>>>>> Could not find map for sid S-1-5-32-545
>>>>>> create_builtin_users: Failed to create Users
>>>>>> Unable to auto-add domain users to BUILTIN\users during join because
>>>>>> winbindd must be running.
>>>>>> --------------------------------

Hmmm, I went and looked at the offending code:

static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
{
        NTSTATUS status;

        /* Try adding dom admins to builtin\admins. Only log failures. */
        status = create_builtin_administrators(domain_sid);
        if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
                DEBUG(10,("Unable to auto-add domain administrators to "
                          "BUILTIN\\Administrators during join because "
                          "winbindd must be running.\n"));
        } else if (!NT_STATUS_IS_OK(status)) {
                DEBUG(5, ("Failed to auto-add domain administrators to "
                          "BUILTIN\\Administrators during join: %s\n",
                          nt_errstr(status)));
        }

        /* Try adding dom users to builtin\users. Only log failures. */
        status = create_builtin_users(domain_sid);
        if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
                DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
                          "during join because winbindd must be running.\n"));
        } else if (!NT_STATUS_IS_OK(status)) {
                DEBUG(5, ("Failed to auto-add domain administrators to "
                          "BUILTIN\\Administrators during join: %s\n",
                          nt_errstr(status)));
        }
}

The problem here, it seems to me, is that this code will often be run
when we do not have winbindd running. And after tracking things down,
I see the following for pdb_create_builtin:

/**
 * Create the requested BUILTIN if it doesn't already exist.  This requires
 * winbindd to be running.
 *
 * @param[in] rid BUILTIN rid to create
 * @return Normal NTSTATUS return.
 */

Hmmm, did anyone think about the way in which people normally join a
domain from a member server?

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
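Two checks that fall out of this thread, written up as an added example (my own code, not Samba's): a lint of the "idmap config" lines that flags the duplicated "*" range and overlapping ranges Rowland pointed at, and a classifier for the join debug output that tells the "winbindd not running" case apart from the "winbind could not map S-1-5-32-544 to a gid" case. The function names, the smb.conf samples and the trimmed log excerpts are constructed for illustration; the log text itself is the wording from the join runs quoted above.

```python
"""
Lint the 'idmap config' entries of an smb.conf and classify the failure
'net ads join' logs when it cannot create the BUILTIN aliases.
Added example, not Samba code; helper names and samples are constructed.
"""
import re
from itertools import combinations
from typing import Dict, List, Tuple

# "idmap config <DOMAIN> : <option> = <value>", case-insensitive, loose spacing.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<opt>[^=]+?)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(conf: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {domain: {option: [value, ...]}}; every occurrence is kept so
    duplicate definitions can be reported.  Domain names are upper-cased."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt = m.group("dom").upper(), m.group("opt").lower()
            out.setdefault(dom, {}).setdefault(opt, []).append(m.group("val"))
    return out


def parse_range(val: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in val.split("-", 1))
    return lo, hi


def lint_idmap(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means the idmap
    configuration is at least self-consistent."""
    findings: List[str] = []
    cfg = parse_idmap_config(conf)
    if "*" not in cfg:
        findings.append("no 'idmap config *' default domain: BUILTIN and "
                        "unlisted-domain SIDs have nowhere to be mapped")
    effective: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        for opt, vals in opts.items():
            if len(vals) > 1:
                # A repeated parametric option replaces the earlier value,
                # so the first 'range' line is silently ignored.
                findings.append(f"{dom}: '{opt}' defined {len(vals)} times "
                                f"({', '.join(vals)}); only the last takes effect")
        if "backend" not in opts:
            findings.append(f"{dom}: no backend configured")
        if "range" not in opts:
            findings.append(f"{dom}: no range configured; no ids can be allocated")
            continue
        try:
            lo, hi = parse_range(opts["range"][-1])
        except ValueError:
            findings.append(f"{dom}: unparsable range '{opts['range'][-1]}'")
            continue
        if lo > hi:
            findings.append(f"{dom}: range low bound {lo} exceeds high bound {hi}")
            continue
        effective[dom] = (lo, hi)
    # Overlapping ranges let one uid/gid stand for SIDs in two domains.
    for (a, ra), (b, rb) in combinations(sorted(effective.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(f"ranges of {a} ({ra[0]}-{ra[1]}) and {b} "
                            f"({rb[0]}-{rb[1]}) overlap")
    return findings


# Strings emitted by libnet_join_add_dom_rids_to_builtins() and
# pdb_create_builtin_alias(), as quoted in the thread.
WINBINDD_DOWN = "winbindd must be running"       # logged at DEBUG level 10
WINBIND_NO_GID = "Could not get a gid out of winbind"


def classify_join_log(log: str) -> str:
    """Map a join debug log to the reason the BUILTIN aliases were not created."""
    if WINBINDD_DOWN in log:
        return "winbindd-not-running"
    if WINBIND_NO_GID in log:
        return "winbind-sid-to-gid-failed"
    if "Failed to auto-add" in log:
        return "builtin-alias-create-failed"
    return "ok"


# Constructed sample: the doubled '*' range from the thread plus a CORP domain
# whose range collides with the surviving '*' range (CORP backend is made up).
DUPLICATED_CONF = """[global]
   workgroup = CORP
   idmap config * : backend = tdb
   idmap config * : range = 2000000-2999999
   idmap config * : range = 10000000-109999999
   idmap config CORP : backend = rid
   idmap config CORP : range = 10000000-109999999
"""
CLEAN_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 2000000-2999999
   idmap config CORP : backend = rid
   idmap config CORP : range = 10000000-109999999
"""
# Trimmed excerpts of the two join runs quoted above (constructed samples).
LOG_WINBINDD_UP = ("Could not find map for sid S-1-5-32-544\n"
                   "pdb_create_builtin_alias: Could not get a gid out of winbind\n"
                   "Failed to auto-add domain administrators to BUILTIN\\Administrators "
                   "during join: NT_STATUS_ACCESS_DENIED\n")
LOG_WINBINDD_DOWN = ("Could not find map for sid S-1-5-32-544\n"
                     "Unable to auto-add domain administrators to BUILTIN\\Administrators "
                     "during join because winbindd must be running.\n")

if __name__ == "__main__":
    for name, conf in (("duplicated", DUPLICATED_CONF), ("clean", CLEAN_CONF)):
        print(name, lint_idmap(conf) or "no findings")
    print(classify_join_log(LOG_WINBINDD_UP), classify_join_log(LOG_WINBINDD_DOWN))
```

One caveat when reading real logs: the "winbindd must be running" branch is DEBUG(10), so a join run at the usual log level never prints it and the two failure modes look the same (just "Could not find map for sid S-1-5-32-544"); rerun the join with a high debug level before trusting the classifier's "ok".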

