Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Michael Adam obnox at samba.org
Thu Jul 2 21:46:43 CEST 2015 

On 2015-07-02 at 07:56 -0700, Partha Sarathi wrote:
> Hi,
> 
> Currently we are using samba-4.1.17 as member server to AD. The below is
> the idmap settings in smb.conf
> 
> allow trusted domains = yes
> idmap config * : backend = tdb
> idmap config * : range = 2000000-2999999
> idmap config  * : backend = hash
> idmap config  * : range = 10000000-109999999

This idmap config is invalid.
It specifies the default config ("*") twice,
hence only the second settings take effect.

And the hash backend is actually not suitable
for the default config, since it does not implement
the methods for just producing an ID. But creation
of group objects ('group mappings' as we call them)
currently relies on this feature from "idmap config *".
Hence the builtin groups can not be created.

We should have removed idmap_hash long ago since
it has other problems (hash collisions) and
I actually thought we had. I am shocked this
does not seem to be the case...

Cheers - Michael



> ==================================================
> 
> #net sam -d10 createbuiltingroup Administrators
> Found pdb backend tdbsam
> pdb backend tdbsam has a valid init
> Could not find map for sid S-1-5-32-544
> Trying to create builtin alias 544
> lookup_sid called for SID 'S-1-5-32-544'
> Accepting SID S-1-5-32 in level 1
> lookup_rids called for domain sid 'S-1-5-32'
> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> *pdb_create_builtin_alias: Could not get a gid out of winbind*
> Creating Administrators failed with NT_STATUS_ACCESS_DENIED
> return code = -1
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> 
> 
> root at OneBlox0025:/opt/exablox/config# wbinfo  -Y S-1-5-32-545
> *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
> Could not convert sid S-1-5-32-545 to gid
> 
> I used the *hash* backend method for the trusted domain support without
> giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
> idmap hash backend method I could see the above commands get succeeds.
> 
> Note: I didn't had this issue in 3.6.X
> 
> Question is: If I specify the "DOMAIN" to idmap hash bckend without giving
> " * "  will it support  trusted domain users to get the uid and gid from
> the range I specified ?
> 
> -- 
> Thanks & Regards
> -Partha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150702/0108afa9/attachment.pgp>

More information about the samba-technical mailing list