Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend
Partha Sarathi
parthasarathi.bl at gmail.com
Thu Jul 2 22:25:24 CEST 2015
Thanks Michael,
Also even If I have the below setting alone with rid as backend I see the
same issue on creating builtins. Winbindd expects the DOMAIN name should be
set to the backend always.
idmap config * : backend = rid
idmap config * : range = 10000000-109999999
tdb(/var/lib/samba/private/secrets.tdb): tdb_transaction_start: nesting 1
Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
lookup_sid called for SID 'S-1-5-32-544'
Accepting SID S-1-5-32 in level 1
lookup_rids called for domain sid 'S-1-5-32'
Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
*pdb_create_builtin_alias: Could not get a gid out of winbind*
Creating Administrators failed with NT_STATUS_ACCESS_DENIED
return code = -1
And my intension here is to not to give the DOMAIN be cause I don't want to
specify the separate ranges for every trusted domains. Also I have the
Builtin Administrators and Users as my default NTACLS on shares.
Could you please tel me if there any other idmap backend where its support
both trusted domain and auto add of Builtins.
Regards,
--Partha
On Thu, Jul 2, 2015 at 12:46 PM, Michael Adam <obnox at samba.org> wrote:
> On 2015-07-02 at 07:56 -0700, Partha Sarathi wrote:
> > Hi,
> >
> > Currently we are using samba-4.1.17 as member server to AD. The below is
> > the idmap settings in smb.conf
> >
> > allow trusted domains = yes
> > idmap config * : backend = tdb
> > idmap config * : range = 2000000-2999999
> > idmap config * : backend = hash
> > idmap config * : range = 10000000-109999999
>
> This idmap config is invalid.
> It specifies the default config ("*") twice,
> hence only the second settings take effect.
>
> And the hash backend is actually not suitable
> for the default config, since it does not implement
> the methods for just producing an ID. But creation
> of group objects ('group mappings' as we call them)
> currently relies on this feature from "idmap config *".
> Hence the builtin groups can not be created.
>
> We should have removed idmap_hash long ago since
> it has other problems (hash collisions) and
> I actually thought we had. I am shocked this
> does not seem to be the case...
>
> Cheers - Michael
>
>
>
> > ==================================================
> >
> > #net sam -d10 createbuiltingroup Administrators
> > Found pdb backend tdbsam
> > pdb backend tdbsam has a valid init
> > Could not find map for sid S-1-5-32-544
> > Trying to create builtin alias 544
> > lookup_sid called for SID 'S-1-5-32-544'
> > Accepting SID S-1-5-32 in level 1
> > lookup_rids called for domain sid 'S-1-5-32'
> > Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> > *pdb_create_builtin_alias: Could not get a gid out of winbind*
> > Creating Administrators failed with NT_STATUS_ACCESS_DENIED
> > return code = -1
> > Opening cache file at /var/cache/samba/gencache.tdb
> > Opening cache file at /var/run/samba/gencache_notrans.tdb
> >
> >
> > root at OneBlox0025:/opt/exablox/config# wbinfo -Y S-1-5-32-545
> > *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
> > Could not convert sid S-1-5-32-545 to gid
> >
> > I used the *hash* backend method for the trusted domain support without
> > giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
> > idmap hash backend method I could see the above commands get succeeds.
> >
> > Note: I didn't had this issue in 3.6.X
> >
> > Question is: If I specify the "DOMAIN" to idmap hash bckend without
> giving
> > " * " will it support trusted domain users to get the uid and gid from
> > the range I specified ?
> >
> > --
> > Thanks & Regards
> > -Partha
>
--
Thanks & Regards
-Partha
More information about the samba-technical
mailing list