Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Michael Adam obnox at samba.org
Thu Jul 2 22:43:22 CEST 2015


On 2015-07-02 at 13:25 -0700, Partha Sarathi wrote:
> Thanks Michael,
> 
> Also, even if I have the below setting alone with rid as backend I see the
> same issue when creating builtins. Winbindd expects the DOMAIN name to
> always be set for the backend.
> 
>  idmap config  * : backend = rid
> idmap config  * : range = 10000000-109999999

Rid cannot be used as the default backend either.
See the manpage of idmap_rid for examples.

Rid has to be configured for each domain that
should use the rid backend separately and with
mutually disjoint ranges. Otherwise, sids from
different domains but with the same RID would
get the same UID or GID ...

You can use the autorid backend as default!
This automatically associates rid-ranges for
the domains as they come across.

Michael

> tdb(/var/lib/samba/private/secrets.tdb): tdb_transaction_start: nesting 1
> Could not find map for sid S-1-5-32-544
> Trying to create builtin alias 544
> lookup_sid called for SID 'S-1-5-32-544'
> Accepting SID S-1-5-32 in level 1
> lookup_rids called for domain sid 'S-1-5-32'
> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> *pdb_create_builtin_alias: Could not get a gid out of winbind*
> Creating Administrators failed with NT_STATUS_ACCESS_DENIED
> return code = -1
> 
> And my intention here is not to give the DOMAIN, because I don't want to
> specify separate ranges for every trusted domain. Also I have the
> Builtin Administrators and Users as my default NTACLs on shares.
> 
> Could you please tell me if there is any other idmap backend that supports
> both trusted domains and auto-adding of Builtins.
> 
> Regards,
> --Partha
> 
> 
> On Thu, Jul 2, 2015 at 12:46 PM, Michael Adam <obnox at samba.org> wrote:
> 
> > On 2015-07-02 at 07:56 -0700, Partha Sarathi wrote:
> > > Hi,
> > >
> > > Currently we are using samba-4.1.17 as member server to AD. The below is
> > > the idmap settings in smb.conf
> > >
> > > allow trusted domains = yes
> > > idmap config * : backend = tdb
> > > idmap config * : range = 2000000-2999999
> > > idmap config  * : backend = hash
> > > idmap config  * : range = 10000000-109999999
> >
> > This idmap config is invalid.
> > It specifies the default config ("*") twice,
> > hence only the second settings take effect.
> >
> > And the hash backend is actually not suitable
> > for the default config, since it does not implement
> > the methods for just producing an ID. But creation
> > of group objects ('group mappings' as we call them)
> > currently relies on this feature from "idmap config *".
> > Hence the builtin groups cannot be created.
> >
> > We should have removed idmap_hash long ago since
> > it has other problems (hash collisions) and
> > I actually thought we had. I am shocked this
> > does not seem to be the case...
> >
> > Cheers - Michael
> >
> >
> >
> > > ==================================================
> > >
> > > #net sam -d10 createbuiltingroup Administrators
> > > Found pdb backend tdbsam
> > > pdb backend tdbsam has a valid init
> > > Could not find map for sid S-1-5-32-544
> > > Trying to create builtin alias 544
> > > lookup_sid called for SID 'S-1-5-32-544'
> > > Accepting SID S-1-5-32 in level 1
> > > lookup_rids called for domain sid 'S-1-5-32'
> > > Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> > > *pdb_create_builtin_alias: Could not get a gid out of winbind*
> > > Creating Administrators failed with NT_STATUS_ACCESS_DENIED
> > > return code = -1
> > > Opening cache file at /var/cache/samba/gencache.tdb
> > > Opening cache file at /var/run/samba/gencache_notrans.tdb
> > >
> > >
> > > root at OneBlox0025:/opt/exablox/config# wbinfo  -Y S-1-5-32-545
> > > *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
> > > Could not convert sid S-1-5-32-545 to gid
> > >
> > > I used the *hash* backend method for the trusted domain support without
> > > giving any specific "DOMAIN" to it. But if I specify the DOMAIN to the
> > > idmap hash backend method I could see the above commands succeed.
> > >
> > > Note: I didn't have this issue in 3.6.X
> > >
> > > Question is: If I specify the "DOMAIN" to the idmap hash backend without
> > > giving " * ", will it support trusted domain users to get the uid and gid
> > > from the range I specified?
> > >
> > > --
> > > Thanks & Regards
> > > -Partha
> >
> 
> 
> 
> -- 
> Thanks & Regards
> -Partha
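An added example, not code from this thread or from Samba: a small Python checker that reads the idmap lines of an smb.conf fragment and reports the problems raised above (a default "*" block set twice, where only the last value takes effect; hash or rid used as the default backend; overlapping ID ranges between domains). The smb.conf snippet is constructed to mirror the configuration quoted in the thread, and the checker is a complement to testparm, not a replacement.

```python
import re
from typing import Dict, List, Tuple

# Backends that cannot serve the default ("*") config: they cannot allocate
# a fresh ID on their own, which builtin-group creation relies on.
NOT_DEFAULT_CAPABLE = {"hash", "rid"}

# Constructed sample, mirroring the configuration quoted in the thread.
SAMPLE_CONF = """
allow trusted domains = yes
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config  * : backend = hash
idmap config  * : range = 10000000-109999999
"""

LINE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return {domain: {key: value}} plus the keys that were set twice.
    As in smb.conf itself, a later duplicate silently replaces the earlier one."""
    domains: Dict[str, Dict[str, str]] = {}
    dupes: List[str] = []
    for line in conf.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        block = domains.setdefault(dom, {})
        if key in block:
            dupes.append(f"idmap config {dom} : {key}")
        block[key] = val
    return domains, dupes


def check_idmap(conf: str) -> List[str]:
    """Report the misconfigurations discussed in the thread."""
    domains, dupes = parse_idmap(conf)
    problems = [f"{d} is set twice; only the last value takes effect" for d in dupes]
    default = domains.get("*", {})
    if not default:
        problems.append("no default 'idmap config *' block")
    elif default.get("backend", "").lower() in NOT_DEFAULT_CAPABLE:
        problems.append(f"'{default['backend']}' cannot be the default backend; use tdb or autorid")
    ranges = []
    for dom, cfg in domains.items():
        if "range" in cfg:
            lo, hi = (int(x) for x in cfg["range"].split("-"))
            ranges.append((dom, lo, hi))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # overlap: SIDs from two domains share one ID
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems
```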