Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Richard Sharpe realrichardsharpe at gmail.com
Thu Jul 2 23:10:21 CEST 2015


On Thu, Jul 2, 2015 at 1:43 PM, Michael Adam <obnox at samba.org> wrote:
> On 2015-07-02 at 13:25 -0700, Partha Sarathi wrote:
>> Thanks Michael,
>>
>> Also even if I have the below setting alone with rid as backend I see the
>> same issue on creating builtins. Winbindd expects the DOMAIN name should be
>> set to the backend always.
>>
>>  idmap config  * : backend = rid
>> idmap config  * : range = 10000000-109999999
>
> Rid can not be used as default backend either.
> See the manpage of idmap_rid for examples.
>
> Rid has to be configured for each domain that
> should use the rid backend separately and with
> mutually disjoint ranges. Otherwise, sids from
> different domains but with the same RID would
> get the same UID or GID ...
>
> You can use the autorid backend as default!
> This automatically associates rid-ranges for
> the domains as they come across.

OK, but what about the issue where it seems that net ads join will not
auto-add Domain Admins and Domain Users to the builtin groups when
winbindd is not running?

Surely, winbindd is never running before someone joins a domain, and
silent errors can cause all sorts of problems in tracking things down.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
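
The ID collision described in the quoted reply, as an added example that is not part of the original thread and is not Samba code: it models the mapping formula documented in the idmap_rid manpage (ID = RID - BASE_RID + LOW_RANGE_ID) and compares rid as the `*` default against per-domain disjoint ranges. The domain SIDs, the per-domain range values and all function names are constructed for illustration.

```python
# Added illustration; models the documented idmap_rid formula, not Samba source.
def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    dom, _, rid = sid.rpartition("-")
    if not dom.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return dom, int(rid)

def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if rid >= base_rid and low <= unix_id <= high else None

def map_sids(sids, ranges):
    """ranges: {domain SID: (low, high)}; '*' is the default entry."""
    out = {}
    for sid in sids:
        dom, rid = split_sid(sid)
        rng = ranges.get(dom, ranges.get("*"))
        out[sid] = rid_to_id(rid, *rng) if rng else None
    return out

def collisions(mapping):
    """Return {unix id: [SIDs]} for every ID claimed by more than one SID."""
    by_id = {}
    for sid, uid in mapping.items():
        if uid is not None:
            by_id.setdefault(uid, []).append(sid)
    return {uid: s for uid, s in by_id.items() if len(s) > 1}

# Constructed domain SIDs (not from the thread).
DOM_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOM_B = "S-1-5-21-4444444444-5555555555-6666666666"
SIDS = [f"{DOM_A}-1104", f"{DOM_B}-1104", f"{DOM_A}-513"]

# rid as the '*' default, using the range quoted in the thread.
SHARED = {"*": (10000000, 109999999)}
# rid configured per domain with disjoint ranges (range values constructed).
DISJOINT = {DOM_A: (10000000, 19999999), DOM_B: (20000000, 29999999)}

if __name__ == "__main__":
    for name, cfg in (("shared", SHARED), ("disjoint", DISJOINT)):
        m = map_sids(SIDS, cfg)
        print(name, m, "collisions:", collisions(m))
```

With the shared range, two different principals end up with one Unix ID, so file ownership and ACL checks can no longer tell them apart; the per-domain ranges keep them distinct.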

