Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend
Michael Adam
obnox at samba.org
Fri Jul 3 10:40:30 CEST 2015
On 2015-07-02 at 14:10 -0700, Richard Sharpe wrote:
> On Thu, Jul 2, 2015 at 1:43 PM, Michael Adam <obnox at samba.org> wrote:
> > On 2015-07-02 at 13:25 -0700, Partha Sarathi wrote:
> >> Thanks Michael,
> >>
> >> Also, even if I have the below setting alone with rid as backend I see the
> >> same issue on creating builtins. Winbindd expects the DOMAIN name to be
> >> set for the backend always.
> >>
> >> idmap config * : backend = rid
> >> idmap config * : range = 10000000-109999999
> >
> > Rid cannot be used as default backend either.
> > See the manpage of idmap_rid for examples.
> >
> > Rid has to be configured for each domain that
> > should use the rid backend separately and with
> > mutually disjoint ranges. Otherwise, sids from
> > different domains but with the same RID would
> > get the same UID or GID ...
> >
> > You can use the autorid backend as default!
> > This automatically associates rid-ranges for
> > the domains as they come across.
>
> OK, but what about the issue where it seems that net ads join
> will not auto-add Domain Admins and Domain Users to the builtin
> groups when winbindd is not running.
If net did not do it, then it will be done later
when users authenticate to the system:
e.g.
create_local_token
-> create_local_nt_token_from_info3
-> finalize_local_nt_token
-> create_builtin_administrators
-> add_sid_to_builtin...
> Surely, winbindd is never running before someone joins a domain,
Not sure if this can be taken for granted.
> and silent errors can cause all sorts of problems in tracking
> things down.
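For the configuration point made above (rid must not be the default backend, and per-domain rid ranges must be disjoint), here is a small added check script. It is not part of this thread or of Samba itself; the domain names CORP and TRUSTED and the two smb.conf fragments are constructed for illustration. It assumes the documented idmap_rid mapping ID = RANGE_LOW + RID (base_rid 0) and shows why two domains sharing one range give the same GID for the same RID (512 is the well-known Domain Admins RID).

```python
import re
from collections import defaultdict

# Constructed smb.conf fragments (illustration only, not from the mail thread).
BROKEN_CONF = """
[global]
   idmap config * : backend = rid
   idmap config * : range = 10000000-109999999
"""

FIXED_CONF = """
[global]
   idmap config * : backend = autorid
   idmap config * : range = 1000000-9999999
   idmap config CORP : backend = rid
   idmap config CORP : range = 10000000-19999999
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 20000000-29999999
"""

# Matches "idmap config <DOMAIN> : backend = x" and "idmap config <DOMAIN> : range = lo-hi".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I
)


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from an smb.conf text."""
    cfg = defaultdict(dict)
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            cfg[dom]["range"] = (lo, hi)
        else:
            cfg[dom]["backend"] = val.lower()
    return dict(cfg)


def rid_to_id(id_range, rid):
    """idmap_rid algorithm (base_rid 0): ID = RANGE_LOW + RID, None if outside the range."""
    lo, hi = id_range
    uid = lo + rid
    return uid if lo <= uid <= hi else None


def check_idmap(cfg):
    """Flag rid as default backend and any pair of domains whose ranges overlap."""
    problems = []
    if cfg.get("*", {}).get("backend") == "rid":
        problems.append("rid cannot be the default (*) backend; use autorid, "
                        "or configure rid per domain with disjoint ranges")
    ranged = sorted((d, c["range"]) for d, c in cfg.items() if "range" in c)
    for i, (a, (alo, ahi)) in enumerate(ranged):
        for b, (blo, bhi) in ranged[i + 1:]:
            if alo <= bhi and blo <= ahi:      # closed intervals intersect
                problems.append(f"id ranges of {a} and {b} overlap")
    return problems


def collision(rid, ranges):
    """Map one RID through several domains' ranges; True if any two IDs coincide."""
    ids = [rid_to_id(r, rid) for r in ranges]
    return len(ids) != len(set(ids))


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        cfg = parse_idmap(conf)
        print(name, check_idmap(cfg) or "ok")
    # Same RID (512, Domain Admins) from two domains through one shared range:
    shared = (10000000, 109999999)
    print("shared range, RID 512 collides:", collision(512, [shared, shared]))
    fixed = parse_idmap(FIXED_CONF)
    print("disjoint ranges, RID 512 collides:",
          collision(512, [fixed["CORP"]["range"], fixed["TRUSTED"]["range"]]))
```

The overlap check is the part worth keeping around: a shared or overlapping rid range silently turns "Domain Admins" of one trusted domain into the same GID as "Domain Admins" of another, which is a cross-domain privilege mix-up rather than a mere cosmetic mapping error.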