Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Richard Sharpe realrichardsharpe at gmail.com
Sat Jul 4 17:08:16 CEST 2015


On Fri, Jul 3, 2015 at 1:40 AM, Michael Adam <obnox at samba.org> wrote:
> On 2015-07-02 at 14:10 -0700, Richard Sharpe wrote:
>> On Thu, Jul 2, 2015 at 1:43 PM, Michael Adam <obnox at samba.org> wrote:
>> > On 2015-07-02 at 13:25 -0700, Partha Sarathi wrote:
>> >> Thanks Michael,
>> >>
>> >> Also, even if I have the below setting alone with rid as the backend, I see the
>> >> same issue when creating builtins. Winbindd expects the DOMAIN name should be
>> >> set for the backend always.
>> >>
>> >> idmap config * : backend = rid
>> >> idmap config * : range = 10000000-109999999
>> >
>> > Rid cannot be used as the default backend either.
>> > See the manpage of idmap_rid for examples.
>> >
>> > Rid has to be configured for each domain that
>> > should use the rid backend separately and with
>> > mutually disjoint ranges. Otherwise, sids from
>> > different domains but with the same RID would
>> > get the same UID or GID ...
>> >
>> > You can use the autorid backend as default!
>> > This automatically associates rid-ranges for
>> > the domains as they come across.
>>
>> OK, but what about the issue where it seems that net ads join
>> will not auto-add Domain Admins and Domain Users to the builtin
>> groups when winbindd is not running?
>
> If net did not do it, then it will be done later
> when users authenticate to the system:
>
> e.g.
>
> create_local_token
> -> create_local_nt_token_from_info3
>  -> finalize_local_nt_token
>   -> create_builtin_administrators
>    -> add_sid_to_builtin...

OK, I can see that this has been deferred until the first logon.

However, I can see workflows where customers are adding to
BUILTIN\Administrators via the vendor-supplied workflow before the
first user login, and they would have to know to call
create_builtin_administrators.

>> Surely, winbindd is never running before someone joins a domain,
>
> Not sure if this can be taken for granted.

Well, generally, it is true when they first join a domain, and in most
appliance situations customers very rarely unjoin and rejoin the
domain; in those cases I have seen that we are not cleaning
up the group mapping file.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)
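As an added example (not part of this thread or of Samba itself), a small Python check for the two idmap mistakes discussed above: rid configured as the default `*` backend, and per-domain rid ranges that are not mutually disjoint. The smb.conf fragments and the domain names CORP and TRUSTED are constructed.

```python
import re

# Constructed smb.conf fragments (not from the thread). BAD repeats the "rid as
# default backend" setting quoted above plus two overlapping per-domain rid ranges;
# GOOD uses autorid as the default with disjoint ranges. CORP/TRUSTED are made up.
BAD_SMB_CONF = """
idmap config  * : backend = rid
idmap config  * : range = 10000000-109999999
idmap config CORP : backend = rid
idmap config CORP : range = 10000-49999
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 40000-79999
"""
GOOD_SMB_CONF = """
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
idmap config CORP : backend = rid
idmap config CORP : range = 10000-49999
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 50000-89999
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect 'idmap config <domain> : <option> = <value>' lines per domain."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_idmap(conf):
    """Return findings: rid as the '*' default backend, and overlapping ranges."""
    findings = []
    domains = parse_idmap(conf)
    if domains.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("default backend '*' is rid; use autorid (or tdb) as the default")
    ranges = sorted((*map(int, o["range"].split("-")), d)
                    for d, o in domains.items() if "range" in o)
    # Walk ranges by low end, tracking the highest end seen so far: a range that
    # starts at or below it overlaps an earlier one (not only its sorted neighbour).
    prev_hi, prev_dom = -1, ""
    for lo, hi, dom in ranges:
        if lo <= prev_hi:
            findings.append(f"range of {dom} ({lo}-{hi}) overlaps {prev_dom}")
        if hi > prev_hi:
            prev_hi, prev_dom = hi, dom
    return findings
```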