[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Rowland Penny rpenny at samba.org
Mon Sep 4 12:50:10 UTC 2017


On Mon, 04 Sep 2017 13:53:23 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> Hello everyone.
> I'm trying to fix sysvol rights, because I see errors in the output of
> /usr/bin/samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py",
> line 270, in run
>     lp)
>   File
> "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line
> 1723, in checksysvolacl
>     direct_db_access)
>   File
> "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line
> 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File
> "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line
> 1621, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' %
> (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> That's nothing new, this was discussed here many times.
> 
> Today, I decided to try script
> (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh)
> by Mr. van Belle and I ended with this error:
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
> 
> Confirmed:
> wbinfo --sid-to-uid=S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
> 
> So I have a problem with the builtin group Administrators; other groups look
> good:
> wbinfo --sid-to-uid=S-1-5-32-549
> 15543
> wbinfo --sid-to-uid=S-1-5-11
> 15549
> 
> DB seems to be ok:
> samba-tool dbcheck --cross-ncs --fix
> Checking 5227 objects
> Checked 5227 objects (0 errors)
> 
> Is there any way to fix my domain?
> 

There is probably nothing wrong with your domain; it looks like you
have given some of your Windows AD groups a gidNumber:

S-1-5-32-549 is Server Operators

S-1-5-11 is Authenticated Users

They are both listed as 'ID_TYPE_BOTH' in idmap.ldb.

Can I suggest you go here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

Check your AD and remove any gidNumber or uidNumber attributes from any
users or groups that appear on that page except for 'Domain Users'.

Rowland
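
One way to run the check suggested in the reply above over an LDIF export of the directory, as an added example that is not part of the original thread: it flags objects with a well-known SID that carry uidNumber or gidNumber, exempting Domain Users. The function names, the sample records and the rule that domain RIDs below 1000 are reserved are assumptions of this example, and objectSid is assumed to appear in string form (S-1-...).

```python
import re

# Constructed sample LDIF (not data from the thread); objectSid in string form.
SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=example,DC=com
objectSid: S-1-5-32-544
gidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10002
"""

DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
DOMAIN_USERS_RID = 513      # the one exception named in the reply
FIRST_ORDINARY_RID = 1000   # assumption: domain RIDs below this are reserved

def parse_ldif(text):
    """One dict per record: lower-cased attribute name -> list of values."""
    records = []
    # Unfold continuation lines (leading space), then split on blank lines.
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text)):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                rec.setdefault(attr.rstrip(":").lower(), []).append(value)
        if "dn" in rec:
            records.append(rec)
    return records

def is_well_known(sid):
    """True for non-domain SIDs (BUILTIN, S-1-5-11, ...) and reserved domain RIDs."""
    m = DOMAIN_SID.match(sid)
    rid = int(m.group(1)) if m else 0   # non-domain SIDs count as reserved
    return rid < FIRST_ORDINARY_RID and rid != DOMAIN_USERS_RID

def find_offenders(ldif_text):
    """Return (dn, sid, [attrs]) for well-known objects carrying Unix IDs."""
    hits = []
    for rec in parse_ldif(ldif_text):
        sid = rec.get("objectsid", [""])[0]
        ids = [a for a in ("uidnumber", "gidnumber") if a in rec]
        if ids and sid.startswith("S-1-") and is_well_known(sid):
            hits.append((rec["dn"][0], sid, ids))
    return hits
```

`find_offenders(SAMPLE_LDIF)` reports the Administrators and Domain Admins records and leaves Domain Users alone; records whose objectSid is base64-encoded are skipped rather than guessed at.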



