[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
L.P.H. van Belle
belle at bazuin.nl
Mon Sep 4 12:54:52 UTC 2017
Hai,
I had a quick look at this (in the middle of server upgrades)..
Your config looks ok.
This looks also ok.
> wbinfo --sid-to-uid=S-1-5-11
> 15549
Mine shows,
wbinfo --sid-to-uid=S-1-5-11
3000003
Normally on a DC you should see 30000xx, but that's probably from the Samba 3 upgrade.
Did you give these groups uid/gids, or did you use some mappings somewhere for these groups?
And after the upgrade, did you run net cache flush and restart samba-ad-dc?
It should not matter what the uid/gid are if the checks all work out.
So we have to find first why this is not working for you.
wbinfo --sid-to-uid=S-1-5-32-544
3000000 <<< my output.
Compared your setup with mine.
(This one is set to 0 by default; you need a minimum of 2 in my opinion, I prefer 4.)
winbind expand groups = 4
Besides that, almost the same; I use bind9_dlz, you the internal DNS.
But that should not matter.
Start with the net cache flush and restart samba-ad-dc.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jiří Černý via samba
> Sent: Monday 4 September 2017 13:53
> To: samba at lists.samba.org
> Subject: [Samba] BUILTIN\Administrators - failed to call
> wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>
> Hello everyone.
> I'm trying to fix sysvol rights, because I see errors in
> output of /usr/bin/samba-tool ntacl sysvolcheck ERROR(<class
> 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016
> F-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;
> OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f0
> 1ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;
> OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f0
> 1ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
> File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py",
> line 270, in run
> lp)
> File
> "/usr/lib64/python2.6/site-packages/samba/provision/__init__.p
> y", line 1723, in checksysvolacl
> direct_db_access)
> File
> "/usr/lib64/python2.6/site-packages/samba/provision/__init__.p
> y", line 1674, in check_gpos_acl
> domainsid, direct_db_access)
> File
> "/usr/lib64/python2.6/site-packages/samba/provision/__init__.p
> y", line 1621, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO directory %s %s
> does not match expected value %s from GPO object' %
> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> That's nothing new, this was discussed here many times.
>
> Today, I decided to try the script
> (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh)
> by Mr. van Belle and I ended with this error:
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could
> not convert sid S-1-5-32-544 to uid
>
> Confirmed:
> wbinfo --sid-to-uid=S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could
> not convert sid S-1-5-32-544 to uid
>
> So I have a problem with the builtin group Administrators; other groups look
> good:
> wbinfo --sid-to-uid=S-1-5-32-549
> 15543
> wbinfo --sid-to-uid=S-1-5-11
> 15549
>
> DB seems to be ok:
> samba-tool dbcheck --cross-ncs --fix
> Checking 5227 objects
> Checked 5227 objects (0 errors)
>
> Is there any way to fix my domain?
>
> I have AD migrated from Samba 3 NT (migrated to SerNet Samba 4.2).
> Running now on 2 CentOS6 DCs, SerNet Samba 4.6.7.
> Here is my DS's smb.conf:
> # Global parameters
> [global]
> workgroup = COMPANY
> realm = samdom.company.cz
> netbios name = DC01
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 192.168.1.34
> allow dns updates = nonsecure
> log level = 1
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.company.cz/scripts
> read only = No
> acl_xattr:ignore system acls = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = yes
>
>
>
>
> Yours sincerely
>
> Jiří Černý
> System administrator
>
> +420 775 860 300
> cerny at svmetal.cz
> helpdesk at svmetal.cz
>
> SV metal spol. s r.o.
> Divec 99
> 500 03 Hradec Králové
> Czech republic
>
> www.svmetal.cz
>
>
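Added example, not part of the original thread and not Samba's own code: a small Python 3 parser that splits the two SDDL strings from the quoted sysvolcheck error into owner, group and ACEs and reports which components differ. The function and variable names are hypothetical; the input is the pair of strings from the error with the mail line-wraps removed.

```python
import re
from itertools import zip_longest

# Constructed input: the two SDDL strings from the quoted error, mail line-wraps removed.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
ACTUAL = "O:LAG:DAD:P" + ACES     # ACL reported for the GPO directory
EXPECTED = "O:DAG:DAD:P" + ACES   # expected value from the GPO object

# A SID is either a two-letter SDDL alias (DA, LA, SY, ...) or a literal S-1-... string.
SID = r"(?:S-1-[0-9-]+|[A-Z]{2})"
SDDL_RE = re.compile(
    rf"^(?:O:(?P<owner>{SID}))?(?:G:(?P<group>{SID}))?"
    r"(?:D:(?P<dacl_flags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*))?"
    r"(?:S:(?P<sacl_flags>[A-Z]*)(?P<sacl>(?:\([^()]*\))*))?$")
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, ACL flags and lists of ACE dicts.
    Conditional ACEs (nested parentheses) are not handled and raise ValueError."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unrecognised SDDL: %r" % sddl)
    parsed = m.groupdict()
    for acl in ("dacl", "sacl"):
        aces = re.findall(r"\(([^()]*)\)", parsed[acl] or "")
        parsed[acl] = [dict(zip(ACE_FIELDS, ace.split(";"))) for ace in aces]
    return parsed


def diff_sddl(actual, expected):
    """Return {component: (actual, expected)} for every part that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = {k: (a[k], e[k])
             for k in ("owner", "group", "dacl_flags", "sacl_flags") if a[k] != e[k]}
    for acl in ("dacl", "sacl"):
        # ACE order is significant, so compare position by position.
        for i, (x, y) in enumerate(zip_longest(a[acl], e[acl])):
            if x != y:
                diffs["%s[%d]" % (acl, i)] = (x, y)
    return diffs


if __name__ == "__main__":
    for part, (got, want) in diff_sddl(ACTUAL, EXPECTED).items():
        print("%-12s actual: %s   expected: %s" % (part, got, want))
```

In SDDL, `LA` is the alias for the built-in Administrator account and `DA` for Domain Admins; for the two strings in the quoted error the only reported difference is the owner field.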