[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

L.P.H. van Belle belle at bazuin.nl
Mon Sep 4 12:54:52 UTC 2017


Hai, 

I had a quick look at this (in the middle of server upgrades).

Your config looks OK.
This also looks OK.
> wbinfo --sid-to-uid=S-1-5-11
> 15549 

Mine shows, 
wbinfo --sid-to-uid=S-1-5-11
3000003

Normally on a DC you should see 30000xx, but that's probably from the Samba 3 upgrade.

Did you give these groups uid/gids, or did you use some mappings somewhere for these groups?
And after the upgrade, did you run net cache flush and restart samba-ad-dc?

It should not matter what the uid/gid are if the checks all work out. 

So we have to find first why this is not working for you.
wbinfo --sid-to-uid=S-1-5-32-544
3000000 <<< my output. 

Comparing your setup to mine:

(this one is set to 0 by default; you need a minimum of 2 in my opinion, I prefer 4)
winbind expand groups = 4

Besides that, almost the same; I use bind9_dlz, you the internal DNS.
But that should not matter. 

Start with the net cache flush and restart samba-ad-dc. 



Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jiří Černý via samba
> Sent: Monday 4 September 2017 13:53
> To: samba at lists.samba.org
> Subject: [Samba] BUILTIN\Administrators - failed to call
> wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> 
> Hello everyone.
> I'm trying to fix sysvol rights, because I see errors in the
> output of /usr/bin/samba-tool ntacl sysvolcheck:
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> That's nothing new, this was discussed here many times.
> 
> Today, I decided to try the script
> (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh)
> by Mr. van Belle and I ended up with this error:
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
> 
> Confirmed:
> wbinfo --sid-to-uid=S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
> 
> So I have a problem with the builtin group Administrators; other groups look good:
> wbinfo --sid-to-uid=S-1-5-32-549
> 15543
> wbinfo --sid-to-uid=S-1-5-11
> 15549
> 
> DB seems to be ok:
> samba-tool dbcheck --cross-ncs --fix
> Checking 5227 objects
> Checked 5227 objects (0 errors)
> 
> Is there any way to fix my domain?
> 
> I have AD migrated from Samba 3 NT (migrated to SerNet Samba 4.2).
> Running now on 2 CentOS6 DCs, SerNet Samba 4.6.7.
> Here is my DS's smb.conf:
> # Global parameters
> [global]
>  workgroup = COMPANY
>  realm = samdom.company.cz
>  netbios name = DC01
>  server role = active directory domain controller
>  idmap_ldb:use rfc2307 = yes
>  dns forwarder = 192.168.1.34
>  allow dns updates = nonsecure
>  log level = 1
>  load printers = no
>  printing = bsd
>  printcap name = /dev/null
>  disable spoolss = yes
> 
> [netlogon]
>  path = /var/lib/samba/sysvol/samdom.company.cz/scripts
>  read only = No
>  acl_xattr:ignore system acls = yes
> 
> [sysvol]
>  path = /var/lib/samba/sysvol
>  read only = No
>  acl_xattr:ignore system acls = yes
> 
> 
> 
> 
> Yours sincerely
>  
> Jiří Černý
> System administrator
>  
> +420 775 860 300
> cerny at svmetal.cz
> helpdesk at svmetal.cz
>  
> SV metal spol. s r.o.
> Divec 99
> 500 03 Hradec Králové
> Czech republic
>  
> www.svmetal.cz 
> 
> 
> 
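
The sysvolcheck error in the quoted message compares two SDDL strings that are hard to tell apart by eye. As an added example (not part of the thread and not Samba's own code), the Python below splits both descriptors into owner, group and ACL parts and reports what differs; `parse_sddl` and `diff_sddl` are hypothetical names, and the parser assumes the simple ACE syntax seen in this error.

```python
import re

# Both descriptors are copied from the sysvolcheck error quoted above.
FS_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

# One component: tag, then owner/group SID or ACL flags, then zero or more ACEs.
TOKEN = re.compile(r"([OGDS]):((?:(?![OGDS]:)[^(])*)((?:\([^)]*\))*)")
NAMES = {"O": "owner", "G": "group", "D": "DACL", "S": "SACL"}

def parse_sddl(sddl):
    """Map each component tag to (value, [ACE strings]); the list is empty for O/G."""
    return {tag: (value, re.findall(r"\(([^)]*)\)", aces))
            for tag, value, aces in TOKEN.findall(sddl)}

def diff_sddl(actual, expected):
    """Return readable differences between two security descriptors."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for tag in "OGDS":
        (av, aa), (ev, ea) = a.get(tag, ("", [])), e.get(tag, ("", []))
        if av != ev:
            out.append(f"{NAMES[tag]}: {av or '-'} != expected {ev or '-'}")
        out += [f"{NAMES[tag]}: unexpected ACE ({x})" for x in aa if x not in ea]
        out += [f"{NAMES[tag]}: missing ACE ({x})" for x in ea if x not in aa]
        # ACE order is significant in an ACL, so report a pure reordering too.
        if aa != ea and sorted(aa) == sorted(ea):
            out.append(f"{NAMES[tag]}: same ACEs, different order")
    return out

if __name__ == "__main__":
    for line in diff_sddl(FS_SDDL, GPO_SDDL):
        print(line)
```

On the two strings from the error it reports only the owner: LA (the built-in Administrator account) in the DB ACL versus DA (Domain Admins) on the GPO object; the DACLs are identical.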



