[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Jiří Černý
cerny at svmetal.cz
Tue Sep 5 08:24:58 UTC 2017
Thank you both, Rowland and Louis.
I'll try to answer you both and give you more info about our domain.
Generally:
In the past, we have Samba 3.5 NT4 domain on SLES server (designed ages
before, never upgraded). In 2015 I finally decided to migrate to Samba 4
AD. In those day it was 4.2. samba-tool ntacl sysvolcheck was ok, no
errors. AD worked (and working) as expected.
This summer, I managed Samba+ subscription from SerNet, so we upgraded
to 4.6.X. As I said, everything work, but sysvolcheck throws errors that
you discussed in other thread.
Original Samba 3 domain was combination of Samba and LDAP backed. So
domain scheme was populated by smbldap-tools. Users/groups were added by
LAM (so smbldap-tools too). UIDs/GIDs were populated by RIDs. ID map
range was from 500 to 10000, so every group and user in our domain have
UIDs/GIDs same as their RID. NSS was driven by LDAP (passwd, shadow and
group in nsswitch.conf had ldap directive).
After migration (in 2015) I changed this at least for new users and
groups. I know, that's not the best solution, but it worked I hadn't to
reset all ACLs on our fileservers.
Rowland:
Yes, our are right. There were UIDs and GIDs set on "system" users and
groups. I removed all (is removing in AUDC enough? I newer worked with
ldb tools) except Domain Users and Domain Admins (we use this group as
owner group on many shares on our fileservers).
Louis:
I thing that the "bad" numbers in my domain are legacy pro Samba 3 +
LDAP. AD service restart and net cache flush were executed many times as
we run this domain 2 years.
So what's next?
Do you think that I have to rearrange UIDs and GIDs in our domain to
match numeric pattern as in cleanly provisioned domain?
Thanks for you time. Have a nice day.
Yours sincerely
Jiří Černý
System administrator
+420 775 860 300
cerny at svmetal.cz
helpdesk at svmetal.cz
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic
www.svmetal.cz
>>> Jiří Černý 4.9.2017 13:53 >>>
Hello everyone.
I'm trying to fix sysvol rights, because i see errors in output of
/usr/bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line
270, in run
lp)
File
"/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line
1723, in checksysvolacl
direct_db_access)
File
"/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line
1674, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line
1621, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
path, fsacl_sddl, acl))
That's nothing new, this was disused here many times.
Today, I decided to try script
(https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh)
by mr. van Belle and I ended with this error:
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid
Confirmed:
wbinfo --sid-to-uid=S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid
So I have problem with builtin group Administrators, other groups look
good:
wbinfo --sid-to-uid=S-1-5-32-549
15543
wbinfo --sid-to-uid=S-1-5-11
15549
DB seems to be ok:
samba-tool dbcheck --cross-ncs --fix
Checking 5227 objects
Checked 5227 objects (0 errors)
Is there any way to fix my domain?
I have AD migrated from Samba 3 NT (migrated to SerNet Samba 4.2).
Running now on 2 CentOS6 DCs, SerNet Samba 4.6.7.
Here is my DS's smb.conf:
# Global parameters
[global]
workgroup = COMPANY
realm = samdom.company.cz
netbios name = DC01
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 192.168.1.34
allow dns updates = nonsecure
log level = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.company.cz/scripts
read only = No
acl_xattr:ignore system acls = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes
Yours sincerely
Jiří Černý
System administrator
+420 775 860 300
cerny at svmetal.cz
helpdesk at svmetal.cz
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic
www.svmetal.cz
More information about the samba
mailing list