[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

L.P.H. van Belle belle at bazuin.nl
Tue Sep 5 08:48:52 UTC 2017


Hai, 

I leave the advice about the uid/gid numbering to Rowland, I cannot give good advice on that. 

The script was made in such a way that it should not matter which uid/gids are used where. 
The script looks them up for you, but it must be error free so we are sure that what is set is correct. 

If you look in the script, you see the four SIDs. 

DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"
These must all resolve with wbinfo to get the correct uid/gid for sysvol.

These wbinfo tests:

For "BUILTIN\Administrators" and "BUILTIN\Server Operators":
--sid-to-uid --uid-to-sid --gid-to-sid --sid-to-name --name-to-sid 

For System and Authenticated Users, these must be tested:
--sid-to-uid --uid-to-sid --gid-to-sid --sid-to-name


If one of these fails, you have an error in the setup; these should all resolve on the DC. 
wbinfo --sid-to-uid="S-1-5-32-544"

wbinfo --uid-to-sid="The result of above (uid)", returns the value of above (S-1-5-32-544)
wbinfo --gid-to-sid="The result of the first, =(uid)=(gid)", returns the value of above (S-1-5-32-544)

wbinfo --sid-to-name="S-1-5-32-544" results in the name.
wbinfo --name-to-sid="The result of above (name)", returns the value of above (S-1-5-32-544)


Greetz, 

Louis
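The round-trip tests listed above, turned into a runnable check. This is an added example and not the samba-check-set-sysvol.sh script itself or any other Samba project code; it only drives the real wbinfo. Assumptions: the WBINFO variable is an override hook of this example (it defaults to the wbinfo in PATH), `wbinfo --sid-to-name` is assumed to print "DOMAIN\name TYPE" and `wbinfo --name-to-sid` to print "SID SID_TYPE (n)", and the uid returned for a builtin/well-known SID is assumed to also be the gid, as the tests above expect.

```shell
#!/bin/sh
# Added example (not Louis's samba-check-set-sysvol.sh): run the wbinfo
# round-trip tests for the four SIDs and report which step fails.
# WBINFO is an assumed override hook; it defaults to the wbinfo in PATH.
WBINFO="${WBINFO:-wbinfo}"

DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"

wb() { "$WBINFO" "$@"; }

# sid_roundtrip SID NAMECHECK
#   sid-to-uid must succeed; uid-to-sid and gid-to-sid on that number must
#   return the same SID (assumed: one number serves as both uid and gid);
#   sid-to-name must succeed; and, when NAMECHECK is 1, name-to-sid on that
#   name must return the SID again.
# Prints a FAIL line per broken step, an OK line if all pass; returns 0 only
# when every step passed.
sid_roundtrip() {
    sid=$1 namecheck=$2 rc=0
    num=$(wb --sid-to-uid="$sid") || { printf 'FAIL %s: sid-to-uid\n' "$sid"; return 1; }
    back=$(wb --uid-to-sid="$num") || back=
    [ "$back" = "$sid" ] || { printf 'FAIL %s: uid-to-sid(%s) returned "%s"\n' "$sid" "$num" "$back"; rc=1; }
    back=$(wb --gid-to-sid="$num") || back=
    [ "$back" = "$sid" ] || { printf 'FAIL %s: gid-to-sid(%s) returned "%s"\n' "$sid" "$num" "$back"; rc=1; }
    out=$(wb --sid-to-name="$sid") || { printf 'FAIL %s: sid-to-name\n' "$sid"; return 1; }
    # assumed output format "DOMAIN\name TYPE": strip the trailing type number
    name=${out% *}
    if [ "$namecheck" = 1 ]; then
        out=$(wb --name-to-sid="$name") || out=
        # assumed output format "SID SID_TYPE (n)": keep only the SID
        back=${out%% *}
        [ "$back" = "$sid" ] || { printf 'FAIL %s: name-to-sid("%s") returned "%s"\n' "$sid" "$name" "$back"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && printf 'OK   %s uid/gid=%s name=%s\n' "$sid" "$num" "$name"
    return "$rc"
}

# check_sysvol_sids: test all four SIDs, Administrators and Server Operators
# with the extra name-to-sid step. Returns the number of SIDs that failed.
check_sysvol_sids() {
    failed=0
    for entry in "$DC_ADMINISTRATORS:1" "$DC_SERVER_OPERATORS:1" \
                 "$DC_SYSTEM:0" "$DC_AUTHENTICATED_USERS:0"; do
        sid_roundtrip "${entry%:*}" "${entry#*:}" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage on a DC: RUN_SYSVOL_SID_CHECK=1 sh thisfile.sh
if [ "${RUN_SYSVOL_SID_CHECK:-0}" = 1 ]; then
    check_sysvol_sids || printf 'SIDs failing: %s\n' "$?"
fi
```

On the reporter's DC this prints a FAIL line for S-1-5-32-544 at the sid-to-uid step and OK lines for the other three, which is exactly the state the thread describes; the return value of check_sysvol_sids is the count of SIDs that need fixing before the sysvol script can be trusted.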



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Jiří Černý via samba
> Sent: Tuesday 5 September 2017 10:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] BUILTIN\Administrators - failed to 
> call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> 
> Thank you both, Rowland and Louis.
> 
> I'll try to answer you both and give you more info about our domain.
> 
> Generally:
> In the past, we had a Samba 3.5 NT4 domain on a SLES server 
> (designed ages ago, never upgraded). In 2015 I finally 
> decided to migrate to Samba 4 AD. In those days it was 4.2. 
> samba-tool ntacl sysvolcheck was OK, no errors. AD worked 
> (and is working) as expected.
> This summer, I got a Samba+ subscription from SerNet, so we 
> upgraded to 4.6.X. As I said, everything works, but 
> sysvolcheck throws the errors that you discussed in the other thread.
> 
> The original Samba 3 domain was a combination of Samba and an LDAP 
> backend, so the domain schema was populated by smbldap-tools. 
> Users/groups were added by LAM (so smbldap-tools too). 
> UIDs/GIDs were populated from RIDs. The ID map range was from 500 
> to 10000, so every group and user in our domain has 
> UIDs/GIDs the same as their RID. NSS was driven by LDAP (passwd, 
> shadow and group in nsswitch.conf had the ldap directive).
> 
> After migration (in 2015) I changed this at least for new 
> users and groups. I know that's not the best solution, but 
> it worked and I didn't have to reset all ACLs on our fileservers.
> 
> Rowland:
> Yes, you are right. There were UIDs and GIDs set on "system" 
> users and groups. I removed all (is removing in ADUC enough? 
> I never worked with ldb tools) except Domain Users and Domain 
> Admins (we use this group as owner group on many shares on 
> our fileservers).
> 
> Louis:
> I think that the "bad" numbers in my domain are legacy from 
> Samba 3 + LDAP. AD service restart and net cache flush were 
> executed many times as we have run this domain for 2 years.
> 
> So what's next?
> Do you think that I have to rearrange UIDs and GIDs in our 
> domain to match the numeric pattern of a cleanly provisioned domain?
> 
> 
> Thanks for your time. Have a nice day.
> 
> 
> Yours sincerely
>  
> Jiří Černý
> System administrator
>  
> +420 775 860 300
> cerny at svmetal.cz
> helpdesk at svmetal.cz
>  
> SV metal spol. s r.o.
> Divec 99
> 500 03 Hradec Králové
> Czech republic
>  
> www.svmetal.cz 
> 
> 
> >>> Jiří Černý 4.9.2017 13:53 >>>
> Hello everyone.
> I'm trying to fix sysvol rights, because I see errors in the 
> output of /usr/bin/samba-tool ntacl sysvolcheck:
> 
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: DB ACL on GPO directory 
> /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> That's nothing new, this was discussed here many times.
> 
> Today, I decided to try the script
> (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh)
> by Mr. van Belle and I ended up with this error:
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could 
> not convert sid S-1-5-32-544 to uid
> 
> Confirmed:
> wbinfo --sid-to-uid=S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could 
> not convert sid S-1-5-32-544 to uid
> 
> So I have a problem with the builtin group Administrators, other groups look
> good:
> wbinfo --sid-to-uid=S-1-5-32-549
> 15543
> wbinfo --sid-to-uid=S-1-5-11
> 15549
> 
> DB seems to be ok:
> samba-tool dbcheck --cross-ncs --fix
> Checking 5227 objects
> Checked 5227 objects (0 errors)
> 
> Is there any way to fix my domain?
> 
> I have AD migrated from Samba 3 NT (migrated to SerNet Samba 4.2).
> Running now on 2 CentOS6 DCs, SerNet Samba 4.6.7.
> Here is my DC's smb.conf:
> # Global parameters
> [global]
>  workgroup = COMPANY
>  realm = samdom.company.cz
>  netbios name = DC01
>  server role = active directory domain controller
>  idmap_ldb:use rfc2307 = yes
>  dns forwarder = 192.168.1.34
>  allow dns updates = nonsecure
>  log level = 1
>  load printers = no
>  printing = bsd
>  printcap name = /dev/null
>  disable spoolss = yes
> 
> [netlogon]
>  path = /var/lib/samba/sysvol/samdom.company.cz/scripts
>  read only = No
>  acl_xattr:ignore system acls = yes
> 
> [sysvol]
>  path = /var/lib/samba/sysvol
>  read only = No
>  acl_xattr:ignore system acls = yes
> 
> 
> 



