[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 5 12:45:02 UTC 2017
Rowland,
Are (one of) these not an option for him to correct this?
--allocate-uid Get a new UID out of idmap
--allocate-gid Get a new GID out of idmap
--set-uid-mapping=UID,SID Create or modify uid to sid mapping in idmap
--set-gid-mapping=GID,SID Create or modify gid to sid mapping in idmap
--remove-uid-mapping=UID,SID Remove uid to sid mapping in idmap
--remove-gid-mapping=GID,SID Remove gid to sid mapping in idmap
--sids-to-unix-ids=Sid-List Translate SIDs to Unix IDs
--unix-ids-to-sids=ID-List (u<num> g<num>) Translate Unix IDs to SIDs
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 5 September 2017 14:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>
> On Tue, 05 Sep 2017 14:01:37 +0200
> Jiří Černý via samba <samba at lists.samba.org> wrote:
>
> > Thank you very much for clarifying the ID mapping "magic";)
> >
> >> You do not need 'posixgroup', it is an auxiliary objectclass of
> >> group, you can add any of the rfc2307 attributes without it.
>
> > Well, is there any option to remove it? Because "posixgroup" is on
> > every group that was migrated from Samba 3.
> > And I cannot edit this attribute in ADUC (delete button is grayed).
>
> It is probably 'greyed' out because no Windows tools use it
> or will add it. You will probably need to use Unix tools (ldb
> or ldap) to remove them, but you can if you so wish ignore
> them. What you should never do is to rely on them being
> there, because they may or may not be there.
>
> >
> > > Try restarting Samba and then run 'getent group Domain\ Admins'
> > getent group Domain\ Admins
> > COMPANY\domain admins:x:512:
> >
> > Which is expected, because it has set NIS domain and GID in ADUC.
>
> You need to remove the gidNumber from Domain Admins. If you
> add any GPOs to 'sysvol' (other than the two default ones),
> they will be created in 'sysvol\DOMAIN.LOCAL\Policies\{GUID}'
> And the Sddl will be:
>
> O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
>
> The important bit (as far as the Unix OS is concerned) is
> 'O:DAG:DA', which if we expand it becomes 'O:DA G:DA'
> O = Owner
> G = Group
> DA = Domain Admins
>
> So we can see that Domain Admins is both the owner and group
> of the directory. If Domain Admins has a gidNumber it is just
> a group and 'O:DAG:DA' becomes 'O:??G:DA'
>
>
> > But when I look at sysvol, I don't see Domain admins but
> > BUILTIN\Administrators (Domain Admins are members of this group). So I
> > am confused by the behavior of BUILTIN groups.
> > I made some investigations about BUILTIN\Administrators.
> >
> > Production domain (migrated from Samba 3):
> > wbinfo --sid-to-uid=S-1-5-32-544
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid S-1-5-32-544 to uid
> >
> > ldbsearch -H /var/lib/samba/private/idmap.ldb | grep S-1-5-32-544 -A2
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_GID
> > xidNumber: 15538
> > distinguishedName: CN=S-1-5-32-544
>
> and mine is:
>
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
>
> >
> > Testing lab domain (provisioned from scratch):
> > wbinfo --sid-to-uid=S-1-5-32-544
> > 3000003
> >
> > ldbsearch -H /usr/local/samba/private/idmap.ldb | grep S-1-5-32-544 -A2
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_BOTH
> > xidNumber: 3000003
> > distinguishedName: CN=S-1-5-32-544
> >
> > Almost every (except 0, 99 and 100) BUILTIN xidNumber on my migrated
> > domain starts with 15000. On the provisioned domain it starts with
> > 3000000. Is that the way to fix my errors? Correct idmap.ldb to match
> > a cleanly provisioned Samba AD? Is it safe to edit this file?
> >
> >
>
> It is perfectly safe to edit, in fact if you add another DC,
> you have to edit it on the second DC by overwriting it with
> the idmap.ldb from the first.
>
> Let me have a look at the classicupgrade code and get back to
> you, it shouldn't create xidNumbers like that. Speaking of
> which, can you check in idmap.ldb for the DN 'dn: CN=CONFIG'.
> What are 'lowerBound' and 'upperBound' set to ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
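Rowland's 'O:DAG:DA' walk-through, turned into an added example that is not from the thread or from Samba itself: it parses the sysvol SDDL quoted above and resolves owner and group against idmap tables constructed from the two ldbsearch outputs, so a GID-only mapping shows up as a missing uid (the 'O:??' case). The domain SID is the one visible in the quoted ACL; RID 512 for Domain Admins and the well-known SIDs for SY, AU, ED and CO are standard values, and the fresh-domain xidNumber for Domain Admins is constructed.

```python
import re

# Constructed idmap tables, modelled on the two ldbsearch results quoted above:
# the migrated domain maps BUILTIN\Administrators (S-1-5-32-544) as ID_TYPE_GID,
# the freshly provisioned one as ID_TYPE_BOTH.  Domain Admins (domain SID from the
# quoted SDDL, RID 512) with a gidNumber set in ADUC (512 per the getent output) is
# modelled as a GID-only mapping; its fresh-domain xid 3000000 is constructed.
DOMAIN_SID = "S-1-5-21-2695348288-4157658249-429813502"
ALIAS_TO_SID = {"DA": DOMAIN_SID + "-512", "BA": "S-1-5-32-544", "SY": "S-1-5-18",
                "AU": "S-1-5-11", "ED": "S-1-5-9", "CO": "S-1-3-0"}
IDMAP_MIGRATED = {"S-1-5-32-544": ("ID_TYPE_GID", 15538),
                  DOMAIN_SID + "-512": ("ID_TYPE_GID", 512)}
IDMAP_FRESH = {"S-1-5-32-544": ("ID_TYPE_BOTH", 3000003),
               DOMAIN_SID + "-512": ("ID_TYPE_BOTH", 3000000)}

SYSVOL_SDDL = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)"
               "(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;" + DOMAIN_SID + "-519)")

_COMPONENT_RE = re.compile(r"(O|G|D|S):")  # owner, group, DACL, SACL headers

def parse_sddl(sddl):
    """Split SDDL into owner, group and DACL ACEs; each ACE becomes its ';' fields."""
    heads = list(_COMPONENT_RE.finditer(sddl))
    parts = {}
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    aces = [ace.split(";") for ace in re.findall(r"\(([^)]*)\)", parts.get("D", ""))]
    return {"owner": parts.get("O"), "group": parts.get("G"), "aces": aces}

def to_sid(token):
    """Expand a two-letter SDDL alias; literal S-1-... SIDs pass through unchanged."""
    return ALIAS_TO_SID.get(token, token)

def unix_id_for(sid, idmap, want):
    """Return the uid or gid (want='uid'/'gid') an idmap table can supply for a SID.
    A GID-only mapping can back a Unix group but never a Unix owner; ID_TYPE_BOTH
    can back either.  None is the 'O:??' case from the explanation above."""
    entry = idmap.get(sid)
    if entry is None:
        return None
    id_type, xid = entry
    allowed = {"uid": ("ID_TYPE_UID", "ID_TYPE_BOTH"), "gid": ("ID_TYPE_GID", "ID_TYPE_BOTH")}
    return xid if id_type in allowed[want] else None

def sysvol_unix_ownership(sddl, idmap):
    """Map an SDDL's owner and group onto (uid, gid) for the Unix side of sysvol."""
    sd = parse_sddl(sddl)
    return (unix_id_for(to_sid(sd["owner"]), idmap, "uid"),
            unix_id_for(to_sid(sd["group"]), idmap, "gid"))
```

Against the migrated table the owner slot comes back as None while the group resolves, which is exactly the mismatch the thread describes; against the fresh table both resolve.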