[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Rowland Penny rpenny at samba.org
Tue Sep 5 15:20:29 UTC 2017


On Tue, 05 Sep 2017 15:07:33 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> Well, we are getting somewhere...;)
> 
> > It is probably 'greyed' out because no Windows tools use it or will
> > add it. You will probably need to use Unix tools (ldb or ldap) to
> > remove them, but you can if you so wish ignore them. What you should
> > never do is to rely on them being there, because they may or may not
> > be there.
> 
> Ok, I'll let it be there.
> 
> > You need to remove the gidNumber from Domain Admins. If you add any
> > GPOs to 'sysvol' (other than the two default ones), they will be
> > created in 'sysvol\DOMAIN.LOCAL\Policies\{GUID}'
> > And the Sddl will be:
> > 
> > O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
> > 
> > The important bit (as far as the Unix OS is concerned) is 'O:DAG:DA',
> > which if we expand it becomes 'O:DA G:DA'
> > O = Owner
> > G = Group
> > DA = Domain Admins
> > 
> > So we can see that Domain Admins is both the owner and group of the
> > directory. If Domain Admins has a gidNumber it is just a group and
> > 'O:DAG:DA' becomes 'O:??G:DA'
> 
> Deleted. Now, I can do samba-tool ntacl sysvolreset and samba-tool ntacl
> sysvolcheck without errors. Domain Admins ID is now:
> 
> getent group 'Domain Admins'
> SVMETAL\domain admins:x:15655:
> 
> > It is perfectly safe to edit, in fact if you add another DC, you have
> > to edit it on the second DC by overwriting it with the idmap.ldb from
> > the first.
> > 
> > Let me have a look at the classicupgrade code and get back to you, it
> > shouldn't create xidNumbers like that. Speaking of which, can you check
> > in idmap.ldb for the DN 'dn: CN=CONFIG'. What are 'lowerBound' and
> > 'upperBound' set to ?
> 
> You're right, I remember dumping that file and copying it to the second
> DC. Interestingly, on Samba 4.2 there was no problem with
> sysvolcheck/reset: UIDs/GIDs were absolutely the same, I didn't do any
> changes on them.
> 
> ldbsearch -H /var/lib/samba/private/idmap.ldb | grep "dn: CN=CONFIG" -A6 -B1
> # record 8
> dn: CN=CONFIG
> cn: CONFIG
> upperBound: 4000000
> lowerBound: 15543
> xidNumber: 15655
> distinguishedName: CN=CONFIG
> 
> Which is very interesting, because it has the same xidNumber as Domain
> Admins.
> 

When you provision a new domain, it is set to 3000000, but, seemingly, when
you run the classicupgrade it gets set to a lower number (I have never
actually run a classicupgrade) based on what is in your old domain.

Not sure what to suggest here, do you feel up to sending me (offlist) a
copy of your idmap.ldb?

Rowland
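An added example, not from this thread and not Samba's own code, that turns the two checks discussed above into a script: it parses the sysvol policy-directory SDDL quoted in the thread into owner, group and ACEs, and it reads an ldbsearch dump of idmap.ldb to flag the kind of allocation state Jiří reports. The SDDL string and the CN=CONFIG record are taken from the thread; the Domain Admins idmap record (RID 512 under the domain SID visible in the descriptor, gid 15655 as shown by getent, mapped as ID_TYPE_GID) is constructed for the example, the alias table covers only the trustees in that descriptor, and treating the CN=CONFIG xidNumber as the next xid the allocator will hand out is my assumption, not something the thread states.

```python
"""Checks for the two things discussed in the thread: who owns a sysvol
policy directory according to its SDDL, and whether the xid allocation
state in idmap.ldb (as dumped by ldbsearch) is consistent."""
import re

# Well-known SDDL trustee aliases that appear in the descriptor above (subset).
SDDL_ALIASES = {"DA": "Domain Admins", "SY": "Local System",
                "AU": "Authenticated Users", "CO": "Creator Owner",
                "ED": "Enterprise Domain Controllers"}

SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split 'O:<owner>G:<group>D:<flags>(ace)...' into its parts."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = m.group("dacl")
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "trustee": SDDL_ALIASES.get(trustee, trustee)})
    return {"owner": SDDL_ALIASES.get(m.group("owner"), m.group("owner")),
            "group": SDDL_ALIASES.get(m.group("group"), m.group("group")),
            "dacl_flags": dacl.split("(", 1)[0],  # 'PAI': protected, auto-inherited
            "aces": aces}


def parse_ldif(text):
    """Parse a flat ldbsearch dump into [{attr: value}]; idmap.ldb records
    are single-valued, so no multi-value handling is needed."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        records.append(current)
    return records


def idmap_findings(records):
    """Flag: CN=CONFIG xidNumber (assumed to be the next xid the allocator
    hands out) colliding with an allocated xid, xids outside
    [lowerBound, upperBound], and one xid shared by two SIDs."""
    config = next(r for r in records if r.get("dn") == "CN=CONFIG")
    lower, upper = int(config["lowerBound"]), int(config["upperBound"])
    next_xid = int(config["xidNumber"])
    findings, holder = [], {}
    for r in records:
        if r is config or "xidNumber" not in r:
            continue
        xid = int(r["xidNumber"])
        if xid == next_xid:
            findings.append("CN=CONFIG xidNumber %d already allocated to %s"
                            % (xid, r["dn"]))
        if not lower <= xid <= upper:
            findings.append("%s: xidNumber %d outside [%d, %d]"
                            % (r["dn"], xid, lower, upper))
        if xid in holder:
            findings.append("xidNumber %d shared by %s and %s"
                            % (xid, holder[xid], r["dn"]))
        holder.setdefault(xid, r["dn"])
    return findings


def owner_findings(sddl, records, name_to_sid):
    """The directory owner must resolve to a uid; a SID mapped only as
    ID_TYPE_GID cannot, which is what 'O:??G:DA' in the thread means."""
    owner = parse_sddl(sddl)["owner"]
    sid = name_to_sid.get(owner, owner)
    by_sid = {r["objectSid"]: r for r in records if "objectSid" in r}
    rec = by_sid.get(sid)
    if rec is None:
        return ["owner %s (%s) has no idmap entry" % (owner, sid)]
    if rec.get("type") == "ID_TYPE_GID":
        return ["owner %s is mapped as %s only (xid %s): no uid, so "
                "wbcSidToUid will fail" % (owner, rec["type"], rec["xidNumber"])]
    return []


# Descriptor quoted in the thread, plus a constructed idmap.ldb dump that
# pairs the thread's CN=CONFIG record with an invented Domain Admins entry.
SYSVOL_SDDL = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)"
               "(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
               "(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)")
DA_SID = "S-1-5-21-2695348288-4157658249-429813502-512"  # constructed: domain SID + RID 512
IDMAP_DUMP = """\
# record 8
dn: CN=CONFIG
cn: CONFIG
upperBound: 4000000
lowerBound: 15543
xidNumber: 15655
distinguishedName: CN=CONFIG

# record 9
dn: CN=%s
cn: %s
objectClass: sidMap
objectSid: %s
type: ID_TYPE_GID
xidNumber: 15655
distinguishedName: CN=%s
""" % ((DA_SID,) * 4)

if __name__ == "__main__":
    recs = parse_ldif(IDMAP_DUMP)
    for f in idmap_findings(recs) + owner_findings(SYSVOL_SDDL, recs,
                                                   {"Domain Admins": DA_SID}):
        print(f)
```

Run against a real dump (`ldbsearch -H /var/lib/samba/private/idmap.ldb > dump.ldif`) the same two functions report the collision Jiří saw and any owner that can only map to a gid; on a healthy DC both lists come back empty.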
