[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Jiří Černý cerny at svmetal.cz
Wed Sep 6 13:15:57 UTC 2017

>On Wed, 06 Sep 2017 11:24:17 +0200>Jiří Černý via samba <samba at
( https://lists.samba.org/mailman/listinfo/samba) > wrote:>>> I feel
this all has something to do with the classicupgrade, the>> command
works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"'>> work ?>> Yes.
Take a look:wbinfo --sid-to-gid="S-1-5-32-544"> 15538wbinfo
--gid-info=15538> BUILTIN\administrators:x:15538:>>> I haven't received
it yet, but will examine and comment on it when>> I do.I sent it to
<rpenny at samba.org>, so I hope that antispam>> filters do their job
not so hard;) >>> Yes, but is this set on the>> computers object in
sam.ldb as a gidNumber or in idmap.ldb as a>> xidNumber ?>> I mean in
ADUC, i didn't inspected databases. I was NIS> domain and GIDs in UNIX
Attributes tab of ADUC.> So it was definetely gidNumber. Stored propably
in sam.ldb.>>If you don't have any Unix machine (other than the Samba AD
DC) you do>not need any uidNumber or gidNumber attributes in AD.We have
5 linux fileservers, so we really need this function. Also we use LDAP
login to our intranet (Plone) of which plugin uses UIDs/GIDs.
I presonally use Fedora laptop and desktop joined to domain by realmd
and sssd, which work well. In past I made some work on project of
'CentOS linux desktop', so there is chance, that we will need UNIX
attributes at least for user acounts and Domain Users group as primary
group. But we don't need set numeric IDs for other "default" domain
groups like BUILTIN and Domain\xxxxx.> > Is enough to just set NIS
domnain to <none> in ADUC to "clear" GID at> groups/users which
shouldn't have it?>> No, sorry that will not work.Probably yes or maybe
we don't understand each other.
I tested it in lab domain (Samba 4.7rc4) by ldbsearch in sam.ldb. If I
set NIS domain and GID (in ADUC), then there appear msSFU30NisDomain:
and gidNumber: attributes.
When I set NIS domain to <none>, both attributes disappear.>> A
gidNumber can be used on any Unix machine in the domain, a>> xidNumber
will only be used on the DC. >> Finally I got it. Forgive me, sometimes
it takes quite long time than> my brain assembles all information
together:D> >>No problem>>RowlandCan I have the proposal?
Is it possible to edit wiki page about Classic upgrade?
At least add some warning about possibility of problems with ID map
ranges migrated from ancient Samba 3.X+LDAP systems?

And second. Is possible to change Classic upgrade scripts to have
option of not copying of GIDs to "default" groups?
I think it should be enough. migration script copy members of that
groups but skip copying of GIDs.Not for us, it will be difficult to fix
our domain (but I believe that amazing guys here help me to fix that
goddamn BUILTIN Admins;)), but for another people who will migrate S3
NT4 domain to S4 AD.

More information about the samba mailing list