[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Rowland Penny rpenny at samba.org
Wed Sep 6 14:19:12 UTC 2017


On Wed, 06 Sep 2017 15:15:57 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> >On Wed, 06 Sep 2017 11:24:17 +0200>Jiří Černý via samba <samba at
> lists.samba.org
> ( https://lists.samba.org/mailman/listinfo/samba) > wrote:>>> I feel
> this all has something to do with the classicupgrade, the>> command
> works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"'>> work ?>>
> Yes. Take a look:wbinfo --sid-to-gid="S-1-5-32-544"> 15538wbinfo
> --gid-info=15538> BUILTIN\administrators:x:15538:>>> I haven't
> received it yet, but will examine and comment on it when>> I do.I
> sent it to <rpenny at samba.org>, so I hope that antispam>> filters
> do their job not so hard;) >>> Yes, but is this set on the>>
> computers object in sam.ldb as a gidNumber or in idmap.ldb as a>>
> xidNumber ?>> I mean in ADUC, I didn't inspect databases. I was
> NIS> domain and GIDs in UNIX Attributes tab of ADUC.> So it was
> NIS> definitely gidNumber. Stored probably
> in sam.ldb.>>If you don't have any Unix machine (other than the Samba
> AD DC) you do>not need any uidNumber or gidNumber attributes in AD.We
> have 5 linux fileservers, so we really need this function. Also we
> use LDAP login to our intranet (Plone) of which plugin uses UIDs/GIDs.
> I personally use Fedora laptop and desktop joined to domain by realmd
> and sssd, which work well. In past I made some work on project of
> 'CentOS linux desktop', so there is chance, that we will need UNIX
> attributes at least for user accounts and Domain Users group as primary
> group. But we don't need set numeric IDs for other "default" domain
> groups like BUILTIN and Domain\xxxxx.> > Is enough to just set NIS
> domain to <none> in ADUC to "clear" GID at> groups/users which
> shouldn't have it?>> No, sorry that will not work.Probably yes or
> maybe we don't understand each other.
> I tested it in lab domain (Samba 4.7rc4) by ldbsearch in sam.ldb. If I
> set NIS domain and GID (in ADUC), then there appear msSFU30NisDomain:
> and gidNumber: attributes.
> When I set NIS domain to <none>, both attributes disappear.>> A
> gidNumber can be used on any Unix machine in the domain, a>> xidNumber
> will only be used on the DC. >> Finally I got it. Forgive me,
> sometimes it takes quite long time than> my brain assembles all
> information together:D> >>No problem>>RowlandCan I have the proposal?
> Is it possible to edit wiki page about Classic upgrade?
> At least add some warning about possibility of problems with ID map
> ranges migrated from ancient Samba 3.X+LDAP systems?
> 
> And second. Is possible to change Classic upgrade scripts to have
> option of not copying of GIDs to "default" groups?
> I think it should be enough. migration script copy members of that
> groups but skip copying of GIDs. Not for us, it will be difficult to
> fix our domain (but I believe that amazing guys here help me to fix
> that goddamn BUILTIN Admins;)), but for another people who will
> migrate S3 NT4 domain to S4 AD.

This was hard to decipher, but I think I understand it.

You need to make some choices about your fileservers: do you need to
move data between them? If you do, then you need to use the winbind
'ad' backend to ensure the data retains the correct ownership. If you
don't, then you can use the 'rid' backend; this doesn't add anything to
AD.

Rowland
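
Added example (not part of the message above and not the Samba project's own file): a member-server smb.conf fragment showing the two winbind idmap backends the reply contrasts. The domain name SAMDOM, the realm and all numeric ranges are placeholder assumptions.

```ini
[global]
    # Constructed example for a domain member file server.
    # SAMDOM, the realm and every range below are placeholders.
    security = ads
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # Default domain: BUILTIN groups and local accounts get IDs
    # allocated locally from this range and stored in a local tdb.
    # This range must not overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option 1, 'ad' backend: winbind reads uidNumber/gidNumber
    # (RFC 2307 attributes) from AD, so every member server using it
    # sees the same IDs. Accounts without these attributes, or with
    # values outside the range, are not mapped.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

    # Option 2, 'rid' backend: IDs are computed from the RID part of
    # each SID and this range; nothing is read from or written to AD.
    # Use instead of option 1, never both for the same domain.
    ;idmap config SAMDOM : backend = rid
    ;idmap config SAMDOM : range = 10000-999999
```

Running testparm after editing checks the file for syntax errors before winbind is restarted.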


