Creating builtin group fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Richard Sharpe realrichardsharpe at gmail.com
Thu Jul 2 20:01:18 CEST 2015


On Thu, Jul 2, 2015 at 10:53 AM, Rowland Penny <repenny241155 at gmail.com> wrote:
> On 02/07/15 18:45, Richard Sharpe wrote:
>>
>> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>>>>>
>>>>> Your problem is when you use this line:
>>>>>
>>>>> idmap config CORP : range = 10000000-109999999
>>>>>
>>>>> Winbind knows where to store the domain mappings, whilst when you use:
>>>>>
>>>>> idmap config * : range = 2000000-2999999
>>>>> idmap config * : range = 10000000-109999999
>>>>>
>>>>> Winbind doesn't know where to store the domain mappings and I would
>>>>> also
>>>>> expect the first line will be ignored.
>>>>
>>>> I am not sure that I believe that explanation. I went and checked the
>>>> in-development project I am on, and we have this in our smb.conf
>>>> around idmapping:
>>>>
>>>>      idmap config * : backend = hash
>>>>      idmap config * : range = 10000-40000000
>>>>
>>>> And we are also not getting those groups created. This is a problem,
>>>> so I will have to investigate some more.
>>>
>>> It turns out that we have exactly this problem. During the join we see:
>>>
>>> -----------------------------
>>> Attempting to register passdb backend tdbsam
>>> Successfully added passdb backend 'tdbsam'
>>> Found pdb backend tdbsam
>>> pdb backend tdbsam has a valid init
>>> Could not find map for sid S-1-5-32-544
>>> Trying to create builtin alias 544
>>> lookup_sid called for SID 'S-1-5-32-544'
>>> Accepting SID S-1-5-32 in level 1
>>> lookup_rids called for domain sid 'S-1-5-32'
>>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>>> pdb_create_builtin_alias: Could not get a gid out of winbind
>>> create_builtin_administrators: Failed to create Administrators
>>> Failed to auto-add domain administrators to BUILTIN\Administrators
>>> during join: NT_STATUS_ACCESS_DENIED
>>> -----------------------------
>>
>> If I kill winbindd and then perform the join, which is how it would
>> normally happen, I see:
>>
>> --------------------------------
>> Attempting to register passdb backend tdbsam
>> Successfully added passdb backend 'tdbsam'
>> Found pdb backend tdbsam
>> pdb backend tdbsam has a valid init
>> Could not find map for sid S-1-5-32-544
>> create_builtin_administrators: Failed to create Administrators
>> Unable to auto-add domain administrators to BUILTIN\Administrators
>> during join because winbindd must be running.
>> Could not find map for sid S-1-5-32-545
>> create_builtin_users: Failed to create Users
>> Unable to auto-add domain users to BUILTIN\users during join because
>> winbindd must be running.
>> --------------------------------
>>
>
> Hi, how are you doing the join? Just what do you have in smb.conf? Only ask
> because I have never seen that output.

I used -d10 on the join line.

It seems that if I use net groupmap add to explicitly map
S-1-5-32-544/545 to local groups I do get the correct things added on
domain join, but I am concerned that that is not the correct way to do
things.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)
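A small diagnostic script, added here as an example and not part of this thread or of Samba itself, that applies the two checks the discussion turns on. `parse_idmap_config` and `check_idmap_ranges` flag a repeated `idmap config * : range` line (Samba's parameter loader keeps the later value, so the earlier line is ignored, which is what Rowland expects) and ranges of different domains that overlap; `diagnose_join_log` tells apart the two `-d10` join outputs Richard quoted, "winbindd must be running" when winbindd is stopped versus "Could not get a gid out of winbind" when it is running. The smb.conf fragments and log excerpts are constructed from the lines quoted above, and the function names are my own.

```python
"""Checks for the two failure modes discussed in the thread: an idmap configuration
with duplicated or overlapping ranges, and a 'net ... join -d10' log in which the
BUILTIN aliases could not be created."""
import re

# Constructed smb.conf fragments (not from a real deployment). The first repeats the
# duplicated "idmap config *" range lines quoted in the thread; the second combines the
# "* : range = 10000-40000000" line with a CORP range so that the two overlap.
SMB_CONF_DUPLICATE_STAR = """\
[global]
    workgroup = CORP
    idmap config * : backend = hash
    idmap config * : range = 2000000-2999999
    idmap config * : range = 10000000-109999999
"""

SMB_CONF_OVERLAP = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 10000-40000000
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000000-109999999
"""

IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE)
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap_config(text):
    """Collect 'idmap config DOMAIN : key = value' lines into {domain: {key: value}}.
    A repeated key overrides the earlier one, as Samba's parameter loader does, and
    every override is reported so the ignored line becomes visible."""
    config, warnings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        domain = m.group("domain").upper()  # domain names are case-insensitive
        key, value = m.group("key").lower(), m.group("value")
        params = config.setdefault(domain, {})
        if key in params:
            warnings.append(f"line {lineno}: 'idmap config {domain} : {key}' repeated; "
                            f"earlier value '{params[key]}' is ignored")
        params[key] = value
    return config, warnings


def check_idmap_ranges(config):
    """Return a list of problems: malformed ranges, ranges without a backend, and
    ranges of different domains that overlap (Samba requires disjoint ranges)."""
    problems, spans = [], {}
    for domain, params in config.items():
        rng = params.get("range")
        if rng is None:
            continue
        m = RANGE.match(rng)
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{domain}: malformed range '{rng}'")
            continue
        if "backend" not in params:
            problems.append(f"{domain}: range set but no backend configured")
        spans[domain] = (int(m.group(1)), int(m.group(2)))
    names = sorted(spans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo1, hi1), (lo2, hi2) = spans[a], spans[b]
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


# Constructed excerpts of the two join logs quoted in the thread (winbindd stopped
# versus running), reduced to the lines the classifier looks at.
JOIN_LOG_WINBIND_DOWN = """\
Could not find map for sid S-1-5-32-544
create_builtin_administrators: Failed to create Administrators
Unable to auto-add domain administrators to BUILTIN\\Administrators during join because winbindd must be running.
Could not find map for sid S-1-5-32-545
create_builtin_users: Failed to create Users
Unable to auto-add domain users to BUILTIN\\users during join because winbindd must be running.
"""
JOIN_LOG_NO_GID = """\
Could not find map for sid S-1-5-32-544
Trying to create builtin alias 544
pdb_create_builtin_alias: Could not get a gid out of winbind
create_builtin_administrators: Failed to create Administrators
Failed to auto-add domain administrators to BUILTIN\\Administrators during join: NT_STATUS_ACCESS_DENIED
"""

UNMAPPED_SID = re.compile(r"Could not find map for sid (S-1-5-32-\d+)")


def diagnose_join_log(log):
    """Classify why the BUILTIN aliases were not created, from -d10 join output.
    Returns (cause, unmapped BUILTIN SIDs in order of first appearance)."""
    sids = list(dict.fromkeys(UNMAPPED_SID.findall(log)))
    if "winbindd must be running" in log:
        cause = "winbindd-not-running"          # join ran with winbindd stopped
    elif "Could not get a gid out of winbind" in log:
        cause = "winbind-returned-no-gid"       # winbindd up, but no gid for the SID
    elif sids:
        cause = "builtin-sid-unmapped"
    else:
        cause = "ok"
    return cause, sids


if __name__ == "__main__":
    for name, conf in (("duplicate", SMB_CONF_DUPLICATE_STAR), ("overlap", SMB_CONF_OVERLAP)):
        config, warnings = parse_idmap_config(conf)
        print(name, warnings, check_idmap_ranges(config))
    print(diagnose_join_log(JOIN_LOG_WINBIND_DOWN))
    print(diagnose_join_log(JOIN_LOG_NO_GID))
```

Feed `parse_idmap_config` the `[global]` section of a real smb.conf (for example the output of `testparm -s`) to see which idmap line is silently overridden; the log classifier only distinguishes the two outputs shown in the thread and says nothing about whether `net groupmap add` is the right fix, which is the open question above.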
