Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Rowland Penny repenny241155 at gmail.com
Thu Jul 2 21:32:34 CEST 2015


On 02/07/15 20:23, Richard Sharpe wrote:
> On Thu, Jul 2, 2015 at 11:56 AM, Rowland Penny <repenny241155 at gmail.com> wrote:
>> On 02/07/15 19:22, Richard Sharpe wrote:
>>> On Thu, Jul 2, 2015 at 11:06 AM, Partha Sarathi
>>> <parthasarathi.bl at gmail.com> wrote:
>>>> Richard,
>>>>
>>>> If I remember correctly this was working in 3.6.X. In 4.1.17 winbindd
>>>> relies on the DOMAIN name to perform sid-to-gid for builtin sids, which
>>>> is strange.
>>> Yes, this was working in 3.6.X. I did some breakage in 3.5.X with
>>> Likewise's auth.
>>>
>>> I haven't looked specifically at 4.X.Y but will check it out over the
>>> long weekend because although I have a workaround for this, I am not
>>> happy with it and don't understand the underlying cause.
>>>
>>>> Regards,
>>>> --Partha
>>>>
>>>> On Thu, Jul 2, 2015 at 11:01 AM, Richard Sharpe
>>>> <realrichardsharpe at gmail.com> wrote:
>>>>> On Thu, Jul 2, 2015 at 10:53 AM, Rowland Penny <repenny241155 at gmail.com>
>>>>> wrote:
>>>>>> On 02/07/15 18:45, Richard Sharpe wrote:
>>>>>>> On Thu, Jul 2, 2015 at 10:42 AM, Richard Sharpe
>>>>>>> <realrichardsharpe at gmail.com> wrote:
>>>>>>>>>> Your problem is when you use this line:
>>>>>>>>>>
>>>>>>>>>> idmap config CORP : range = 10000000-109999999
>>>>>>>>>>
>>>>>>>>>> Winbind knows where to store the domain mappings, whilst when you
>>>>>>>>>> use:
>>>>>>>>>>
>>>>>>>>>> idmap config * : range = 2000000-2999999
>>>>>>>>>> idmap config * : range = 10000000-109999999
>>>>>>>>>>
>>>>>>>>>> Winbind doesn't know where to store the domain mappings and I would
>>>>>>>>>> also expect the first line will be ignored.
>>>>>>>>> I am not sure that I believe that explanation. I went and checked
>>>>>>>>> the
>>>>>>>>> in-development project I am on, and we have this in our smb.conf
>>>>>>>>> around idmapping:
>>>>>>>>>
>>>>>>>>>        idmap config * : backend = hash
>>>>>>>>>        idmap config * : range = 10000-40000000
>>>>>>>>>
>>>>>>>>> And we are also not getting those groups created. This is a problem,
>>>>>>>>> so I will have to investigate some more.
>>>>>>>> It turns out that we have exactly this problem. During the join we
>>>>>>>> see:
>>>>>>>>
>>>>>>>> -----------------------------
>>>>>>>> Attempting to register passdb backend tdbsam
>>>>>>>> Successfully added passdb backend 'tdbsam'
>>>>>>>> Found pdb backend tdbsam
>>>>>>>> pdb backend tdbsam has a valid init
>>>>>>>> Could not find map for sid S-1-5-32-544
>>>>>>>> Trying to create builtin alias 544
>>>>>>>> lookup_sid called for SID 'S-1-5-32-544'
>>>>>>>> Accepting SID S-1-5-32 in level 1
>>>>>>>> lookup_rids called for domain sid 'S-1-5-32'
>>>>>>>> Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
>>>>>>>> pdb_create_builtin_alias: Could not get a gid out of winbind
>>>>>>>> create_builtin_administrators: Failed to create Administrators
>>>>>>>> Failed to auto-add domain administrators to BUILTIN\Administrators
>>>>>>>> during join: NT_STATUS_ACCESS_DENIED
>>>>>>>> -----------------------------
>>>>>>> If I kill winbindd and then perform the join, which is how it would
>>>>>>> normally happen, I see:
>>>>>>>
>>>>>>> --------------------------------
>>>>>>> Attempting to register passdb backend tdbsam
>>>>>>> Successfully added passdb backend 'tdbsam'
>>>>>>> Found pdb backend tdbsam
>>>>>>> pdb backend tdbsam has a valid init
>>>>>>> Could not find map for sid S-1-5-32-544
>>>>>>> create_builtin_administrators: Failed to create Administrators
>>>>>>> Unable to auto-add domain administrators to BUILTIN\Administrators
>>>>>>> during join because winbindd must be running.
>>>>>>> Could not find map for sid S-1-5-32-545
>>>>>>> create_builtin_users: Failed to create Users
>>>>>>> Unable to auto-add domain users to BUILTIN\users during join because
>>>>>>> winbindd must be running.
>>>>>>> --------------------------------
> Hmmm, I went and looked at the offending code:
>
> static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
> {
>          NTSTATUS status;
>
>          /* Try adding dom admins to builtin\admins. Only log failures. */
>          status = create_builtin_administrators(domain_sid);
>          if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
>                  DEBUG(10,("Unable to auto-add domain administrators to "
>                            "BUILTIN\\Administrators during join because "
>                            "winbindd must be running.\n"));
>          } else if (!NT_STATUS_IS_OK(status)) {
>                  DEBUG(5, ("Failed to auto-add domain administrators to "
>                            "BUILTIN\\Administrators during join: %s\n",
>                            nt_errstr(status)));
>          }
>
>          /* Try adding dom users to builtin\users. Only log failures. */
>          status = create_builtin_users(domain_sid);
>          if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
>                  DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
>                            "during join because winbindd must be running.\n"));
>          } else if (!NT_STATUS_IS_OK(status)) {
>                  DEBUG(5, ("Failed to auto-add domain administrators to "
>                            "BUILTIN\\Administrators during join: %s\n",
>                            nt_errstr(status)));
>          }
> }
>
> The problem here, it seems to me, is that this code will often be run
> when we do not have winbindd running. And after tracking things down,
> I see the following for pdb_create_builtin:
>
> /**
>   * Create the requested BUILTIN if it doesn't already exist.  This requires
>   * winbindd to be running.
>   *
>   * @param[in] rid BUILTIN rid to create
>   * @return Normal NTSTATUS return.
>   */
>
> Hmmm, did anyone think about the way in which people normally join a
> domain from a member server?
>

The problem is that, whilst I normally do the join and then start nmbd, 
smbd and winbindd, this time I tried to do it with them running; the only 
problem was that, whilst winbindd started, it shut down again straight away.

Rowland
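The thread turns on two separate preconditions for the BUILTIN aliases to be created during the join: the idmap configuration must give winbindd exactly one usable range for the default `*` domain (Rowland's point about the duplicated `idmap config * : range` lines), and winbindd must actually be running and answering when `net` calls `pdb_create_builtin`. The following checker is an added example, not code from the thread or from Samba itself; it lints the idmap part of an smb.conf fragment offline, flagging repeated keys for the same domain and ranges that overlap between domains. The two smb.conf samples embedded in it are constructed for the example and only echo the layouts quoted above.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment modelled on the layout discussed in the thread:
# the "*" range is set twice and the CORP range collides with the second one.
BROKEN_SMB_CONF = """
[global]
    workgroup = CORP
    security = ads
    idmap config * : backend = hash
    idmap config * : range = 2000000-2999999
    idmap config * : range = 10000000-109999999
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000000-109999999
"""

# Constructed clean fragment: one range per domain, no overlap.
CLEAN_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf):
    """Collect 'idmap config <domain> : <key> = <value>' lines.

    Returns (settings, duplicates). settings maps domain -> {key: value} and
    keeps the last occurrence of a repeated key (a later smb.conf line
    overrides an earlier one); duplicates lists every (domain, key) that was
    set more than once, since only one of those lines can be in effect.
    """
    settings, duplicates = {}, []
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).strip(), m.group(2).lower(), m.group(3)
        dom = settings.setdefault(domain, {})
        if key in dom:
            duplicates.append((domain, key))
        dom[key] = value
    return settings, duplicates


def parse_range(value):
    """Parse 'LOW-HIGH' into a (low, high) tuple, or None if malformed."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def check_idmap(conf):
    """Return a list of findings (empty when the idmap layout looks sane)."""
    settings, duplicates = parse_idmap(conf)
    findings = [f"duplicate 'idmap config {d} : {k}': only the last line takes effect"
                for d, k in duplicates]
    if "range" not in settings.get("*", {}):
        # BUILTIN SIDs such as S-1-5-32-544 have no domain range of their own,
        # so without a default range winbindd has nowhere to allocate them.
        findings.append("no 'idmap config * : range' for the default domain")
    ranges = {}
    for domain, keys in settings.items():
        if "backend" not in keys:
            findings.append(f"'idmap config {domain}' has no backend")
        if "range" not in keys:
            findings.append(f"'idmap config {domain}' has no range")
            continue
        r = parse_range(keys["range"])
        if r is None:
            findings.append(f"'idmap config {domain} : range = {keys['range']}' is not LOW-HIGH")
            continue
        ranges[domain] = r
    for (d1, r1), (d2, r2) in combinations(sorted(ranges.items()), 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:
            findings.append(f"ranges for {d1} ({r1[0]}-{r1[1]}) and {d2} ({r2[0]}-{r2[1]}) overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SMB_CONF), ("clean", CLEAN_SMB_CONF)):
        print(f"{name}: {check_idmap(conf) or ['ok']}")
```

Run it against the real smb.conf before joining; an empty result covers the configuration half. The runtime half is a separate check on the member server itself: confirm winbindd answers with `wbinfo -p`, and that it can hand out a gid for a BUILTIN SID with `wbinfo --sid-to-gid S-1-5-32-544`, which is exactly the call `pdb_create_builtin_alias` fails on in the log Richard quoted.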
