Creating builtingroup fails with NTSTATUS_ACCESS_DENIED with idmap hash backend

Partha Sarathi parthasarathi.bl at gmail.com
Thu Jul 2 22:53:15 CEST 2015


Thanks Michael. autorid helped me :-)

Regards,
--Partha

On Thu, Jul 2, 2015 at 1:43 PM, Michael Adam <obnox at samba.org> wrote:

> On 2015-07-02 at 13:25 -0700, Partha Sarathi wrote:
> > Thanks Michael,
> >
> > Also even if I have the below setting alone with rid as backend I see the
> > same issue on creating builtins. Winbindd expects the DOMAIN name to always
> > be set for the backend.
> >
> >  idmap config  * : backend = rid
> > idmap config  * : range = 10000000-109999999
>
> Rid cannot be used as default backend either.
> See the manpage of idmap_rid for examples.
>
> Rid has to be configured for each domain that
> should use the rid backend separately and with
> mutually disjoint ranges. Otherwise, sids from
> different domains but with the same RID would
> get the same UID or GID ...
>
> You can use the autorid backend as default!
> This automatically associates rid-ranges for
> the domains as they come across.
>
> Michael
>
> > tdb(/var/lib/samba/private/secrets.tdb): tdb_transaction_start: nesting 1
> > Could not find map for sid S-1-5-32-544
> > Trying to create builtin alias 544
> > lookup_sid called for SID 'S-1-5-32-544'
> > Accepting SID S-1-5-32 in level 1
> > lookup_rids called for domain sid 'S-1-5-32'
> > Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> > *pdb_create_builtin_alias: Could not get a gid out of winbind*
> > Creating Administrators failed with NT_STATUS_ACCESS_DENIED
> > return code = -1
> >
> > And my intention here is to not give the DOMAIN because I don't want to
> > specify separate ranges for every trusted domain. Also I have the
> > Builtin Administrators and Users as my default NTACLS on shares.
> >
> > Could you please tell me if there is any other idmap backend which supports
> > both trusted domains and auto-add of Builtins.
> >
> > Regards,
> > --Partha
> >
> >
> > On Thu, Jul 2, 2015 at 12:46 PM, Michael Adam <obnox at samba.org> wrote:
> >
> > > On 2015-07-02 at 07:56 -0700, Partha Sarathi wrote:
> > > > Hi,
> > > >
> > > > Currently we are using samba-4.1.17 as member server to AD. Below are
> > > > the idmap settings in smb.conf
> > > >
> > > > allow trusted domains = yes
> > > > idmap config * : backend = tdb
> > > > idmap config * : range = 2000000-2999999
> > > > idmap config  * : backend = hash
> > > > idmap config  * : range = 10000000-109999999
> > >
> > > This idmap config is invalid.
> > > It specifies the default config ("*") twice,
> > > hence only the second settings take effect.
> > >
> > > And the hash backend is actually not suitable
> > > for the default config, since it does not implement
> > > the methods for just producing an ID. But creation
> > > of group objects ('group mappings' as we call them)
> > > currently relies on this feature from "idmap config *".
> > > Hence the builtin groups can not be created.
> > >
> > > We should have removed idmap_hash long ago since
> > > it has other problems (hash collisions) and
> > > I actually thought we had. I am shocked this
> > > does not seem to be the case...
> > >
> > > Cheers - Michael
> > >
> > >
> > >
> > > > ==================================================
> > > >
> > > > #net sam -d10 createbuiltingroup Administrators
> > > > Found pdb backend tdbsam
> > > > pdb backend tdbsam has a valid init
> > > > Could not find map for sid S-1-5-32-544
> > > > Trying to create builtin alias 544
> > > > lookup_sid called for SID 'S-1-5-32-544'
> > > > Accepting SID S-1-5-32 in level 1
> > > > lookup_rids called for domain sid 'S-1-5-32'
> > > > Sid S-1-5-32-544 -> BUILTIN\Administrators(4)
> > > > *pdb_create_builtin_alias: Could not get a gid out of winbind*
> > > > Creating Administrators failed with NT_STATUS_ACCESS_DENIED
> > > > return code = -1
> > > > Opening cache file at /var/cache/samba/gencache.tdb
> > > > Opening cache file at /var/run/samba/gencache_notrans.tdb
> > > >
> > > >
> > > > root at OneBlox0025:/opt/exablox/config# wbinfo  -Y S-1-5-32-545
> > > > *failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND*
> > > > Could not convert sid S-1-5-32-545 to gid
> > > >
> > > > I used the *hash* backend method for the trusted domain support
> > > > without giving any specific "DOMAIN" to it. But if I specify the DOMAIN
> > > > to the idmap hash backend method I can see the above commands succeed.
> > > >
> > > > Note: I didn't have this issue in 3.6.X
> > > >
> > > > Question is: If I specify the "DOMAIN" to idmap hash backend without
> > > > giving " * ", will it support trusted domain users to get the uid and gid
> > > > from the range I specified?
> > > >
> > > > --
> > > > Thanks & Regards
> > > > -Partha
> > >
> >
> >
> >
> > --
> > Thanks & Regards
> > -Partha
>



-- 
Thanks & Regards
-Partha
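A small checker for the three configuration faults this thread identifies (the "*" default set twice so only the last wins, a backend used as default that cannot allocate IDs, and per-domain ranges that are not disjoint). This is an added example, not code from the thread or from Samba; the rule that hash and rid are unusable as the "*" default is taken from Michael's replies above, and the sample configs are constructed from the quoted smb.conf.

```python
import re
from collections import defaultdict

# Backends that, as the thread explains, cannot serve the default ("*") domain:
# neither hash nor rid allocates new IDs, which group-mapping creation needs.
NON_ALLOCATING = {"hash", "rid"}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(smb_conf):
    """Collect idmap settings per domain and count how often each key is set."""
    domains, seen = defaultdict(dict), defaultdict(int)
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            seen[(dom, key)] += 1
            domains[dom][key] = val  # the later setting wins, as in smb.conf
    return domains, seen

def check_idmap(smb_conf):
    """Return the list of problems found in the idmap part of an smb.conf."""
    domains, seen = parse_idmap(smb_conf)
    problems = [f"'{key}' for domain {dom} set {n} times; only the last takes effect"
                for (dom, key), n in seen.items() if n > 1]
    backend = domains.get("*", {}).get("backend", "").lower()
    if backend in NON_ALLOCATING:
        problems.append(f"backend '{backend}' cannot allocate IDs, so it cannot be the '*' default")
    # Ranges of all configured domains, the default included, must be disjoint.
    ranges = []
    for dom, cfg in domains.items():
        if "range" in cfg:
            lo, hi = cfg["range"].split("-")
            ranges.append((int(lo), int(hi), dom))
    for (_, hi1, d1), (lo2, _, d2) in zip(sorted(ranges), sorted(ranges)[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

# Constructed inputs: the config quoted in the thread, and a corrected one
# using autorid as the default backend, as Michael suggests.
BROKEN = """\
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config  * : backend = hash
idmap config  * : range = 10000000-109999999
"""
FIXED = """\
idmap config * : backend = autorid
idmap config * : range = 10000000-109999999
"""
```

Run `check_idmap(BROKEN)` to see all three findings; `check_idmap(FIXED)` returns an empty list.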
