Jiří Černý
2017-Sep-06 13:15 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> On Wed, 06 Sep 2017 11:24:17 +0200
> Jiří Černý via samba <samba at lists.samba.org> wrote:
>
> I feel this all has something to do with the classicupgrade, the
> command works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"'
> work ?

Yes. Take a look:

wbinfo --sid-to-gid="S-1-5-32-544"
15538
wbinfo --gid-info=15538
BUILTIN\administrators:x:15538:

> I haven't received it yet, but will examine and comment on it when
> I do.

I sent it to <rpenny at samba.org>, so I hope that the antispam filters
do their job not so hard ;)

> Yes, but is this set on the computers object in sam.ldb as a gidNumber
> or in idmap.ldb as a xidNumber ?

I mean in ADUC, I didn't inspect the databases. It was NIS domain and
GIDs in the UNIX Attributes tab of ADUC. So it was definitely gidNumber.
Stored probably in sam.ldb.

> If you don't have any Unix machine (other than the Samba AD DC) you do
> not need any uidNumber or gidNumber attributes in AD.

We have 5 Linux fileservers, so we really need this function. Also we
use LDAP login to our intranet (Plone), whose plugin uses UIDs/GIDs. I
personally use a Fedora laptop and desktop joined to the domain by realmd
and sssd, which work well. In the past I did some work on a 'CentOS linux
desktop' project, so there is a chance that we will need UNIX attributes
at least for user accounts and the Domain Users group as primary group.
But we don't need to set numeric IDs for other "default" domain groups
like BUILTIN and Domain\xxxxx.

> > Is it enough to just set NIS domain to <none> in ADUC to "clear" the
> > GID at groups/users which shouldn't have it?
>
> No, sorry that will not work.

Probably yes, or maybe we don't understand each other. I tested it in a
lab domain (Samba 4.7rc4) by ldbsearch in sam.ldb. If I set NIS domain
and GID (in ADUC), then the msSFU30NisDomain: and gidNumber: attributes
appear. When I set NIS domain to <none>, both attributes disappear.

> > > A gidNumber can be used on any Unix machine in the domain, a
> > > xidNumber will only be used on the DC.
> >
> > Finally I got it. Forgive me, sometimes it takes quite a long time
> > until my brain assembles all the information together :D
>
> No problem
>
> Rowland

Can I make a proposal? Is it possible to edit the wiki page about
Classic upgrade? At least add some warning about the possibility of
problems with ID map ranges migrated from ancient Samba 3.X+LDAP systems?

And second. Is it possible to change the Classic upgrade scripts to have
an option of not copying GIDs to "default" groups? I think it should be
enough if the migration script copies the members of those groups but
skips copying the GIDs. Not for us, it will be difficult to fix our
domain (but I believe that the amazing guys here will help me to fix that
goddamn BUILTIN Admins ;)), but for other people who will migrate an S3
NT4 domain to S4 AD.
Rowland Penny
2017-Sep-06 14:19 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
On Wed, 06 Sep 2017 15:15:57 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> [...]

This was hard to decipher, but I think I understand it. You need to make
some choices about your fileservers: do you need to move data between
them? If you do, then you need to use the winbind 'ad' backend to ensure
the data retains the correct ownership. If you don't, then you can use
the 'rid' backend, this doesn't add anything to AD.

Rowland
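The two winbind choices Rowland describes, written out as smb.conf fragments for a Unix domain member fileserver (not for the DC). This is an added illustration, not configuration from the thread; the domain name SAMDOM, the realm and the ID ranges are placeholders.

```ini
# Added example: two [global] variants for a Samba domain member fileserver.
# SAMDOM, the realm and the ID ranges are placeholders; adjust them.

# --- Variant A: 'ad' backend -------------------------------------------
# IDs are read from the uidNumber/gidNumber attributes stored in AD (the
# UNIX Attributes tab), so every fileserver resolves the same account to
# the same ID and files moved between servers keep their owners. Accounts
# and groups without these attributes get no ID on the member server.
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   # Default backend: maps BUILTIN and other well-known SIDs (for example
   # S-1-5-32-544, BUILTIN\Administrators) to local, per-server IDs.
   # Its range must not overlap the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   # Also read loginShell/unixHomeDirectory from AD (Samba 4.6 and later)
   idmap config SAMDOM : unix_nss_info = yes

# --- Variant B: 'rid' backend ------------------------------------------
# IDs are computed from the RID part of the SID (range low end + RID).
# Nothing is written to AD and no uidNumber/gidNumber is needed; every
# member server must be configured with the same range.
#[global]
#   workgroup = SAMDOM
#   realm = SAMDOM.EXAMPLE.COM
#   security = ADS
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range = 10000-999999
#   # rid provides no shell or home directory, so supply templates
#   template shell = /bin/bash
#   template homedir = /home/%U
```

After changing the idmap configuration, check it with 'testparm' and confirm the mapping with 'wbinfo --sid-to-gid' for a domain group and for S-1-5-32-544, as done earlier in the thread.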