Jiří Černý
2017-Sep-07 14:46 UTC
[Samba] SOLVED: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Yes, that's exactly what I've done.
OK, my group has the name "IT admins", but the logic is the same ;)
Thank you.

However, I have one more problem. If I create a new group or user and give it a UID/GID, it is immediately reachable on the Linux server. id user, or getent group/passwd, and also wbinfo -u/-g/-i can list info about it. But if I assign a group to a user (or deassign), it takes a lot of time to reflect this change. nsswitch.conf is set up correctly. I tried "net cache flush", but no luck. I tried restarting the winbind service and also deleting the winbindd_cache.tdb and winbindd_idmap.tdb files and restarting winbind, but no luck. Still old groups. I even tried to delete the whole /var/lib/samba directory, reinstall all packages and rejoin, but the same. The user has old groups. BUT after a few hours (I didn't measure how long it took) I tried id user and it has (magically) the right groups.

I tested it on 3 different member servers, 2 CentOS 7 with Samba 4.4.4 and SerNet Samba 4.6.7 and 1 CentOS with SerNet Samba 4.6.7.

Have you ever heard about this behavior?

Jiří

On Thu, 07 Sep 2017 15:04:43 +0200 Jiří Černý via samba <samba at lists.samba.org (https://lists.samba.org/mailman/listinfo/samba)> wrote:

> > You may get away with using the 'rid' backend, but this will have to be
> > your choice, but whatever you choose, I am sure we can help you get to
> > a working domain.
> >
> > Rowland
>
> So I have an example. We have a file and print server based on CentOS 7 with Samba 4.4.4.
> As the wiki said
> (https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients)
> we have to set permissions on the [print$] share:
>
> # chgrp -R "SAMDOM\Domain Admins" /srv/samba/printer_drivers/
> # chmod -R 2755 /srv/samba/printer_drivers/
>
> But I can't do that, because I removed the GID of Domain Admins, so winbind can't enumerate
> this group.
> So how to do that? Do I have to change the idmap backend from AD to RID?

OK, my suggestion is to create an AD group (again, this is just a suggestion: 'Unix Admins'), give this group a gidNumber and make it a member of 'Domain Admins'. Now use this new group instead of 'Domain Admins' on Unix.

Rowland