samba - May 2005 - rid_idmap_get_id_from_sid: no suitable range available for sid

Hello,

I have the following message posted on the linux.samba newsgroup, but so far
no response. Therefore I try again in this group, hoping that there are
other people reading this group, and yes, that hopefully somebody can help
me with my samba winbind problems.

John Knappers



Hello,

"John" <jknappers@nospam.hotmail.com> schreef in bericht
news:42805f47$0$55675$e4fe514c@news.xs4all.nl...
> Hello list,
>
>
> "John" <jknappers@nospam.hotmail.com> schreef in bericht
> news:427f81f8$0$53718$e4fe514c@news.xs4all.nl...
>> Hello,
>>
>> I have some trouble with rid_idmap facility. STFI did'nt help me
this
>> time..
>> Other issues I red about resolved to a too smal idmap range
>> specification.
>> But this an other issue..
>>
>> It looks that the rid_idmap facility tries to map the sid's from
>> Administrators, Backup operators and several other build in groups to a
>> uid <330
>>
>> Configuration:
>> OS Suse 9.1
>> Samba 3.0.14 backport from Suse
>> W2k3 DC in testlab is a NT4 domain upgrade
>>
>> smb.conf snippet
>> workgroup DOM1
>> security = ADS
>> realm:    CORP.DOM1..COM
>> passwd server = *
>> Allow trusted domains = no
>> loglevel =3
>> winbind seperator = no
>> idmap backend = idmap_rid:DOM=330-100000
>> idmap uid = 330-100000
>> idmap gid = 330-100000
>> winbind use default domain = yes
>> etc
>>
>> Joining the ADS domain goes smoothly
>> wbinfo -u gives list with domain users
>> wbinfo -n 'Domain Users' gives list SID  from domain Users
>> wbinfo -n 'Administrators' gives: Could not lookup name
Administratos
>> wbinfo -n 'Backup Operators' gives: Could not lookup name
Backup
>> Operators
>>
>> id Administrator has  uid 1000 and lot's of guid's from
different groups
>> he's member of, but not the guid from the Administrators and backup
>> operators group. I'm also getting log entries like
>> rid_idmap_get_id_from_sid: No available range availeble for sid.
>>
>> It's difficult to paste complete logs at the moment, because the
W2k dc
>> and samba ADS member are running in a isolated testlab.
>>
>> Does anybody know what I'm missing or what's going wrong?
>>
>> John Knappers
>> Argentia B.V.
>> The Netherlands
>>
>>
> Hello,
>
> A carefull look in the morning reveiled:
> The group Administrators / Powerusers ect are translated in samba to:
> BUILDIN/Administrators BUILDIN/Power users etc.
>
> But wbinfo -n BUILDIN/Administrators gives:
> S-1-5-32-544 Well-known Group (5)
> and wbinfo -Y  S-1-5-32-544 gives:
> Could not convert sid S-1-5-32-544 to gid...
>
> Are those sid's not very short? As I remembered the were much longer.
> It look that the Sid's from the BUILDIN groups are truncated!
> duh, how is that possible?
>
> A wbinfo -n 'Domain Admins' gives:
> S-1-5-21-431110786-547713429-883519231-512 Domain Group (2)
> and wbinfo -y S-1-5-21-431110786-547713429-883519231-512
> 1012
>
> Looking on the production network, that's still running a NT4 DC.
> The samba host there is running winbind without the idmap_rid facility.
> But there wbinfo -n 'BUILDIN/Administrators' also gives
> S-1-5-32-544 Well-known Group (5)
> becouse winbind is running without idmap_rid facility
> a wbinfo -Y S-1-5-32-544 resolves to
> 10063
>
> Does someone has any id what's going on here?
>
> regards,
>
> John Knappers
> Argentia B.V.
> The Netherlands
>
After a bit futher searching the internet I found some answers in the
following link:
http://support.microsoft.com/kb/q163846/

There I did find out that the BUILDIN local group and some special groups
/users have always the same short SID
Built-In Local Groups
BUILTIN\ADMINISTRATORS         S-1-5-32-544          (=0x220)
BUILTIN\USERS                                S-1-5-32-545          (=0x221)
BUILTIN\GUESTS                             S-1-5-32-546          (=0x222)
BUILTIN\ACCOUNT OPERATORS  S-1-5-32-548          (=0x224)
BUILTIN\SERVER OPERATORS       S-1-5-32-549          (=0x225)
BUILTIN\PRINT OPERATORS        S-1-5-32-550          (=0x226)
BUILTIN\BACKUP OPERATORS   S-1-5-32-551          (=0x227)
BUILTIN\REPLICATOR                 S-1-5-32-552          (=0x228)
Special Groups
\CREATOR OWNER                     S-1-3-0
\EVERYONE                                  S-1-1-0
NT AUTHORITY\NETWORK       S-1-5-2
NT AUTHORITY\INTERACTIVE   S-1-5-4
NT AUTHORITY\SYSTEM            S-1-5-18
NT AUTHORITY\authenticated users   S-1-5-11 *
NT AUTHORITY\LOCAL SERVICE S-1-5-19
NT AUTHORITY\NETWORK SERVICE S-1-5-

Those SID's matches, with what I found on our samba system.

So, it's clear now, that those SID's are not accidentely truncated, but
are
so
by design. How does this fit in the Samba rid_idmap?
Does anybody has a clue??

Regards,

John Knappers
Argentia B.V.
The Netherlands