John
2005-May-10 11:28 UTC
[Samba] rid_idmap_get_id_from_sid: no suitable range available for sid
Hello,

I have posted the following message on the linux.samba newsgroup, but so far
no response. Therefore I am trying again in this group, hoping that there are
other people reading this group, and yes, that hopefully somebody can help me
with my Samba winbind problems.

John Knappers

Hello,

"John" <jknappers@nospam.hotmail.com> wrote in message
news:42805f47$0$55675$e4fe514c@news.xs4all.nl...
> Hello list,
>
> "John" <jknappers@nospam.hotmail.com> wrote in message
> news:427f81f8$0$53718$e4fe514c@news.xs4all.nl...
>> Hello,
>>
>> I have some trouble with the rid_idmap facility. STFI didn't help me this
>> time.
>> Other issues I read about resolved to a too small idmap range
>> specification.
>> But this is another issue.
>>
>> It looks like the rid_idmap facility tries to map the SIDs of
>> Administrators, Backup Operators and several other built-in groups to a
>> uid <330
>>
>> Configuration:
>> OS Suse 9.1
>> Samba 3.0.14 backport from Suse
>> W2k3 DC in testlab is an NT4 domain upgrade
>>
>> smb.conf snippet
>>   workgroup DOM1
>>   security = ADS
>>   realm: CORP.DOM1..COM
>>   passwd server = *
>>   Allow trusted domains = no
>>   loglevel =3
>>   winbind seperator = no
>>   idmap backend = idmap_rid:DOM=330-100000
>>   idmap uid = 330-100000
>>   idmap gid = 330-100000
>>   winbind use default domain = yes
>>   etc
>>
>> Joining the ADS domain goes smoothly
>> wbinfo -u gives a list with domain users
>> wbinfo -n 'Domain Users' gives the SID of Domain Users
>> wbinfo -n 'Administrators' gives: Could not lookup name Administratos
>> wbinfo -n 'Backup Operators' gives: Could not lookup name Backup
>> Operators
>>
>> id Administrator has uid 1000 and lots of guids from the different groups
>> he's a member of, but not the guid of the Administrators and Backup
>> Operators groups. I'm also getting log entries like
>> rid_idmap_get_id_from_sid: No available range availeble for sid.
>>
>> It's difficult to paste complete logs at the moment, because the W2k DC
>> and the Samba ADS member are running in an isolated test lab.
>>
>> Does anybody know what I'm missing or what's going wrong?
>>
>> John Knappers
>> Argentia B.V.
>> The Netherlands
>>
> Hello,
>
> A careful look in the morning revealed:
> The groups Administrators / Power Users etc. are translated in Samba to:
> BUILTIN/Administrators, BUILTIN/Power Users etc.
>
> But wbinfo -n BUILTIN/Administrators gives:
> S-1-5-32-544 Well-known Group (5)
> and wbinfo -Y S-1-5-32-544 gives:
> Could not convert sid S-1-5-32-544 to gid...
>
> Are those SIDs not very short? As I remember, they were much longer.
> It looks like the SIDs of the BUILTIN groups are truncated!
> Duh, how is that possible?
>
> A wbinfo -n 'Domain Admins' gives:
> S-1-5-21-431110786-547713429-883519231-512 Domain Group (2)
> and wbinfo -y S-1-5-21-431110786-547713429-883519231-512
> 1012
>
> Looking at the production network, that's still running an NT4 DC.
> The Samba host there is running winbind without the idmap_rid facility.
> But there wbinfo -n 'BUILTIN/Administrators' also gives
> S-1-5-32-544 Well-known Group (5)
> Because winbind is running without the idmap_rid facility,
> a wbinfo -Y S-1-5-32-544 resolves to
> 10063
>
> Does someone have any idea what's going on here?
>
> regards,
>
> John Knappers
> Argentia B.V.
> The Netherlands
>

After a bit of further searching on the internet I found some answers at the
following link:
http://support.microsoft.com/kb/q163846/

There I found out that the BUILTIN local groups and some special groups/users
always have the same short SID.

Built-In Local Groups
  BUILTIN\ADMINISTRATORS            S-1-5-32-544 (=0x220)
  BUILTIN\USERS                     S-1-5-32-545 (=0x221)
  BUILTIN\GUESTS                    S-1-5-32-546 (=0x222)
  BUILTIN\ACCOUNT OPERATORS         S-1-5-32-548 (=0x224)
  BUILTIN\SERVER OPERATORS          S-1-5-32-549 (=0x225)
  BUILTIN\PRINT OPERATORS           S-1-5-32-550 (=0x226)
  BUILTIN\BACKUP OPERATORS          S-1-5-32-551 (=0x227)
  BUILTIN\REPLICATOR                S-1-5-32-552 (=0x228)

Special Groups
  \CREATOR OWNER                    S-1-3-0
  \EVERYONE                         S-1-1-0
  NT AUTHORITY\NETWORK              S-1-5-2
  NT AUTHORITY\INTERACTIVE          S-1-5-4
  NT AUTHORITY\SYSTEM               S-1-5-18
  NT AUTHORITY\authenticated users  S-1-5-11 *
  NT AUTHORITY\LOCAL SERVICE        S-1-5-19
  NT AUTHORITY\NETWORK SERVICE      S-1-5-

Those SIDs match what I found on our Samba system.
So, it's clear now that those SIDs are not accidentally truncated, but are so
by design.

How does this fit in the Samba rid_idmap?
Does anybody have a clue?

Regards,

John Knappers
Argentia B.V.
The Netherlands
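
The SIDs quoted in the message above, split into domain part and RID, as an added example that is not part of the original post or of Samba's code. It assumes that a RID-based mapping covers only SIDs whose domain part equals the configured domain's SID; the function names are hypothetical.

```python
import re

# SIDs quoted in the message; the domain SID is taken from 'Domain Admins'.
DOMAIN_ADMINS = "S-1-5-21-431110786-547713429-883519231-512"
BUILTIN_DOMAIN = "S-1-5-32"

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid):
    """Return (revision, authority, [sub-authorities]); raise ValueError if malformed."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    # A SID carries at most 15 sub-authorities, each a 32-bit value.
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    return int(m.group(1)), int(m.group(2)), subs


def split_rid(sid):
    """Split a SID into (domain SID, RID); the RID is the last sub-authority."""
    rev, auth, subs = parse_sid(sid)
    if not subs:
        raise ValueError("SID has no RID: %r" % sid)
    parts = ["S", str(rev), str(auth)] + [str(s) for s in subs[:-1]]
    return "-".join(parts), subs[-1]


def classify(sid, configured_domain_sid):
    """Return ('domain' | 'builtin' | 'other', rid) for one SID.

    Assumption: only the 'domain' class falls inside a RID-based mapping
    that was configured for configured_domain_sid.
    """
    domain, rid = split_rid(sid)
    if domain == configured_domain_sid:
        return "domain", rid
    if domain == BUILTIN_DOMAIN:
        return "builtin", rid
    return "other", rid


if __name__ == "__main__":
    dom_sid, _ = split_rid(DOMAIN_ADMINS)
    for s in (DOMAIN_ADMINS, "S-1-5-32-544", "S-1-5-32-551", "S-1-1-0", "S-1-5-18"):
        kind, rid = classify(s, dom_sid)
        print("%-45s %-8s rid=%d (0x%x)" % (s, kind, rid, rid))
```

The BUILTIN SIDs are complete SIDs under the fixed domain S-1-5-32, so they never share the domain part of S-1-5-21-431110786-547713429-883519231.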