Li, Ying (ESG)
2005-Aug-24 01:32 UTC
[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups
Hi,

wbinfo -Y BUILTIN\group can work without idmap_rid in Samba-3.0.14a. But
I'm experiencing wbinfo -Y with idmap_rid failed for SID to GID
conversion of BUILTIN groups.

Since idmap_rid only works in a single domain, and captures workgroup's
domain sid as a real domain sid in rid_idmap_get_domains(), when running
"wbinfo -Y BUILTIN/System Operators", the function
rid_idmap_get_id_from_sid() checks if incoming sid is same with
workgroup domain sid by following comparison:

    if ( sid_compare_domain(sid, &sidstr) == 0 )

This would let the first "for" loop continue to go to the end, and make
the loop variable i equal to trust.number(=1). And the code after the
loop

    if (i == trust.number) {
        DEBUG(0,("rid_idmap_get_id_from_sid: no suitable range available for sid: %s\n",
            sid_string_static(sid)));
        return NT_STATUS_INVALID_PARAMETER;
    }

leads to generate an error with "no suitable range available for sid:",
even if both
idmap uid range and idmap gid range are exactly equal to idmap_rid range
in smb.conf.

So I'm wondering idmap_rid capability. I'd like to ask somebody if
idmap_rid can work with BUILTIN group. If the answer is yes, How do we
get Samba BUILTIN groups' SID? If the answer is no, I want to know if
there is a possible solution to resolve sid to gid conversion for samba
builtin groups by winbind with idmap_rid.

smb.conf

    [global]
    workgroup = MYDOMAIN
    security = ads or domain
    allow trust domains = no
    idmap backend = idmap_rid:"MYDOMAIN=50000-60000"
    idmap uid = 50000-60000
    idmap gid = 50000-60000
    ......

Any information is really appreciated.
-Ying
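The lookup described in the message above, as an added example that is not part of the original post and is not Samba's code: a simplified C stand-in for the domain comparison loop, showing why a BUILTIN SID (S-1-5-32-544, BUILTIN\Administrators) never matches the single configured domain and leaves the index equal to the domain count. The struct, the helper names and the domain SID are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a SID; not Samba's DOM_SID. */
struct sid { unsigned long auth; int n; unsigned long sub[15]; };

/* Parse "S-1-<auth>-<sub>-<sub>..." into *out; returns 0 on success. */
static int parse_sid(const char *s, struct sid *out) {
    char *end;
    if (strncmp(s, "S-1-", 4) != 0) return -1;
    out->auth = strtoul(s + 4, &end, 10);
    for (out->n = 0; *end == '-' && out->n < 15; out->n++) {
        const char *p = end + 1;
        out->sub[out->n] = strtoul(p, &end, 10);
        if (end == p) return -1;            /* empty sub-authority */
    }
    return *end == '\0' ? 0 : -1;
}

/* Simplified rule (not Samba's sid_compare_domain()): dom plus one RID. */
static int in_domain(const struct sid *sid, const struct sid *dom) {
    if (sid->auth != dom->auth || sid->n != dom->n + 1) return 0;
    return memcmp(sid->sub, dom->sub, dom->n * sizeof dom->sub[0]) == 0;
}

/* Mirrors the loop from the message; returns `number` if nothing matches. */
static int find_domain(const char *sid_str, const char **doms, int number) {
    struct sid sid, dom;
    int i;
    if (parse_sid(sid_str, &sid) != 0) return number;
    for (i = 0; i < number; i++) {
        if (!doms[i] || parse_sid(doms[i], &dom) != 0) continue;
        if (in_domain(&sid, &dom)) break;
    }
    return i;
}

/* Constructed sample data: a made-up domain SID, one configured domain. */
static const char *DOMS[] = { "S-1-5-21-1111111111-2222222222-3333333333" };

int main(void) {
    const char *t[] = { "S-1-5-21-1111111111-2222222222-3333333333-1105",
                        "S-1-5-32-544" /* BUILTIN\Administrators */ };
    for (int k = 0; k < 2; k++)
        printf("%-48s %s\n", t[k], find_domain(t[k], DOMS, 1) == 1
               ? "no suitable range available" : "matched domain 0");
    return 0;
}
```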
Stefanos Karasavvidis
2005-Aug-27 07:32 UTC
[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups
Did you find any solution to this? I'm experiencing a similar problem
with all the builtin groups

sk

Li, Ying (ESG) wrote:
> Hi,
>
> wbinfo -Y BUILTIN\group can work without idmap_rid in Samba-3.0.14a. But
> I'm experiencing wbinfo -Y with idmap_rid failed for SID to GID
> conversion of BUILTIN groups.
>
> Since idmap_rid only works in a single domain, and captures workgroup's
> domain sid as a real domain sid in rid_idmap_get_domains(), when running
> "wbinfo -Y BUILTIN/System Operators", the function
> rid_idmap_get_id_from_sid() checks if incoming sid is same with
> workgroup domain sid by following comparison:
>
>     if ( sid_compare_domain(sid, &sidstr) == 0 )
>
> This would let the first "for" loop continue to go to the end, and make
> the loop variable i equal to trust.number(=1). And the code after the
> loop
>
>     if (i == trust.number) {
>         DEBUG(0,("rid_idmap_get_id_from_sid: no suitable range available for sid: %s\n",
>             sid_string_static(sid)));
>         return NT_STATUS_INVALID_PARAMETER;
>     }
>
> leads to generate an error with "no suitable range available for sid:",
> even if both
> idmap uid range and idmap gid range are exactly equal to idmap_rid range
> in smb.conf.
>
> So I'm wondering idmap_rid capability. I'd like to ask somebody if
> idmap_rid can work with BUILTIN group. If the answer is yes, How do we
> get Samba BUILTIN groups' SID? If the answer is no, I want to know if
> there is a possible solution to resolve sid to gid conversion for samba
> builtin groups by winbind with idmap_rid.
>
> smb.conf
>     [global]
>     workgroup = MYDOMAIN
>     security = ads or domain
>     allow trust domains = no
>     idmap backend = idmap_rid:"MYDOMAIN=50000-60000"
>     idmap uid = 50000-60000
>     idmap gid = 50000-60000
>     ......
>
> Any information is really appreciated.
> -Ying

--
=====================================================================
Stefanos Karasavvidis
Electronic & Computer Engineer, M.Eng.
e-mail : sk@isc.tuc.gr
Technical University of Crete, Campus Information Systems Center
Address: Akrotiri, Chania, 73100
Tel.: Library Buildings (+30) 28210 37352, (+30) 28210 37355, (+30) 28210 37376
      Environmental Engineering Buildings (+30) 28210 37766
Fax: (+30) 28210 37571
Li, Ying (ESG)
2005-Aug-29 23:12 UTC
[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups
Here is a patch for BUILTIN group sid/gid mapping in idmap_rid. It works to me. #>cd samba-3.0.14a/source/sam #>diff -C3 idmap_rid.c idmap_rid.c_new *** idmap_rid.c Fri Mar 11 05:47:05 2005 --- idmap_rid.c_new Mon Aug 29 15:42:50 2005 *************** *** 459,466 **** fstring sid_string; int i; uint32 rid; ! DOM_SID sidstr; /* check if we have a mapping for the sid */ for (i=0; i<trust.number; i++) { if (!trust.dom[i].sid) { --- 459,470 ---- fstring sid_string; int i; uint32 rid; ! DOM_SID sidstr, sidbuiltin; + string_to_sid(&sidbuiltin, "S-1-5-32"); + if ( sid_compare_domain(sid, &sidbuiltin) == 0 ) { + i=0; + } else { /* check if we have a mapping for the sid */ for (i=0; i<trust.number; i++) { if (!trust.dom[i].sid) { *************** *** 469,474 **** --- 473,479 ---- string_to_sid(&sidstr, trust.dom[i].sid); if ( sid_compare_domain(sid, &sidstr) == 0 ) break; + } }
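Review bot: The new BUILTIN branch hard-codes `i=0` and skips the `if (!trust.dom[i].sid)` check that the loop applies to every entry, so any SID under S-1-5-32 is passed on as if it belonged to the first configured domain, even when that entry has no SID set. If the code after the loop derives the id from the RID and the range of trust.dom[i], a BUILTIN RID and a domain RID of the same value would resolve to the same uid/gid; a dedicated range or an explicit mapping for S-1-5-32 would keep BUILTIN aliases out of the domain's id space. The return value of string_to_sid() is also ignored, and the existing loop body should be re-indented inside the new else so the added closing brace is easy to match.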
Gerald (Jerry) Carter
2005-Aug-31 17:54 UTC
[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups
Li, Ying (ESG) wrote:
| By the way, without idmap_rid, BUILTIN group's gid
| can be displayed when 'winbind nested groups = No'

ok. That's the key thing I needed to know. Thanks.

| When winbind nested groups is enabled, it works
| for ADS and Domain level. Actually, it seems we don't
| need to turn on the option on ADS. Why should it be
| turned on for DOMAIN?

LDAP searches vs. different RPC calls for domain and builtin
groups I expect. Or simply a misplaced check that verifies
the domain SID.

There may be some hoops you could jump through with the current
idmap_rid module. I assume that it is just verifying that
the SID you are resolving matches our own domain SID.

cheers, jerry
Li, Ying (ESG)
2005-Aug-31 21:54 UTC
[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups
Hi Jerry,

When winbind nested groups is enabled, it works for ADS and Domain
level. Actually, it seems we don't need to turn on the option on ADS.
Why should it be turned on for DOMAIN?

Thanks.
-Ying

> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> Sent: Wednesday, August 31, 2005 10:04 AM
> To: Li, Ying (ESG)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Wbinfo -Y couldn't work with idmap_rid
> for BUILTIN groups
>
> Li, Ying (ESG) wrote:
> | Here is a patch for BUILTIN group sid/gid mapping in idmap_rid. It
> | works to me.
>
> Could you just try setting 'winbind nested groups = yes'
> in smb.conf and retest without this patch? Thanks.
>
> cheers, jerry
Li, Ying (ESG)
2005-Aug-31 21:54 UTC
[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups
By the way, without idmap_rid, BUILTIN group's gid can be displayed when
'winbind nested groups = No'

> -----Original Message-----
> From: Li, Ying (ESG)
> Sent: Wednesday, August 31, 2005 10:43 AM
> To: 'Gerald (Jerry) Carter'
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Wbinfo -Y couldn't work with idmap_rid
> for BUILTIN groups
>
> Hi Jerry,
>
> When winbind nested groups is enabled, it works for ADS and
> Domain level. Actually, it seems we don't need to turn on the
> option on ADS. Why should it be turned on for DOMAIN?
>
> Thanks.
> -Ying
>
> > -----Original Message-----
> > From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> > Sent: Wednesday, August 31, 2005 10:04 AM
> > To: Li, Ying (ESG)
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] Wbinfo -Y couldn't work with idmap_rid for
> > BUILTIN groups
> >
> > Li, Ying (ESG) wrote:
> > | Here is a patch for BUILTIN group sid/gid mapping in idmap_rid. It
> > | works to me.
> >
> > Could you just try setting 'winbind nested groups = yes'
> > in smb.conf and retest without this patch? Thanks.
> >
> > cheers, jerry
Li, Ying (ESG)
2005-Sep-01 21:47 UTC
[Samba] Wbinfo -Y couldn't work with idmap_rid for BUILTIN groups
A bug #3056 has been filed.

Thanks.
-Ying

> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> Sent: Thursday, September 01, 2005 7:18 AM
> To: Li, Ying (ESG)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Wbinfo -Y couldn't work with idmap_rid
> for BUILTIN groups
>
> Li, Ying (ESG) wrote:
> | By the way, without idmap_rid, BUILTIN group's gid can be displayed
> | when 'winbind nested groups = No'
>
> Ying,
>
> Would you file a bug report for me at https://bugzilla.samba.org?
> That way the issue won't get lost in my inbox :-)
>
> Thanks.
>
> cheers, jerry