Jiří Černý
2017-Sep-04  11:53 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Hello everyone.
I'm trying to fix sysvol rights, because I see errors in output of
/usr/bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
That's nothing new, this was discussed here many times.
Today, I decided to try the script
(https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh)
by Mr. van Belle and I ended with this error:
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid
Confirmed:
wbinfo --sid-to-uid=S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid
So I have a problem with the builtin group Administrators; other groups look
good:
wbinfo --sid-to-uid=S-1-5-32-549
15543
wbinfo --sid-to-uid=S-1-5-11
15549
DB seems to be ok:
samba-tool dbcheck --cross-ncs --fix
Checking 5227 objects
Checked 5227 objects (0 errors)
Is there any way to fix my domain?
I have an AD migrated from Samba 3 NT (migrated to SerNet Samba 4.2).
Running now on 2 CentOS6 DCs, SerNet Samba 4.6.7.
Here is my DS's smb.conf:
# Global parameters
[global]
 workgroup = COMPANY
 realm = samdom.company.cz
 netbios name = DC01
 server role = active directory domain controller
 idmap_ldb:use rfc2307 = yes
 dns forwarder = 192.168.1.34
 allow dns updates = nonsecure
 log level = 1
 load printers = no
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes
[netlogon]
 path = /var/lib/samba/sysvol/samdom.company.cz/scripts
 read only = No
 acl_xattr:ignore system acls = yes
[sysvol]
 path = /var/lib/samba/sysvol
 read only = No
 acl_xattr:ignore system acls = yes
Yours sincerely
 
Jiří Černý
System administrator
 
+420 775 860 300
cerny at svmetal.cz
helpdesk at svmetal.cz
 
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic
 
www.svmetal.cz
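The two long SDDL strings in the sysvolcheck output above differ in a single token, which is easy to miss by eye. The following is an added example (not code from the thread or from Samba) that parses both descriptors and reports only the fields that differ; the two strings are copied from the post, the alias names are standard SDDL abbreviations.

```python
import re

# Constructed copy of the two descriptors quoted in the sysvolcheck output:
# the ACL found on the GPO directory and the one expected from the GPO object.
FOUND = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
         "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
         "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# SDDL two-letter SID aliases that appear in these descriptors.
SID_ALIASES = {"LA": "Local Administrator", "DA": "Domain Admins",
               "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
               "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# Owner, group, DACL flags, then zero or more parenthesised ACEs (no SACL handled).
_SDDL = re.compile(r"^O:(?P<owner>[A-Z]{2}|S-[\d-]+)G:(?P<group>[A-Z]{2}|S-[\d-]+)"
                   r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, aces); each ACE is the 6-tuple
    (type, flags, rights, object_guid, inherit_object_guid, trustee)."""
    m = _SDDL.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    return m.group("owner"), m.group("group"), m.group("flags"), aces

def describe(sid):
    return "%s (%s)" % (sid, SID_ALIASES.get(sid, "unknown alias"))

def diff_sddl(found, expected):
    """List the fields on which two descriptors differ, in plain words."""
    fo, fg, ff, fa = parse_sddl(found)
    eo, eg, ef, ea = parse_sddl(expected)
    out = []
    if fo != eo:
        out.append("owner: %s != %s" % (describe(fo), describe(eo)))
    if ff != ef:
        out.append("dacl flags: %s != %s" % (ff, ef))
    # ACEs compared as sets so a reordered but otherwise identical DACL is not flagged.
    for ace in sorted(set(fa) - set(ea)):
        out.append("unexpected ACE: (%s)" % ";".join(ace))
    for ace in sorted(set(ea) - set(fa)):
        out.append("missing ACE: (%s)" % ";".join(ace))
    return out
```

For the two descriptors from the post, `diff_sddl(FOUND, EXPECTED)` reports only the owner: LA (Local Administrator) on disk versus DA (Domain Admins) expected from the GPO object.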
Rowland Penny
2017-Sep-04  12:50 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
On Mon, 04 Sep 2017 13:53:23 +0200 Jiří Černý via samba <samba at lists.samba.org> wrote:
> Hello everyone.
> I'm trying to fix sysvol rights, because I see errors in output of
> /usr/bin/samba-tool ntacl sysvolcheck
[...]
> So I have a problem with the builtin group Administrators; other groups look
> good:
> wbinfo --sid-to-uid=S-1-5-32-549
> 15543
> wbinfo --sid-to-uid=S-1-5-11
> 15549
>
> DB seems to be ok:
> samba-tool dbcheck --cross-ncs --fix
> Checking 5227 objects
> Checked 5227 objects (0 errors)
>
> Is there any way to fix my domain?

There is probably nothing wrong with your domain, it looks like you have
given some of your Windows AD groups a gidNumber:

S-1-5-32-549 is Server Operators
S-1-5-11 is Authenticated Users

They are both listed as 'ID_TYPE_BOTH' in idmap.ldb.

Can I suggest you go here:
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

Check your AD and remove any gidNumber or uidNumber attributes from any
users or groups that appear on that page, except for 'Domain Users'.

Rowland
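A check of the kind Rowland suggests, added here as an example and not part of the thread: it scans LDIF-style records for uidNumber/gidNumber attributes sitting on well-known SIDs and leaves Domain Users alone. The sample records are constructed, not the poster's domain; the well-known test generalises the Microsoft list to BUILTIN aliases, NT AUTHORITY principals and domain RIDs below 1000.

```python
# Constructed LDIF-style sample (not the poster's domain) of the attributes this
# check reads; on a real DC it would come from e.g. ldbsearch on sam.ldb.
SAMPLE_LDIF = """\
dn: CN=Server Operators,CN=Builtin,DC=samdom,DC=example
objectSid: S-1-5-32-549
gidNumber: 15543

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example
objectSid: S-1-5-21-1111-2222-3333-512
gidNumber: 10001

dn: CN=jcerny,CN=Users,DC=samdom,DC=example
objectSid: S-1-5-21-1111-2222-3333-1105
uidNumber: 10010
"""

def is_well_known(sid):
    """BUILTIN aliases (S-1-5-32-*), NT AUTHORITY principals (e.g. S-1-5-11), domain RIDs < 1000."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-32-") or len(parts) == 4:
        return True
    return sid.startswith("S-1-5-21-") and len(parts) == 8 and int(parts[-1]) < 1000

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def posix_ids_on_well_known(text):
    """(dn, sid, attribute, value) for each POSIX id on a well-known SID, Domain Users excepted."""
    findings = []
    for entry in parse_ldif(text):
        sid = entry.get("objectSid", [""])[0]
        if not is_well_known(sid) or (sid.startswith("S-1-5-21-") and sid.endswith("-513")):
            continue  # ordinary object, or Domain Users (RID 513), which keeps its gidNumber
        for attr in ("uidNumber", "gidNumber"):
            for value in entry.get(attr, []):
                findings.append((entry["dn"][0], sid, attr, value))
    return findings
```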
L.P.H. van Belle
2017-Sep-04  12:54 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Hai,

I had a quick look at this. (in the middle of server upgrades) ..
Your config looks ok. This looks also ok.

> wbinfo --sid-to-uid=S-1-5-11
> 15549

Mine shows,
wbinfo --sid-to-uid=S-1-5-11
3000003

Normally on a DC you should see 30000xx, but that's probably from the Samba 3 upgrade.
Did you give these groups uid/gids, or did you use some mappings somewhere for these groups?
And after the upgrade, did you run net cache flush and restart samba-ad-dc?

It should not matter what the uid/gid are if the checks all work out.
So we have to find first why this is not working for you.

wbinfo --sid-to-uid=S-1-5-32-544
3000000 <<< my output.

Compared your setup to mine. (this one is default set to 0, you need minimal 2 in my opinion, I prefer 4)
winbind expand groups = 4

Beside that, almost the same, I use bind9_dlz, you internal dns. But that should not matter.

Start with the net cache flush and restart samba-ad-dc.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jiří Černý via samba
> Sent: Monday, 4 September 2017 13:53
> To: samba at lists.samba.org
> Subject: [Samba] BUILTIN\Administrators - failed to call
> wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>
> Hello everyone.
> I'm trying to fix sysvol rights, because I see errors in
> output of /usr/bin/samba-tool ntacl sysvolcheck
[...]
> Confirmed:
> wbinfo --sid-to-uid=S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could
> not convert sid S-1-5-32-544 to uid
>
> So I have a problem with the builtin group Administrators; other groups look
> good:
> wbinfo --sid-to-uid=S-1-5-32-549
> 15543
> wbinfo --sid-to-uid=S-1-5-11
> 15549
[...]
> Is there any way to fix my domain?
[...]