Jiří Černý
2017-Sep-05 08:24 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Thank you both, Rowland and Louis. I'll try to answer you both and give you more info about our domain.

Generally:
In the past, we had a Samba 3.5 NT4 domain on a SLES server (designed ages before, never upgraded). In 2015 I finally decided to migrate to Samba 4 AD. In those days it was 4.2. samba-tool ntacl sysvolcheck was OK, no errors. AD worked (and is working) as expected.

This summer, I arranged a Samba+ subscription from SerNet, so we upgraded to 4.6.X. As I said, everything works, but sysvolcheck throws the errors that you discussed in the other thread.

The original Samba 3 domain was a combination of Samba and an LDAP backend. So the domain schema was populated by smbldap-tools. Users/groups were added by LAM (so smbldap-tools too). UIDs/GIDs were populated from RIDs. The ID map range was from 500 to 10000, so every group and user in our domain has UIDs/GIDs the same as their RID. NSS was driven by LDAP (passwd, shadow and group in nsswitch.conf had the ldap directive).

After the migration (in 2015) I changed this, at least for new users and groups. I know that's not the best solution, but it worked and I didn't have to reset all ACLs on our fileservers.

Rowland:
Yes, you are right. There were UIDs and GIDs set on "system" users and groups. I removed all of them (is removing them in ADUC enough? I have never worked with the ldb tools) except Domain Users and Domain Admins (we use this group as the owner group on many shares on our fileservers).

Louis:
I think that the "bad" numbers in my domain are legacy from Samba 3 + LDAP. AD service restarts and net cache flush were executed many times as we have run this domain for 2 years.

So what's next?
Do you think that I have to rearrange the UIDs and GIDs in our domain to match the numeric pattern of a cleanly provisioned domain?

Thanks for your time. Have a nice day.

Yours sincerely

Jiří Černý
System administrator

+420 775 860 300
cerny at svmetal.cz
helpdesk at svmetal.cz

SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic

www.svmetal.cz

>>> Jiří Černý 4.9.2017 13:53 >>>
Hello everyone.

I'm trying to fix the sysvol rights, because I see errors in the output of /usr/bin/samba-tool ntacl sysvolcheck:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

That's nothing new, this was discussed here many times.

Today, I decided to try the script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh) by Mr. van Belle and I ended with this error:

failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

Confirmed:
wbinfo --sid-to-uid=S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

So I have a problem with the builtin group Administrators; other groups look good:
wbinfo --sid-to-uid=S-1-5-32-549
15543
wbinfo --sid-to-uid=S-1-5-11
15549

DB seems to be OK:
samba-tool dbcheck --cross-ncs --fix
Checking 5227 objects
Checked 5227 objects (0 errors)

Is there any way to fix my domain?

I have an AD migrated from Samba 3 NT (migrated to SerNet Samba 4.2). Running now on 2 CentOS6 DCs, SerNet Samba 4.6.7.

Here is my DS's smb.conf:

# Global parameters
[global]
	workgroup = COMPANY
	realm = samdom.company.cz
	netbios name = DC01
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	dns forwarder = 192.168.1.34
	allow dns updates = nonsecure
	log level = 1
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes

[netlogon]
	path = /var/lib/samba/sysvol/samdom.company.cz/scripts
	read only = No
	acl_xattr:ignore system acls = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
	acl_xattr:ignore system acls = yes

Yours sincerely

Jiří Černý
System administrator

+420 775 860 300
cerny at svmetal.cz
helpdesk at svmetal.cz

SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic

www.svmetal.cz
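The two long SDDL strings in the sysvolcheck error are easy to misread by eye. The following is an added example, not code from the thread or from Samba, that parses the "O:/G:/D:" form printed by sysvolcheck and reports exactly which component differs. Run on the two strings from the error above it shows that the seven ACEs are identical and only the owner differs: the filesystem ACL is owned by LA (the local Administrator account) where the GPO object expects DA (Domain Admins). The abbreviation and access-mask tables are standard SDDL values, and the ACE comparison ignores nothing (order matters, as it does for sysvolcheck).

```python
import re
from dataclasses import dataclass

# Well-known SDDL SID abbreviations that occur in the sysvolcheck output above.
SID_ALIASES = {
    "LA": "local Administrator account",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Access masks appearing in the DACL above.
RIGHTS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}


@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: str      # OI = object inherit, CI = container inherit, IO = inherit only
    rights: int
    trustee: str    # abbreviation or literal SID string


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str  # "P" = protected, i.e. no inherited ACEs
    aces: list


SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse an 'O:...G:...D:...' string such as sysvolcheck prints."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl")
    first = dacl.find("(")
    flags = dacl if first < 0 else dacl[:first]
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, ace_flags, rights, _obj_guid, _inh_guid, trustee = parts
        aces.append(Ace(ace_type, ace_flags, int(rights, 16), trustee))
    return SecurityDescriptor(m.group("owner"), m.group("group"), flags, aces)


def describe(trustee: str) -> str:
    return "%s (%s)" % (trustee, SID_ALIASES.get(trustee, "SID"))


def describe_ace(ace: Ace) -> str:
    rights = RIGHTS.get(ace.rights, "0x%08x" % ace.rights)
    return "%s %s %s for %s" % (ace.ace_type, ace.flags, rights, describe(ace.trustee))


def compare_sddl(actual: str, expected: str) -> list:
    """Return human-readable differences between two descriptors, empty if equal."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    if a.owner != e.owner:
        diffs.append("owner: %s, expected %s" % (describe(a.owner), describe(e.owner)))
    if a.group != e.group:
        diffs.append("group: %s, expected %s" % (describe(a.group), describe(e.group)))
    if a.dacl_flags != e.dacl_flags:
        diffs.append("dacl flags: %r, expected %r" % (a.dacl_flags, e.dacl_flags))
    if a.aces != e.aces:
        missing = [x for x in e.aces if x not in a.aces]
        extra = [x for x in a.aces if x not in e.aces]
        diffs += ["missing ACE: " + describe_ace(x) for x in missing]
        diffs += ["unexpected ACE: " + describe_ace(x) for x in extra]
        if not missing and not extra:
            diffs.append("ACE order differs")
    return diffs


# The two descriptors quoted in the sysvolcheck error above.
ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ACTUAL.replace("O:LAG:", "O:DAG:", 1)

if __name__ == "__main__":
    for line in compare_sddl(ACTUAL, EXPECTED) or ["descriptors match"]:
        print(line)
```

Because the only mismatch is the owner, this points at the ID mapping rather than at the ACE list: the on-disk owner resolves back to the wrong principal, which is consistent with the wbinfo failure for S-1-5-32-544 reported further down.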
L.P.H. van Belle
2017-Sep-05 08:48 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Hai,

I leave the advice about the uid/gid numbering to Rowland, I can not give good advice on that.

The script was made in such a way that it should not matter which uid/gids are used where. The script looks them up for you, but it must be error free so we are sure what is set is correct.

If you look in the script, you see the four SIDs:

DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"

These must resolve with wbinfo to get the correct uid/gid for sysvol.

These wbinfo --... tests for "BUILTIN\Administrators" and "BUILTIN\Server Operators":
--sid-to-uid
--uid-to-sid
--gid-to-sid
--sid-to-name
--name-to-sid

For System and Authenticated Users, these must be tested:
--sid-to-uid
--uid-to-sid
--gid-to-sid
--sid-to-name

If one of these fails, you have an error in the setup; these should all resolve on the DC.

wbinfo --sid-to-uid="S-1-5-32-544"
wbinfo --uid-to-sid="The result of above (uid)", returns the value of above (S-1-5-32-544)
wbinfo --gid-to-sid="The result of the first, (uid)=(gid)", returns the value of above (S-1-5-32-544)
wbinfo --sid-to-name="S-1-5-32-544" results in the name.
wbinfo --name-to-sid="The result of above (name)", returns the value of above (S-1-5-32-544)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jiří Černý via samba
> Sent: Tuesday 5 September 2017 10:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>
> Thank you both, Rowland and Louis.
>
> I'll try to answer you both and give you more info about our domain.
>
> Generally:
> In the past, we had a Samba 3.5 NT4 domain on a SLES server (designed ages before, never upgraded). In 2015 I finally decided to migrate to Samba 4 AD. In those days it was 4.2. samba-tool ntacl sysvolcheck was OK, no errors. AD worked (and is working) as expected.
>
> This summer, I arranged a Samba+ subscription from SerNet, so we upgraded to 4.6.X. As I said, everything works, but sysvolcheck throws the errors that you discussed in the other thread.
>
> The original Samba 3 domain was a combination of Samba and an LDAP backend. So the domain schema was populated by smbldap-tools. Users/groups were added by LAM (so smbldap-tools too). UIDs/GIDs were populated from RIDs. The ID map range was from 500 to 10000, so every group and user in our domain has UIDs/GIDs the same as their RID. NSS was driven by LDAP (passwd, shadow and group in nsswitch.conf had the ldap directive).
>
> After the migration (in 2015) I changed this, at least for new users and groups. I know that's not the best solution, but it worked and I didn't have to reset all ACLs on our fileservers.
>
> Rowland:
> Yes, you are right. There were UIDs and GIDs set on "system" users and groups. I removed all of them (is removing them in ADUC enough? I have never worked with the ldb tools) except Domain Users and Domain Admins (we use this group as the owner group on many shares on our fileservers).
>
> Louis:
> I think that the "bad" numbers in my domain are legacy from Samba 3 + LDAP. AD service restarts and net cache flush were executed many times as we have run this domain for 2 years.
>
> So what's next?
> Do you think that I have to rearrange the UIDs and GIDs in our domain to match the numeric pattern of a cleanly provisioned domain?
>
> Thanks for your time. Have a nice day.
>
> Yours sincerely
>
> Jiří Černý
> System administrator
>
> +420 775 860 300
> cerny at svmetal.cz
> helpdesk at svmetal.cz
>
> SV metal spol. s r.o.
> Divec 99
> 500 03 Hradec Králové
> Czech republic
>
> www.svmetal.cz
>
> >>> Jiří Černý 4.9.2017 13:53 >>>
> Hello everyone.
>
> I'm trying to fix the sysvol rights, because I see errors in the output of /usr/bin/samba-tool ntacl sysvolcheck:
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> That's nothing new, this was discussed here many times.
>
> Today, I decided to try the script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh) by Mr. van Belle and I ended with this error:
>
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
>
> Confirmed:
> wbinfo --sid-to-uid=S-1-5-32-544
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-544 to uid
>
> So I have a problem with the builtin group Administrators; other groups look good:
> wbinfo --sid-to-uid=S-1-5-32-549
> 15543
> wbinfo --sid-to-uid=S-1-5-11
> 15549
>
> DB seems to be OK:
> samba-tool dbcheck --cross-ncs --fix
> Checking 5227 objects
> Checked 5227 objects (0 errors)
>
> Is there any way to fix my domain?
>
> I have an AD migrated from Samba 3 NT (migrated to SerNet Samba 4.2). Running now on 2 CentOS6 DCs, SerNet Samba 4.6.7.
>
> Here is my DS's smb.conf:
>
> # Global parameters
> [global]
> 	workgroup = COMPANY
> 	realm = samdom.company.cz
> 	netbios name = DC01
> 	server role = active directory domain controller
> 	idmap_ldb:use rfc2307 = yes
> 	dns forwarder = 192.168.1.34
> 	allow dns updates = nonsecure
> 	log level = 1
> 	load printers = no
> 	printing = bsd
> 	printcap name = /dev/null
> 	disable spoolss = yes
>
> [netlogon]
> 	path = /var/lib/samba/sysvol/samdom.company.cz/scripts
> 	read only = No
> 	acl_xattr:ignore system acls = yes
>
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 	acl_xattr:ignore system acls = yes
>
> Yours sincerely
>
> Jiří Černý
> System administrator
>
> +420 775 860 300
> cerny at svmetal.cz
> helpdesk at svmetal.cz
>
> SV metal spol. s r.o.
> Divec 99
> 500 03 Hradec Králové
> Czech republic
>
> www.svmetal.cz
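Louis's round-trip list (sid-to-uid, uid-to-sid, gid-to-sid, sid-to-name, and name-to-sid for the two BUILTIN groups) is a procedure worth automating so that every leg is checked in the same way on every DC. The following is an added example, not Louis's script and not part of Samba: it runs those wbinfo calls for the four SIDs and reports every leg that fails or does not round-trip back to the starting SID. The wbinfo invocation is injectable, and the block ships with a constructed stand-in that reproduces what Jiří observed (S-1-5-32-549 resolves to 15543, S-1-5-11 to 15549, S-1-5-32-544 fails with WBC_ERR_DOMAIN_NOT_FOUND) so it can be exercised without a DC; the S-1-5-18 entry and all names and SID types in the stand-in are made up for the demo. It assumes wbinfo prints `NAME TYPE` for --sid-to-name and `SID SID_TYPE (n)` for --name-to-sid, and that the uid and gid for a group are the same number, as Louis states.

```python
import subprocess

# The four SIDs from the script, with the display name Louis uses and whether
# the --name-to-sid leg is part of his test list for that SID.
SYSVOL_SIDS = {
    "S-1-5-32-549": ("BUILTIN\\Server Operators", True),
    "S-1-5-32-544": ("BUILTIN\\Administrators", True),
    "S-1-5-18":     ("System", False),
    "S-1-5-11":     ("Authenticated Users", False),
}


def run_wbinfo(args):
    """Run the real wbinfo on a DC; returns (ok, combined output on one line)."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    out = " ".join((proc.stdout + " " + proc.stderr).split())
    return proc.returncode == 0, out


def first_token(s):
    parts = s.split()
    return parts[0] if parts else ""


def strip_type(s):
    """'BUILTIN\\Administrators 4' -> 'BUILTIN\\Administrators' (drop the SID type)."""
    parts = s.rsplit(None, 1)
    return parts[0] if len(parts) == 2 and parts[1].isdigit() else s


def check_sid(sid, wbinfo=run_wbinfo, name_roundtrip=True):
    """Return a list of failed legs for one SID; an empty list means all resolve."""
    failures = []
    ok, out = wbinfo(["--sid-to-uid=" + sid])
    if not ok:
        # Nothing else can be checked without a Unix ID; report the wbinfo error.
        return ["--sid-to-uid=%s: %s" % (sid, out)]
    xid = first_token(out)
    for opt in ("--uid-to-sid", "--gid-to-sid"):   # uid and gid must both map back
        ok, back = wbinfo(["%s=%s" % (opt, xid)])
        if not ok or first_token(back) != sid:
            failures.append("%s=%s gave %r, expected %s" % (opt, xid, back, sid))
    ok, out = wbinfo(["--sid-to-name=" + sid])
    if not ok:
        failures.append("--sid-to-name=%s: %s" % (sid, out))
    elif name_roundtrip:
        name = strip_type(out)
        ok, back = wbinfo(["--name-to-sid=" + name])
        if not ok or first_token(back) != sid:
            failures.append("--name-to-sid=%s gave %r, expected %s" % (name, back, sid))
    return failures


def check_sysvol_sids(wbinfo=run_wbinfo):
    """Map each of the four SIDs to its list of failed legs."""
    return {sid: check_sid(sid, wbinfo, roundtrip)
            for sid, (_name, roundtrip) in SYSVOL_SIDS.items()}


# Constructed stand-in for wbinfo reproducing Jiří's observations; the S-1-5-18
# entry, the names and the SID-type numbers are invented for the demo.
FAKE_DC = {
    "S-1-5-32-549": ("15543", "BUILTIN\\Server Operators", 4),
    "S-1-5-11":     ("15549", "NT AUTHORITY\\Authenticated Users", 5),
    "S-1-5-18":     ("15550", "NT AUTHORITY\\SYSTEM", 5),
}


def fake_wbinfo(args):
    opt, _, val = args[0].partition("=")
    if opt == "--sid-to-uid":
        if val in FAKE_DC:
            return True, FAKE_DC[val][0]
        return False, ("failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND "
                       "Could not convert sid %s to uid" % val)
    if opt in ("--uid-to-sid", "--gid-to-sid"):
        for sid, (xid, _, _) in FAKE_DC.items():
            if xid == val:
                return True, sid
        return False, "Could not convert %s to sid" % val
    if opt == "--sid-to-name":
        if val in FAKE_DC:
            return True, "%s %d" % FAKE_DC[val][1:]
        return False, "Could not lookup sid %s" % val
    if opt == "--name-to-sid":
        for sid, (_, name, kind) in FAKE_DC.items():
            if name == val:
                return True, "%s SID_ALIAS (%d)" % (sid, kind)
        return False, "Could not lookup name %s" % val
    return False, "unsupported option " + opt


if __name__ == "__main__":
    # On a real DC this calls wbinfo; pass fake_wbinfo to see the demo output.
    for sid, problems in check_sysvol_sids().items():
        print(sid, "OK" if not problems else "; ".join(problems))
```

Run on a DC it prints one line per SID; any line other than "OK" is a leg of Louis's list that the script would trip over, so the ID mapping for that SID needs fixing before the sysvol ACLs are reset.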
Rowland Penny
2017-Sep-05 08:57 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
On Tue, 05 Sep 2017 10:24:58 +0200 Jiří Černý via samba <samba at lists.samba.org> wrote:

> Thank you both, Rowland and Louis.
>
> I'll try to answer you both and give you more info about our domain.
>
> Generally:
> In the past, we had a Samba 3.5 NT4 domain on a SLES server (designed ages before, never upgraded). In 2015 I finally decided to migrate to Samba 4 AD. In those days it was 4.2. samba-tool ntacl sysvolcheck was OK, no errors. AD worked (and is working) as expected.
> This summer, I arranged a Samba+ subscription from SerNet, so we upgraded to 4.6.X. As I said, everything works, but sysvolcheck throws the errors that you discussed in the other thread.
>
> The original Samba 3 domain was a combination of Samba and an LDAP backend. So the domain schema was populated by smbldap-tools. Users/groups were added by LAM (so smbldap-tools too). UIDs/GIDs were populated from RIDs. The ID map range was from 500 to 10000, so every group and user in our domain has UIDs/GIDs the same as their RID. NSS was driven by LDAP (passwd, shadow and group in nsswitch.conf had the ldap directive).

This was perfectly common, nobody thought this would ever be a problem, mainly because you had to have a user or group in /etc/passwd or /etc/group mapped to a Samba one. Now with AD, you do not need a user or group in /etc/passwd or /etc/group, so any user or group that uses the RID as a Unix ID is probably too low and is denying the use of any local Unix users.

> After the migration (in 2015) I changed this, at least for new users and groups. I know that's not the best solution, but it worked and I didn't have to reset all ACLs on our fileservers.
>
> Rowland:
> Yes, you are right. There were UIDs and GIDs set on "system" users and groups. I removed all of them (is removing them in ADUC enough? I have never worked with the ldb tools) except Domain Users and Domain Admins (we use this group as the owner group on many shares on our fileservers).

I hope you are not thinking of using GPOs; 'Domain Admins' needs to own things in 'sysvol' and cannot if they are a group (the gidNumber makes them a group).

> Louis:
> I think that the "bad" numbers in my domain are legacy from Samba 3 + LDAP. AD service restarts and net cache flush were executed many times as we have run this domain for 2 years.
>
> So what's next?
> Do you think that I have to rearrange the UIDs and GIDs in our domain to match the numeric pattern of a cleanly provisioned domain?

If you can change the Unix IDs, then this is the way to go.

Rowland
Rowland Penny
2017-Sep-05 09:05 UTC
[Samba] BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
On Tue, 5 Sep 2017 10:48:52 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> I leave the advice about the uid/gid numbering to Rowland, I can not give good advice on that.
>
> The script was made in such a way that it should not matter which uid/gids are used where. The script looks them up for you, but it must be error free so we are sure what is set is correct.

Not entirely true (in my opinion): the script should ensure that, whilst the SIDs do resolve, they resolve in a way that allows them to do what they need to do, which in some cases is a group being a user. The only way to do this is for the ID to come from idmap.ldb on a DC.

Rowland