samba - Sep 2017 - BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

I do think its a classic upgrade from 3.x to 4.x that causes this. 
And the samba 3 was a samba with smbldap-tools 
or configured with something like : net groupmap add ntgroup="Domain
Admins" unixgroup=domadm rid=512 type=d
( as shown here
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html )

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> lists via samba
> Verzonden: woensdag 6 september 2017 15:55
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] BUILTIN\Administrators - failed to 
> call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> 
> Hi,
> 
> On 6-9-2017 10:47, Rowland Penny via samba wrote:
> >> wbinfo --sid-to-uid="S-1-5-32-544"
> >> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not 
> >> convert sid S-1-5-32-544 to uid
> > I feel this all has something to do with the classicupgrade, the 
> > command works for me, does 'wbinfo 
> --sid-to-gid="S-1-5-32-544"' work ?
> 
> FYI: our domain was classicupgraded in the samba 4.1 days, 
> and both  > wbinfo --sid-to-uid="S-1-5-32-544"
> and
>  > wbinfo --sid-to-gid="S-1-5-32-544"
> give the same output on all DCs:
> 
> 3000000
> 
> So not sure if classicupgraded or not is relevant here.
> 
> MJ
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Wed, 6 Sep 2017 16:19:05 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> I do think its a classic upgrade from 3.x to 4.x that causes this. 
> And the samba 3 was a samba with smbldap-tools 
> or configured with something like : net groupmap add ntgroup="Domain
> Admins" unixgroup=domadm rid=512 type=d ( as shown here
>
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
> ) 
I feel I can tell you this without breaking any confidences, the OP
sent me their idmap.ldb and the problem boiled down to these three DNs

CN=S-1-5-32-545
CN=S-1-5-32-544
CN=S-1-5-32-546

The classicupgrade seems to set these to 'ID_TYPE_GID' instead of
'ID_TYPE_BOTH'.

Rowland

Ah, so you did find a bug in the classic upgrade :-) great, one less in the
future samba ;-)

One extra to remember. 

Greetz, 

Louis
 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: woensdag 6 september 2017 16:40
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] BUILTIN\Administrators - failed to 
> call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> 
> On Wed, 6 Sep 2017 16:19:05 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > 
> > I do think its a classic upgrade from 3.x to 4.x that causes this. 
> > And the samba 3 was a samba with smbldap-tools or configured with 
> > something like : net groupmap add ntgroup="Domain Admins" 
> > unixgroup=domadm rid=512 type=d ( as shown here 
> > 
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmappi
> > ng.html
> > )
> 
> I feel I can tell you this without breaking any confidences, 
> the OP sent me their idmap.ldb and the problem boiled down to 
> these three DNs
> 
> CN=S-1-5-32-545
> CN=S-1-5-32-544
> CN=S-1-5-32-546
> 
> The classicupgrade seems to set these to 'ID_TYPE_GID' 
> instead of 'ID_TYPE_BOTH'.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Wed, 6 Sep 2017 16:52:31 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Ah, so you did find a bug in the classic upgrade :-) great, one less
> in the future samba ;-) 
There appears to be a few 'problems' in 'classicupgrade' and the
way it
works. It doesn't seem to know about 'ID_TYPE_BOTH' and anyway, a
lot
of the 'well known SIDs' will not be in idmap.ldb because they
haven't
yet connected to Samba (as far as I am aware, an entry in idmap.ldb is
only created when a SID connects)

A lot of Samba 4 was written 5 plus years ago and a lot has been learnt
about AD since then and a lot of the code has been fixed, but there is
still a lot to fix.

Rowland