Jiří Černý
2017-Sep-07 13:04 UTC
[Samba] SOLVED: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> You may get away with using the 'rid' backend, but this will have to be
> your choice, but whatever you choose, I am sure we can help you get to
> a working domain.
>
> Rowland

So I have an example. We have a file and print server based on CentOS 7 with Samba 4.4.4. As the wiki said (https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients) we have to set permissions on the [print$] share:

    # chgrp -R "SAMDOM\Domain Admins" /srv/samba/printer_drivers/
    # chmod -R 2755 /srv/samba/printer_drivers/

But I can't do that, because I removed the GID of Domain Admins, so winbind can't enumerate this group. So how to do that? Do I have to change the idmap backend from AD to RID?

smb.conf:

    [global]
        netbios name = itserver
        workgroup = COMPANY
        security = ADS
        realm = SAMDOM.COMPANY.CZ
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 70001-99999
        idmap config COMPANY:backend = ad
        idmap config COMPANY:schema_mode = rfc2307
        idmap config COMPANY:range = 500-40000
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind expand groups = 3
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        load printers = Yes
        map to guest = bad user
        acl allow execute always = True

Jiří

> On Wed, 06 Sep 2017 17:07:42 +0200
> Jiří Černý via samba <samba at lists.samba.org> wrote:
>
> > > I feel I can tell you this without breaking any confidences, the OP
> > > sent me their idmap.ldb and the problem boiled down to these three
> > > DNs
> > >
> > > CN=S-1-5-32-545
> > > CN=S-1-5-32-544
> > > CN=S-1-5-32-546
> > >
> > > The classicupgrade seems to set these to 'ID_TYPE_GID' instead of
> > > 'ID_TYPE_BOTH'.
> > >
> > > Rowland
> >
> > I can confirm this. After changing 'ID_TYPE_GID' to 'ID_TYPE_BOTH'
> > on these three CN= winbind works well. So there are no errors. Also
> > Louis' script works well ;)
>
> This was hard to decipher, but I think I understand it
>
> > > You need to make some choices about your fileservers, do you need
> > > to move data between them? If you do, then you need to use the
> > > winbind 'ad' backend to ensure the data retains the correct
> > > ownership. If you don't, then you can use the 'rid' backend, this
> > > doesn't add anything to AD.
> >
> > Sorry for that mess, I don't know why the mailserver did it.
> > In 99% of cases we don't move data between them, so I have to
> > consider it.
>
> You may get away with using the 'rid' backend, but this will have to be
> your choice, but whatever you choose, I am sure we can help you get to
> a working domain.
>
> Rowland
Rowland Penny
2017-Sep-07 13:36 UTC
[Samba] SOLVED: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
On Thu, 07 Sep 2017 15:04:43 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> > You may get away with using the 'rid' backend, but this will have to
> > be your choice, but whatever you choose, I am sure we can help you
> > get to a working domain.
> >
> > Rowland
>
> So I have an example. We have a file and print server based on
> CentOS 7 with Samba 4.4.4. As the wiki said
> (https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients)
> we have to set permissions on the [print$] share:
>
> # chgrp -R "SAMDOM\Domain Admins" /srv/samba/printer_drivers/
> # chmod -R 2755 /srv/samba/printer_drivers/
>
> But I can't do that, because I removed the GID of Domain Admins, so
> winbind can't enumerate this group.
> So how to do that? Do I have to change the idmap backend from AD to RID?

OK, my suggestion is to create an AD group (again this is just a suggestion, 'Unix Admins'), give this group a gidNumber and make it a member of 'Domain Admins'. Now use this new group instead of 'Domain Admins' on Unix.

Rowland
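
A check for the idmap.ldb condition reported earlier in this thread (the three BUILTIN DNs mapped as 'ID_TYPE_GID' instead of 'ID_TYPE_BOTH'), as an added example that is not code from the thread or from Samba. The `type` and `xidNumber` attribute names, the function names and the sample dump are assumptions constructed for illustration; the SIDs and type values are the ones quoted above.

```python
# Added example: flag BUILTIN SID records in an idmap.ldb text dump that are not ID_TYPE_BOTH.
# The "type" attribute name is an assumption; the SIDs and type values come from the thread.
BUILTIN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}
EXPECTED_TYPE = "ID_TYPE_BOTH"

# Constructed sample dump (not taken from the thread).
SAMPLE_LDIF = """\
dn: CN=S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 3000000

dn: CN=S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_GID
xidNumber: 3000002
"""

def parse_records(ldif_text):
    """Split LDIF text into one dict per record, keyed by lower-cased attribute."""
    records, current = [], {}
    for line in ldif_text.splitlines() + [""]:
        if not line.strip():                        # a blank line ends a record
            if current:
                records.append(current)
            current = {}
        elif line[0] not in "# " and ":" in line:   # skip comments and continuations
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return records

def audit_builtin_types(ldif_text):
    """Return (sid, name, type) for each BUILTIN record that is not ID_TYPE_BOTH."""
    findings = []
    for rec in parse_records(ldif_text):
        sid = rec.get("dn", "").upper().replace("CN=", "", 1)
        if sid in BUILTIN_SIDS and rec.get("type") != EXPECTED_TYPE:
            findings.append((sid, BUILTIN_SIDS[sid], rec.get("type")))
    return findings

if __name__ == "__main__":
    for sid, name, found in audit_builtin_types(SAMPLE_LDIF):
        print(f"{sid} ({name}): type={found}, expected {EXPECTED_TYPE}")
```

To check a real server, pass the text output of `ldbsearch -H <path-to-idmap.ldb>` to `audit_builtin_types()`; records for domain SIDs are ignored because only the three BUILTIN DNs from the thread are in scope.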