Anderson Sampaio Mello
2022-May-13 05:14 UTC
[Samba] builtin groups are not mapped by winbind
Hello samba team.

I have a samba configured as a member server of a samba4 domain. This member server is version 4.15.5.

The big problem is that the member server winbind does not generate the gids for some BUILTIN groups, for example:

    Account Operators
    Server Operators
    Backup Operators
    Print Operators

But it generates the gid for:

    Administrators
    guests
    users

When I run the wbinfo --group-info command to get the mapping, the wbinfo command returns the following:

    wbinfo --group-info "BUILTIN\Account Operators"
    failed to call wbcGetrnam: WBC_ERR_DOMAIN_NOT_FOUND
    could not get info for group BUILTIN\Account Operators

Increasing the samba log level to 5, the following error appears in the log:

    could not convert sid S-1-5-32-548 NT_STATUS_NONE_MAPPED

Winbind cannot convert; if I try to convert a SID to GID using the wbinfo command given below, the error is the same:

    wbinfo --sid-to-gid S-1-5-32-548

This is repeated with the groups mentioned: Account Operators, Server Operators, Backup Operators and Print Operators.

My smb.conf looks like this in the global section:

    [global]
    workgroup = COMPANY
    netbios name = fileserver
    realm = EXAMPLE.LOCAL
    security = ads
    log file = /usr/local/samba/var/log/samba/fileserver.log
    max log size = 2048
    log level = 5
    idmap config *:backend = tdb
    idmap config *:range = 21000-80000
    idmap config COMPANY:backend = rid
    idmap config COMPANY:range = 1500-14000
    shell template = /bin/bash
    template homedir = /home/%D/%U

EXAMPLE.LOCAL domain users are mapped without any problems.

The wbinfo -m command returns the following:

    wbinfo -m
    BUILTIN
    FILESERVER
    EXAMPLE

The /etc/krb5.conf file looks like this:

    [libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

Do you know what could be causing this behavior?
On Fri, 2022-05-13 at 02:14 -0300, Anderson Sampaio Mello via samba wrote:
> Hello samba team.
>
> I have a samba configured as a member server of a samba4 domain. This
> member server is version 4.15.5
>
> The big problem is that the member server winbind does not generate
> the gids for some BUILTIN groups, for example:
>
> Account Operators
> Server Operators
> Backup Operators
> Print Operators

I wouldn't worry about it, that doesn't work for myself on a Unix domain member, but these do:

    sudo wbinfo --name-to-sid="BUILTIN\Account Operators"
    S-1-5-32-548 SID_ALIAS (4)
    sudo wbinfo --name-to-sid="BUILTIN\Server Operators"
    S-1-5-32-549 SID_ALIAS (4)
    sudo wbinfo --name-to-sid="BUILTIN\Backup Operators"
    S-1-5-32-551 SID_ALIAS (4)
    sudo wbinfo --name-to-sid="BUILTIN\Print Operators"
    S-1-5-32-550 SID_ALIAS (4)

And in reverse:

    sudo wbinfo --sid-to-name=S-1-5-32-548
    BUILTIN\account operators 4
    sudo wbinfo --sid-to-name=S-1-5-32-549
    BUILTIN\server operators 4
    sudo wbinfo --sid-to-name=S-1-5-32-551
    BUILTIN\backup operators 4
    sudo wbinfo --sid-to-name=S-1-5-32-550
    BUILTIN\print operators 4

So the code knows who they are. :-)

Rowland