On a domain member:

    wbinfo --name-to-sid 'NT AUTHORITY\System'
    S-1-5-18

and

    wbinfo --name-to-sid S-1-5-18

returns a name again. But

    wbinfo --group-info 'NT AUTHORITY\System'

does not work.

The message in the winbindd log is:

    [2016/08/19 14:19:52.725686, 0, pid=27212] ../source3/winbindd/winbindd_group.c:45(fill_grent)
      Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!
Hi, I know you guys are very, very busy. But is there a way I can help speed up this bug fix?

Due to this mismatch there are multiple things going wrong here. This is mostly GPO related, but it has a big impact. Lots of settings, policies etc. are applied as user "SYSTEM" but this fails.

To test this follow these steps.

1. Under "When running the task, use the following user account:", click "Change User or Group..."
2. Click "Locations"
3. Expand the [domain FQDN] and select the "Builtin" container, then click OK
4. In the box labelled "Enter the object name to select:" type "system", then click OK
5. You should see "NT AUTHORITY\System" in the box; you will see "DOMAIN\system"

Now I need to set a GPO object with "NT AUTHORITY\System" as user, which I'm unable to. With the above steps, when you enter the username, there is no SID mapping and it will fail also.

A few tests on a member, but I need it fixed in the ADDC. Running (Samba 4.4.5, Debian):

    wbinfo --name-to-sid 'NT AUTHORITY\System'
    S-1-5-18 SID_WKN_GROUP (5)

    wbinfo --name-to-sid S-1-5-18
    failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup name S-1-5-18

    wbinfo --group-info 'NT AUTHORITY\System'
    failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for group NT AUTHORITY\System

No errors in the logs, but default log levels.

These are the four mappings which must be fixed to make sure all basic Windows things work correctly.

    Name for Local Service      NT AUTHORITY\LOCAL SERVICE
    Name for Network Service    NT AUTHORITY\NETWORK SERVICE
    Name for Local System       NT AUTHORITY\SYSTEM
    Name for Admin Group        BUILTIN\Administrators

Not mentioned there is LocalSystem. The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network.
>> Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; And these accounts have access to most system objects. << but these don't resolve, result, error.
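The four mappings listed in the comment above can be checked in both directions with a small script. This is an added example, not part of the bug report or of Samba; the function names and the `WBINFO` override variable are assumptions made here, and the SIDs are the standard Windows well-known values for those names.

```shell
#!/bin/sh
# Added example: round-trip check for the four well-known mappings.
# WBINFO is an assumed override hook so the check can run against a stub.
WBINFO="${WBINFO:-wbinfo}"

# name|SID pairs; the SIDs are the standard Windows well-known values.
WELL_KNOWN='NT AUTHORITY\LOCAL SERVICE|S-1-5-19
NT AUTHORITY\NETWORK SERVICE|S-1-5-20
NT AUTHORITY\SYSTEM|S-1-5-18
BUILTIN\Administrators|S-1-5-32-544'

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_mapping NAME SID: succeed only if both directions resolve and agree.
check_mapping() {
    name=$1
    want=$2
    # name -> SID: first field of e.g. "S-1-5-18 SID_WKN_GROUP (5)"
    got=$("$WBINFO" --name-to-sid "$name" 2>/dev/null </dev/null | awk 'NR==1 {print $1}')
    if [ "$got" != "$want" ]; then
        printf 'FAIL name-to-sid %s: got "%s", want %s\n' "$name" "$got" "$want"
        return 1
    fi
    # SID -> name: drop the trailing type number, compare case-insensitively
    back=$("$WBINFO" --sid-to-name "$want" 2>/dev/null </dev/null | sed 's/ [0-9][0-9]*$//')
    if [ "$(upper "$back")" != "$(upper "$name")" ]; then
        printf 'FAIL sid-to-name %s: got "%s", want %s\n' "$want" "$back" "$name"
        return 1
    fi
    printf 'OK   %s <-> %s\n' "$name" "$want"
}

# check_all: run every pair, leave the failure count in FAILURES.
check_all() {
    FAILURES=0
    while IFS='|' read -r name sid; do
        check_mapping "$name" "$sid" || FAILURES=$((FAILURES + 1))
    done <<EOF
$WELL_KNOWN
EOF
    [ "$FAILURES" -eq 0 ]
}
# Usage: check_all || echo "well-known SID mapping is broken on this host"
```

Run `check_all` on both a domain member and the DC; a name that resolves to its SID but does not resolve back is reported as a `sid-to-name` failure.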
It would seem that whilst a group such as Domain Admins is mapped to 'ID_TYPE_BOTH' in idmap.ldb, the OS will only accept the group as a user by number, not by name, i.e. 'chown Domain\ Admins:Domain\ Admins file.txt' will fail, but 'chown 3000013:Domain\ Admins file.txt' will succeed. Note that '3000013' is the GID for Domain Admins:

    getent group Domain\ Admins
    SAMDOM\domain admins:x:3000013:SAMDOM\administrator,SAMDOM\rowland
(In reply to Rowland Penny from comment #3)
This is a different bug, please open a new bug report for that and don't put that into this report, otherwise nobody will know who is talking about which issue if you mix different issues in here.
I just want to point out that for me the behavior is a little bit different. I get the same winbindd error, but

    # wbinfo --name-to-sid 'NT AUTHORITY\System'
    failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup name NT AUTHORITY\System

    # wbinfo --name-to-sid S-1-5-18
    failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup name S-1-5-18

    # net cache list | grep 3000002
    Key: IDMAP/UID2SID/3000002 Timeout: Mon Aug 14 06:06:37 2017 Value: S-1-5-18
    Key: IDMAP/SID2XID/S-1-5-18 Timeout: Mon Aug 14 06:06:37 2017 Value: 3000002:B
    Key: IDMAP/GID2SID/3000002 Timeout: Mon Aug 14 06:06:37 2017 Value: S-1-5-18

    # samba-tool --version
    4.5.12-SerNet-Ubuntu-17.trusty
Currently running CI with this patchset:
https://gitlab.com/samba-team/devel/samba/commits/a0309d9e7c283c8c6ee25a067695571c93d26313
CI: https://gitlab.com/samba-team/devel/samba/pipelines/38128181
Created attachment 14721
Patch for 4.8 and 4.9 cherry-picked from master
Comment on attachment 14721
Patch for 4.8 and 4.9 cherry-picked from master
LGTM
Karolin, please add the patch to the relevant branches.
(In reply to Andreas Schneider from comment #9)
Pushed to autobuild-v4-{9,8}-test.
Pushed to both branches. Closing out bug report. Thanks!