Bug 12164 - wbinfo --group-info 'NT AUTHORITY\System' does not work
Summary: wbinfo --group-info 'NT AUTHORITY\System' does not work
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.4.5
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-08-18 16:26 UTC by Stefan Metzmacher
Modified: 2018-12-11 09:53 UTC (History)
8 users (show)

See Also:

Patch for 4.8 and 4.9 cherry-picked from master (10.61 KB, patch)
2018-12-06 11:17 UTC, Ralph Böhme
asn: review+
slow: review? (jra)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2016-08-18 16:26:16 UTC
On a domain member:

wbinfo --name-to-sid  'NT AUTHORITY\System'

wbinfo --name-to-sid S-1-5-18
returns a name again

wbinfo --group-info 'NT AUTHORITY\System' 
does not work.
Comment 1 Ralph Böhme 2016-08-19 12:21:08 UTC
The message is in winbindd log is:

[2016/08/19 14:19:52.725686,  0, pid=27212] ../source3/winbindd/winbindd_group.c:45(fill_grent)
  Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!
Comment 2 Louis 2016-12-01 10:58:20 UTC

I know you guys are very very busy. 
But is there a way i can help speed up this bug fix.
Due to this mismatch there are multiple things going wrong here.

This is mostly GPO related, but it has a big impact. 
Lots of setttings, policies etc, are applies as user "SYSTEM" but this fails. 

To test this follow these steps. 
1. Under "When running the task, use the following user account:", click "Change User or Group..." 

2. Click "Locations" 
3. Expand the [domain FQDN] and select the "Builtin" container, then click OK 
4. In the box labelled "Enter the object name to select:" type "system", then click OK 
5. You should see "NT AUTHORITY\System" in the box  
you wil see "DOMAIN\system" 

Now i need to set a GPO object with "NT AUTHORITY\System" as user, which im unable to. 

With above steps, when you enter the username, there is no sid mapping and it wil fail also. 

few tests On a member but i need it fixed in the ADDC. 
Running :  ( samba 4.4.5 Debian ) 

wbinfo --name-to-sid  'NT AUTHORITY\System'
S-1-5-18 SID_WKN_GROUP (5)

wbinfo --name-to-sid S-1-5-18
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name S-1-5-18

wbinfo --group-info 'NT AUTHORITY\System'
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group NT AUTHORITY\System

no errors in the logs, but default loglevels.

These are the four mapping which must be fixed, to make sure all basic windows thing work correct. 

Name for Local Service    NT AUTHORITY\LOCAL SERVICE
Name for Local System     NT AUTHORITY\SYSTEM
Name for Admin Group      BUILTIN\Administrators 

Not mentioned there is LocalSystem. 
The LocalSystem account is a predefined local account used by the service control manager.
This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. 
It has extensive privileges on the local computer, and acts as the computer on the network. 

>> Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; 
And these accounts have access to most system objects. << 

but these dont resolve, result, error.
Comment 3 Rowland Penny 2017-03-09 11:00:57 UTC
It would seem that whilst a group such as Domain Admins is mapped to 'ID_TYPE_BOTH' in idmap.ldb, the OS will only accept the group as a user by number, not by name.

i.e. 'chown Domain\ Admins:Domain\ Admins file.txt' will fail, but 'chown 3000013:Domain\ Admins file.txt' will succeed.

Note that '3000013' is the GID for Domain Admins:

getent group Domain\ Admins
SAMDOM\domain admins:x:3000013:SAMDOM\administrator,SAMDOM\rowland
Comment 4 Björn Jacke 2017-03-09 11:25:03 UTC
(In reply to Rowland Penny from comment #3)
this is a different bug, please open a new bug report for that and don't put that into this report, otherwise nobody will known who is talking about which issue if you mix different issues in here.
Comment 5 (mail address dead) 2017-08-08 15:40:05 UTC
I just want to point out, that for me the behavior is a little bit different. 
I get the same winbindd error, but 

# wbinfo --name-to-sid  'NT AUTHORITY\System'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NT AUTHORITY\System

# wbinfo --name-to-sid S-1-5-18
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name S-1-5-18

# net cache list | grep 3000002
Key: IDMAP/UID2SID/3000002	 Timeout: Mon Aug 14 06:06:37 2017	 Value: S-1-5-18  
Key: IDMAP/SID2XID/S-1-5-18	 Timeout: Mon Aug 14 06:06:37 2017	 Value: 3000002:B  
Key: IDMAP/GID2SID/3000002	 Timeout: Mon Aug 14 06:06:37 2017	 Value: S-1-5-18

# samba-tool --version
Comment 7 Ralph Böhme 2018-12-06 11:17:48 UTC
Created attachment 14721 [details]
Patch for 4.8 and 4.9 cherry-picked from master
Comment 8 Andreas Schneider 2018-12-06 13:26:45 UTC
Comment on attachment 14721 [details]
Patch for 4.8 and 4.9 cherry-picked from master

Comment 9 Andreas Schneider 2018-12-06 13:27:58 UTC
Karolin, please add the patch to the relevant branches.
Comment 10 Karolin Seeger 2018-12-07 09:29:16 UTC
(In reply to Andreas Schneider from comment #9)
Pushed to autobuild-v4-{9,8}-test.
Comment 11 Karolin Seeger 2018-12-11 09:53:42 UTC
Pushed to both branches.
Closing out bug report.