Bug 12164 - wbinfo --group-info 'NT AUTHORITY\System' does not work
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.4.5
Hardware: All All
Importance: P5 normal
Assigned To: Samba QA Contact
Reported: 2016-08-18 16:26 UTC by Stefan Metzmacher
Modified: 2016-12-01 10:58 UTC
Description Stefan Metzmacher 2016-08-18 16:26:16 UTC
On a domain member:

wbinfo --name-to-sid  'NT AUTHORITY\System'
S-1-5-18

and
wbinfo --name-to-sid S-1-5-18
returns a name again

But 
wbinfo --group-info 'NT AUTHORITY\System' 
does not work.
Comment 1 Ralph Böhme 2016-08-19 12:21:08 UTC
The message in the winbindd log is:

[2016/08/19 14:19:52.725686,  0, pid=27212] ../source3/winbindd/winbindd_group.c:45(fill_grent)
  Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!
Comment 2 Louis 2016-12-01 10:58:20 UTC
Hi,

I know you guys are very, very busy.
But is there a way I can help speed up this bug fix?
Due to this mismatch there are multiple things going wrong here.

This is mostly GPO related, but it has a big impact.
Lots of settings, policies, etc. are applied as user "SYSTEM", but this fails.

To test this, follow these steps.
1. Under "When running the task, use the following user account:", click "Change User or Group..."
2. Click "Locations"
3. Expand the [domain FQDN] and select the "Builtin" container, then click OK
4. In the box labelled "Enter the object name to select:" type "system", then click OK
5. You should see "NT AUTHORITY\System" in the box
You will see "DOMAIN\system"

Now I need to set a GPO object with "NT AUTHORITY\System" as user, which I'm unable to.

With the above steps, when you enter the username, there is no SID mapping and it will also fail.

A few tests on a member, but I need it fixed in the ADDC.
Running: (Samba 4.4.5, Debian)

wbinfo --name-to-sid  'NT AUTHORITY\System'
S-1-5-18 SID_WKN_GROUP (5)

wbinfo --name-to-sid S-1-5-18
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name S-1-5-18

wbinfo --group-info 'NT AUTHORITY\System'
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group NT AUTHORITY\System

No errors in the logs, but default log levels.

These are the four mappings which must be fixed to make sure all basic Windows things work correctly.

Name for Local Service    NT AUTHORITY\LOCAL SERVICE
Name for Network Service  NT AUTHORITY\NETWORK SERVICE
Name for Local System     NT AUTHORITY\SYSTEM
Name for Admin Group      BUILTIN\Administrators 

Not mentioned there is LocalSystem. 
The LocalSystem account is a predefined local account used by the service control manager.
This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. 
It has extensive privileges on the local computer, and acts as the computer on the network. 

>> Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; 
And these accounts have access to most system objects. << 

But these don't resolve, result, error.
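
The lookups exercised in this report can be repeated for all four principals listed in comment 2 with a small check script. This is an added example, not part of any comment and not Samba project code; the function names and the name-to-SID table are assumptions constructed here from the well-known SID values, and it expects wbinfo on the PATH of a joined machine.

```shell
#!/bin/sh
# Added example: round-trip check of well-known principals through winbind.
# Constructed table of "name|expected well-known SID" for the four names
# listed in comment 2.
WELLKNOWN='NT AUTHORITY\LOCAL SERVICE|S-1-5-19
NT AUTHORITY\NETWORK SERVICE|S-1-5-20
NT AUTHORITY\SYSTEM|S-1-5-18
BUILTIN\Administrators|S-1-5-32-544'

# check_one NAME SID
# Runs the three wbinfo lookups seen in this bug and prints one status line.
# Returns 0 when all three work, 1 otherwise.
check_one() {
    name=$1 want=$2 fails=''
    # name -> SID: the first output field must be the expected SID
    got=$(wbinfo --name-to-sid "$name" 2>/dev/null </dev/null |
          awk '{print $1; exit}')
    [ "$got" = "$want" ] || fails="$fails name-to-sid"
    # SID -> name must at least succeed
    wbinfo --sid-to-name "$want" >/dev/null 2>&1 </dev/null ||
        fails="$fails sid-to-name"
    # the lookup this bug is about (fill_grent in winbindd_group.c)
    wbinfo --group-info "$name" >/dev/null 2>&1 </dev/null ||
        fails="$fails group-info"
    if [ -z "$fails" ]; then
        printf 'OK   %s\n' "$name"
    else
        printf 'FAIL %s:%s\n' "$name" "$fails"
        return 1
    fi
}

# check_all: run check_one over the whole table; returns 1 if any entry failed.
check_all() {
    rc=0
    while IFS='|' read -r name sid; do
        check_one "$name" "$sid" || rc=1
    done <<EOF
$WELLKNOWN
EOF
    return $rc
}

# Only run automatically where wbinfo is actually installed.
if command -v wbinfo >/dev/null 2>&1; then
    check_all
fi
```

On a machine showing the behaviour described in this bug, the SYSTEM entry is reported as FAIL with group-info in its list of failed lookups.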