Samba package 4.9.x samba smbd not playing with winbind.
Alexander Bokovoy
ab at samba.org
Sun Dec 2 11:20:39 UTC 2018
On Sun, 02 Dec 2018, Rowland Penny via samba-technical wrote:
> On Sun, 2 Dec 2018 10:06:31 +0200
> Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org>
> wrote:
>
> > On Fri, 30 Nov 2018, Andreas Hasenack via samba-technical wrote:
> > > On Tue, Sep 25, 2018 at 11:20 AM Alexander Bokovoy via
> > > samba-technical <samba-technical at lists.samba.org> wrote:
> > > >
> > > > On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > > > > @Rowland
> > > > > Now reboot your server.
> > > > > > And smbd isn't started anymore at boot.
> > > > > > Don't get fooled that it started before..
> > > > >
> > > > >
> > > > > @Alexander
> > > > > > Now a small comment on:
> > > > > > With 4.9.0 we expanded guest handling to differentiate
> > > > > > between anonymous and guest sessions. This required a proper
> > > > > > > handling of BUILTIN\Guests and thus is now forced to be able
> > > > > > to have either writable backend or aliases configured
> > > > > > properly.
> > > > > >
> > > > > Yes, that is known.
> > > > >
> > > > > And sorry, but in my opinion this is not handled properly.
> > > > >
> > > > > A "stand alone" setup does not require BUILTIN\Guests maybe
> > > > > COMPUTERNAME\Guests S-1-5-32-546 != SID: S-1-5-21domain-514
> > > > > Guests Domain Guests
> > > > All is needed is BUILTIN\Guests, not Domain Guests.
> > > >
> > > > See e8dc55d2b969 and
> > > > https://bugzilla.samba.org/show_bug.cgi?id=13328
> > > >
> > > > > > Question is mostly what defaults we should have for
> > > > > > BUILTIN\Guests. Perhaps, we should always do the groupmap
> > > > > > rule I added...
> > > > > >
> > > > >
> > > > > > Well, I just follow you Samba Devs.
> > > > > This was a question 'into an air' to trigger Metze's answer. ;)
> > > > >
> > > > > > I'm just an IT guy and I can't program what you guys do..
> > > > > Respect for that!
> > > > >
> > > > > > For now, I keep it simple and in sight for me in my smb.conf and
> > > > > > I set the 2 : idmap * lines. I can add that simply in the
> > > > > > smb.conf of my Debian install, but it's not nice. :-/
> > > > An issue I see is that, unlike 'net groupmap add ..' variant, we
> > > > cannot really default to a working default idmap configuration
> > > > > without knowing in advance what ID range to use there.
> > >
> > > Why does it matter to smbd if winbind is running or not in a
> > > standalone-server config? In both scenarios it is started with the
> > > same standalone-server config. How does it solve the problem of not
> > > having a group mapping from BUILTIN\Guests to some local group when
> > > winbind isn't running?
> > > The above is for a domain case, not standalone server. The default for
> > > both 'server role' and 'security' settings is AUTO.
>
> Ah, but the default on Debian for server role is 'standalone server'
>
> >
> > In AUTO if 'domain logons' option is set, we consider this to be a
> > domain case (PDC or BDC). If not, we are standalone server.
> >
> > For standalone server config smbd uses passdb modules. If your passdb
> > module doesn't handle BUILTIN, how is it going to work? We default to
> > tdbsam and tdbsam by default is responsible for mapping BUILTIN, so it
> > should work.
>
> It doesn't
>
> This is the [global] section from the default Debian smb.conf (without
> all the comments):
>
> [global]
> workgroup = WORKGROUP
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> panic action = /usr/share/samba/panic-action %d
> server role = standalone server
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> usershare allow guests = yes
>
> If you install Samba without winbind, the install tries to start smbd
> and it fails, this problem may have been there for some time, but was
> masked because Debian used to install (and start) winbind with Samba.
> This is no longer the case, you now have to install winbind separately.
Works for me in Fedora 29.
You need tdbsam configured to create builtins, not necessarily winbind.
For example, the following is an example within a Fedora 29 container:
# podman container run --name samba-test -h fserver.samba.test -t -i registry.fedoraproject.org/fedora:29
[root@fserver /]# dnf -y install samba
Fedora Modular 29 - x86_64 490 kB/s | 1.5 MB 00:03
Fedora Modular 29 - x86_64 - Updates 1.5 MB/s | 1.6 MB 00:01
Fedora Modular 29 - x86_64 - Test Updates 1.5 MB/s | 1.9 MB 00:01
Fedora 29 - x86_64 - Test Updates 4.3 MB/s | 14 MB 00:03
Fedora 29 - x86_64 - Updates 3.5 MB/s | 15 MB 00:04
Fedora 29 - x86_64 8.0 MB/s | 62 MB 00:07
Dependencies resolved.
==============================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================
Installing:
samba x86_64 2:4.9.3-0.fc29 updates-testing 602 k
Installing dependencies:
libwbclient x86_64 2:4.9.3-0.fc29 updates-testing 43 k
samba-client-libs x86_64 2:4.9.3-0.fc29 updates-testing 4.8 M
samba-common noarch 2:4.9.3-0.fc29 updates-testing 141 k
samba-common-libs x86_64 2:4.9.3-0.fc29 updates-testing 99 k
samba-common-tools x86_64 2:4.9.3-0.fc29 updates-testing 379 k
samba-libs x86_64 2:4.9.3-0.fc29 updates-testing 102 k
cups-libs x86_64 1:2.2.8-6.fc29 updates 323 k
libldb x86_64 1.4.3-1.fc29 updates 151 k
lmdb-libs x86_64 0.9.22-4.fc29 updates 55 k
avahi-libs x86_64 0.7-16.fc29 fedora 59 k
jansson x86_64 2.11-2.fc29 fedora 43 k
libtalloc x86_64 2.1.14-2.fc29 fedora 42 k
libtdb x86_64 1.3.16-2.fc29 fedora 50 k
libtevent x86_64 0.9.37-2.fc29 fedora 42 k
Transaction Summary
==============================================================================================================================================================================================
Install 15 Packages
.....
Installed:
samba-2:4.9.3-0.fc29.x86_64 libwbclient-2:4.9.3-0.fc29.x86_64 samba-client-libs-2:4.9.3-0.fc29.x86_64 samba-common-2:4.9.3-0.fc29.noarch
samba-common-libs-2:4.9.3-0.fc29.x86_64 samba-common-tools-2:4.9.3-0.fc29.x86_64 samba-libs-2:4.9.3-0.fc29.x86_64 cups-libs-1:2.2.8-6.fc29.x86_64
libldb-1.4.3-1.fc29.x86_64 lmdb-libs-0.9.22-4.fc29.x86_64 avahi-libs-0.7-16.fc29.x86_64 jansson-2.11-2.fc29.x86_64
libtalloc-2.1.14-2.fc29.x86_64 libtdb-1.3.16-2.fc29.x86_64 libtevent-0.9.37-2.fc29.x86_64
Complete!
... [ create smb.conf corresponding to the one Rowland showed above ] ....
[root@fserver ~]# testparm -s
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
Processing section "[testshare]"
Loaded services file OK.
Server role: ROLE_STANDALONE
# Global parameters
[global]
log file = /var/log/samba/log.%m
logging = file
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
server role = standalone server
unix password sync = Yes
usershare allow guests = Yes
idmap config * : backend = tdb
[testshare]
path = /srv
read only = No
... [ set password for a user 'root' so that I could login to Samba ] ...
[root@fserver /]# smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.
... [ install smbclient ] ...
[root@fserver /]# dnf -y install samba-client
....
Installed:
samba-client-2:4.9.3-0.fc29.x86_64 libsmbclient-2:4.9.3-0.fc29.x86_64 perl-Errno-1.29-425.fc29.x86_64 perl-File-Path-2.16-1.fc29.noarch
perl-IO-1.39-425.fc29.x86_64 perl-PathTools-3.75-1.fc29.x86_64 perl-interpreter-4:5.28.1-425.fc29.x86_64 perl-libs-4:5.28.1-425.fc29.x86_64
perl-macros-4:5.28.1-425.fc29.x86_64 perl-threads-shared-1.59-1.fc29.x86_64 perl-Carp-1.50-417.fc29.noarch perl-Exporter-5.73-418.fc29.noarch
perl-Scalar-List-Utils-3:1.50-417.fc29.x86_64 perl-Socket-4:2.027-417.fc29.x86_64 perl-Text-Tabs+Wrap-2013.0523-417.fc29.noarch perl-Unicode-Normalize-1.26-417.fc29.x86_64
perl-constant-1.33-418.fc29.noarch perl-parent-1:0.237-2.fc29.noarch perl-threads-1:2.22-417.fc29.x86_64
Complete!
... [ try to access Samba share as user 'root' and upload some file ] ...
[root@fserver /]# cd root
[root@fserver ~]# touch foobar
[root@fserver ~]# smbclient -U root%TestTest1234 //fserver.samba.test/testshare
Try "help" to get a list of possible commands.
smb: \> mput foobar
Put file foobar? y
putting file foobar as \foobar (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
. D 0 Sun Dec 2 11:02:54 2018
.. D 0 Sun Dec 2 10:55:08 2018
foobar A 0 Sun Dec 2 11:02:54 2018
8377344 blocks of size 1024. 2223704 blocks available
smb: \>
[root@fserver ~]# ps axf
PID TTY STAT TIME COMMAND
1 pts/0 Ss 0:00 /bin/bash
91 ? Ss 0:00 smbd
92 ? S 0:00 \_ smbd
93 ? S 0:00 \_ smbd
94 ? S 0:00 \_ smbd
134 pts/0 R+ 0:00 ps axf
I have no winbindd at all on the system:
[root@fserver ~]# rpm -qa|grep winbind
<empty output>
--
/ Alexander Bokovoy
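
An added example, not part of the original message: a small Python check that parses the two `[global]` sections quoted in this message and lists the parameters that differ, together with the guest-related settings under discussion. The sample configs are abridged copies of the quoted ones, and the function names `parse_global`, `compare` and `guest_report` are hypothetical.

```python
import re

# Constructed sample input: abridged copies of the two [global] sections quoted
# in this message (Debian default smb.conf; `testparm -s` output on Fedora 29).
DEBIAN = """
[global]
workgroup = WORKGROUP
server role = standalone server
map to guest = bad user
usershare allow guests = yes
"""
FEDORA = """
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = Yes
idmap config * : backend = tdb
[testshare]
path = /srv
"""

def parse_global(text):
    """Return {name: value} for [global]; names lowercased, whitespace collapsed."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = " ".join(value.split())
    return params

def compare(a, b):
    """Return (only in a, only in b, shared names whose values differ ignoring case)."""
    changed = sorted(k for k in a.keys() & b.keys()
                     if a[k].casefold() != b[k].casefold())
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), changed

def guest_report(params):
    """Summarise the guest-related settings this thread is about."""
    return {
        "role": params.get("server role", "auto").lower(),
        "guest_fallback": params.get("map to guest", "never").lower() != "never",
        "usershare_guests": params.get("usershare allow guests", "no").lower() == "yes",
        "default_idmap_backend": params.get("idmap config * : backend"),
    }
```

Calling `compare(parse_global(DEBIAN), parse_global(FEDORA))` on these excerpts reports `workgroup` only on the Debian side and `idmap config * : backend` only in the Fedora `testparm -s` output, with no differing values among the shared parameters.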