Samba package 4.9.x samba smbd not playing with winbind.

Alexander Bokovoy ab at samba.org
Sun Dec 2 17:47:48 UTC 2018 

On su, 02 joulu 2018, Andreas Hasenack via samba-technical wrote:
> > I have no winbindd at all on the system:
> >
> > [root at fserver ~]# rpm -qa|grep winbind
> > <empty output>
> 
> Thanks for replying.
> 
> I think there has been a misunderstanding in this whole thread. Let me
> restate the issue.
> 
> In 4.9.x (at least .2 and .3), when winbind is running, smbd will fail
> to start in standalone mode ("security = user").
> 
> I think when people read that, and saw "winbind is running", they
> assumed domain security. This is not the case. It just so happens that
> winbind was installed and running.
> 
> And it fails in fedora29 too, I just tried:
> 
> andreas at nsnx:~$ lxc launch images:fedora/29 fedora29
> Creating fedora29
> Starting fedora29
> andreas at nsnx:~$ lxc exec fedora29 bash
> [root at fedora29 ~]# dnf update -y && dnf install -y samba-winbind
> samba-client samba
> ...
> [root at fedora29 ~]# service winbind start
> Redirecting to /bin/systemctl start winbind.service
> 
> [root at fedora29 ~]# systemctl start smb
> Job for smb.service failed because the control process exited with error code.
> See "systemctl status smb.service" and "journalctl -xe" for details.
> [root at fedora29 ~]# journalctl -u smb
> -- Logs begin at Sun 2018-12-02 12:30:19 UTC, end at Sun 2018-12-02
> 12:33:06 UTC. --
> Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed to reset
> devices.list: Operation not permitted
> Dec 02 12:33:06 fedora29 systemd[1]: Starting Samba SMB Daemon...
> Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278094,  0]
> ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> Dec 02 12:33:06 fedora29 smbd[247]:   create_local_token failed:
> NT_STATUS_ACCESS_DENIED
> Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278480,  0]
> ../source3/smbd/server.c:2000(main)
> Dec 02 12:33:06 fedora29 smbd[247]:   ERROR: failed to setup guest info.
This is not due to winbindd running or not. This is due to inability to
set up guest and BUILTIN\Guests group information:

[2018/12/02 17:35:57.596884,  3] ../source3/groupdb/mapping.c:834(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2018/12/02 17:35:57.596924,  5] ../source3/passdb/pdb_util.c:201(create_builtin_guests)
  create_builtin_guests: Failed to create Guests
[2018/12/02 17:35:57.596968,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/12/02 17:35:57.596988,  2] ../source3/auth/token_util.c:774(finalize_local_nt_token)
  Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!  Can Winbind allocate gids?
[2018/12/02 17:35:57.597026,  3] ../source3/auth/token_util.c:412(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2018/12/02 17:35:57.597045,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/12/02 17:35:57.597304,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.

We discussed this in the beginning of the thread already. Samba 4.9
requires existence of BUILTIN\Guests mapping. If passdb backend is
responsible for builtins, we'll attempt to create BUILTIN\Guests there.
However, if there is no range set up, we cannot allocate the rid using
this idmap domain.

A solution was also posted in this thread:

net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin

-- 
/ Alexander Bokovoy

More information about the samba-technical mailing list