Samba package 4.9.x samba smbd not playing with winbind.
Rowland Penny
rpenny at samba.org
Sun Dec 2 18:14:05 UTC 2018
On Sun, 2 Dec 2018 19:47:48 +0200
Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org>
wrote:
> On su, 02 joulu 2018, Andreas Hasenack via samba-technical wrote:
> > > I have no winbindd at all on the system:
> > >
> > > [root at fserver ~]# rpm -qa|grep winbind
> > > <empty output>
> >
> > Thanks for replying.
> >
> > I think there has been a misunderstanding in this whole thread. Let
> > me restate the issue.
> >
> > In 4.9.x (at least .2 and .3), when winbind is running, smbd will
> > fail to start in standalone mode ("security = user").
> >
> > I think when people read that, and saw "winbind is running", they
> > assumed domain security. This is not the case. It just so happens
> > that winbind was installed and running.
> >
> > And it fails in fedora29 too, I just tried:
> >
> > andreas at nsnx:~$ lxc launch images:fedora/29 fedora29
> > Creating fedora29
> > Starting fedora29
> > andreas at nsnx:~$ lxc exec fedora29 bash
> > [root at fedora29 ~]# dnf update -y && dnf install -y samba-winbind
> > samba-client samba
> > ...
> > [root at fedora29 ~]# service winbind start
> > Redirecting to /bin/systemctl start winbind.service
> >
> > [root at fedora29 ~]# systemctl start smb
> > Job for smb.service failed because the control process exited with
> > error code. See "systemctl status smb.service" and "journalctl -xe"
> > for details. [root at fedora29 ~]# journalctl -u smb
> > -- Logs begin at Sun 2018-12-02 12:30:19 UTC, end at Sun 2018-12-02
> > 12:33:06 UTC. --
> > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed to reset
> > devices.list: Operation not permitted
> > Dec 02 12:33:06 fedora29 systemd[1]: Starting Samba SMB Daemon...
> > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278094, 0]
> > ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> > Dec 02 12:33:06 fedora29 smbd[247]: create_local_token failed:
> > NT_STATUS_ACCESS_DENIED
> > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278480, 0]
> > ../source3/smbd/server.c:2000(main)
> > Dec 02 12:33:06 fedora29 smbd[247]: ERROR: failed to setup guest
> > info.
> This is not due to winbindd running or not. This is due to inability
> to set up guest and BUILTIN\Guests group information:
>
> [2018/12/02 17:35:57.596884,
> 3] ../source3/groupdb/mapping.c:834(pdb_create_builtin_alias)
> pdb_create_builtin_alias: Could not get a gid out of winbind
> [2018/12/02 17:35:57.596924,
> 5] ../source3/passdb/pdb_util.c:201(create_builtin_guests)
> create_builtin_guests: Failed to create Guests [2018/12/02
> 17:35:57.596968, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2018/12/02
> 17:35:57.596988,
> 2] ../source3/auth/token_util.c:774(finalize_local_nt_token) Failed
> to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind
> allocate gids? [2018/12/02 17:35:57.597026,
> 3] ../source3/auth/token_util.c:412(create_local_nt_token_from_info3)
> Failed to finalize nt token [2018/12/02 17:35:57.597045,
> 0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> create_local_token failed: NT_STATUS_ACCESS_DENIED [2018/12/02
> 17:35:57.597304, 0] ../source3/smbd/server.c:2000(main) ERROR:
> failed to setup guest info.
>
> We discussed this in the beginning of the thread already. Samba 4.9
> requires existence of BUILTIN\Guests mapping. If passdb backend is
> responsible for builtins, we'll attempt to create BUILTIN\Guests
> there. However, if there is no range set up, we cannot allocate the
> rid using this idmap domain.
>
> A solution was also posted in this thread:
>
> net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
>
Excuse me, this would be on a Unix machine, wouldn't it ?
If so, why are suggesting mapping a a Windows group to a Unix user ?
Or, do you mean 'nogroup' instead of 'nobody' ?
Rowland
More information about the samba-technical
mailing list