Samba package 4.9.x samba smbd not playing with winbind.

Alexander Bokovoy ab at samba.org
Sun Dec 2 18:25:00 UTC 2018


On Sun, 02 Dec 2018, Rowland Penny via samba-technical wrote:
> On Sun, 2 Dec 2018 19:47:48 +0200
> Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org>
> wrote:
> 
> > On Sun, 02 Dec 2018, Andreas Hasenack via samba-technical wrote:
> > > > I have no winbindd at all on the system:
> > > >
> > > > [root@fserver ~]# rpm -qa|grep winbind
> > > > <empty output>
> > > 
> > > Thanks for replying.
> > > 
> > > I think there has been a misunderstanding in this whole thread. Let
> > > me restate the issue.
> > > 
> > > In 4.9.x (at least .2 and .3), when winbind is running, smbd will
> > > fail to start in standalone mode ("security = user").
> > > 
> > > I think when people read that, and saw "winbind is running", they
> > > assumed domain security. This is not the case. It just so happens
> > > that winbind was installed and running.
> > > 
> > > And it fails in fedora29 too, I just tried:
> > > 
> > > andreas@nsnx:~$ lxc launch images:fedora/29 fedora29
> > > Creating fedora29
> > > Starting fedora29
> > > andreas@nsnx:~$ lxc exec fedora29 bash
> > > [root@fedora29 ~]# dnf update -y && dnf install -y samba-winbind samba-client samba
> > > ...
> > > [root@fedora29 ~]# service winbind start
> > > Redirecting to /bin/systemctl start winbind.service
> > > 
> > > [root@fedora29 ~]# systemctl start smb
> > > Job for smb.service failed because the control process exited with error code.
> > > See "systemctl status smb.service" and "journalctl -xe" for details.
> > > [root@fedora29 ~]# journalctl -u smb
> > > -- Logs begin at Sun 2018-12-02 12:30:19 UTC, end at Sun 2018-12-02 12:33:06 UTC. --
> > > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed to reset devices.list: Operation not permitted
> > > Dec 02 12:33:06 fedora29 systemd[1]: Starting Samba SMB Daemon...
> > > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278094,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> > > Dec 02 12:33:06 fedora29 smbd[247]:   create_local_token failed: NT_STATUS_ACCESS_DENIED
> > > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278480,  0] ../source3/smbd/server.c:2000(main)
> > > Dec 02 12:33:06 fedora29 smbd[247]:   ERROR: failed to setup guest info.
> > This is not due to winbindd running or not. This is due to inability
> > to set up guest and BUILTIN\Guests group information:
> > 
> > [2018/12/02 17:35:57.596884,  3] ../source3/groupdb/mapping.c:834(pdb_create_builtin_alias)
> >   pdb_create_builtin_alias: Could not get a gid out of winbind
> > [2018/12/02 17:35:57.596924,  5] ../source3/passdb/pdb_util.c:201(create_builtin_guests)
> >   create_builtin_guests: Failed to create Guests
> > [2018/12/02 17:35:57.596968,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2018/12/02 17:35:57.596988,  2] ../source3/auth/token_util.c:774(finalize_local_nt_token)
> >   Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!  Can Winbind allocate gids?
> > [2018/12/02 17:35:57.597026,  3] ../source3/auth/token_util.c:412(create_local_nt_token_from_info3)
> >   Failed to finalize nt token
> > [2018/12/02 17:35:57.597045,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> >   create_local_token failed: NT_STATUS_ACCESS_DENIED
> > [2018/12/02 17:35:57.597304,  0] ../source3/smbd/server.c:2000(main)
> >   ERROR: failed to setup guest info.
> > 
> > We discussed this in the beginning of the thread already. Samba 4.9
> > requires existence of BUILTIN\Guests mapping. If passdb backend is
> > responsible for builtins, we'll attempt to create BUILTIN\Guests
> > there. However, if there is no range set up, we cannot allocate the
> > rid using this idmap domain.
> > 
> > A solution was also posted in this thread:
> > 
> > net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
> > 
> 
> Excuse me, this would be on a Unix machine, wouldn't it ?
> If so, why are you suggesting mapping a Windows group to a Unix user ?
> Or, do you mean 'nogroup' instead of 'nobody' ?
Whatever is meant to be 'nobody' group on your particular UNIX machine.
Most Linux distributions use nobody:nobody combination.

$ getent group nobody
nobody:x:99:
$ getent passwd nobody
nobody:x:99:99:Nobody:/:/sbin/nologin

-- 
/ Alexander Bokovoy
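
An added example, not part of the original message and not Samba project code: a shell script that recognizes the failure signature quoted above in an smbd log and prints (without running) the thread's `net groupmap add` command, using whichever of `nobody` or `nogroup` resolves on the local machine. The function names, the `GETENT` override hook and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread's author): triage for the smbd
# "failed to setup guest info" startup failure discussed above.
BUILTIN_GUESTS_SID="S-1-5-32-546"   # BUILTIN\Guests SID used in the thread's fix

# Return 0 if the log on stdin shows both messages quoted in the thread:
# the BUILTIN\Guests creation failure and the fatal guest-info error.
has_guests_mapping_failure() {
    awk '
        /Failed to create BUILTIN\\Guests group/ { token = 1 }
        /ERROR: failed to setup guest info/      { fatal = 1 }
        END { exit !(token && fatal) }
    '
}

# Print the first candidate group that resolves through NSS.
# GETENT is a hypothetical hook so the lookup can be stubbed out.
pick_guest_group() {
    for g in nobody nogroup; do
        if ${GETENT:-getent} group "$g" >/dev/null 2>&1; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# Print (do not run) the mapping command from the thread for that group.
suggest_fix() {
    grp=$(pick_guest_group) || { echo "no nobody/nogroup group found" >&2; return 1; }
    printf 'net groupmap add sid=%s unixgroup=%s type=builtin\n' \
        "$BUILTIN_GUESTS_SID" "$grp"
}

# Constructed sample, shaped like the log lines quoted in the thread.
SAMPLE_LOG='[2018/12/02 17:35:57.596988,  2] ../source3/auth/token_util.c:774(finalize_local_nt_token)
  Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!  Can Winbind allocate gids?
[2018/12/02 17:35:57.597304,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.'

if printf '%s\n' "$SAMPLE_LOG" | has_guests_mapping_failure; then
    suggest_fix || true
fi
```

To check a real log, pipe it into `has_guests_mapping_failure`; the smbd log location varies by distribution and is not given in the thread.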


