Samba package 4.9.x samba smbd not playing with winbind.

Alexander Bokovoy ab at samba.org
Sun Dec 2 18:32:50 UTC 2018


On Sun, 02 Dec 2018, Alexander Bokovoy via samba-technical wrote:
> On Sun, 02 Dec 2018, Rowland Penny via samba-technical wrote:
> > On Sun, 2 Dec 2018 19:47:48 +0200
> > Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org>
> > wrote:
> > 
> > > On Sun, 02 Dec 2018, Andreas Hasenack via samba-technical wrote:
> > > > > I have no winbindd at all on the system:
> > > > >
> > > > > [root at fserver ~]# rpm -qa|grep winbind
> > > > > <empty output>
> > > > 
> > > > Thanks for replying.
> > > > 
> > > > I think there has been a misunderstanding in this whole thread. Let
> > > > me restate the issue.
> > > > 
> > > > In 4.9.x (at least .2 and .3), when winbind is running, smbd will
> > > > fail to start in standalone mode ("security = user").
> > > > 
> > > > I think when people read that, and saw "winbind is running", they
> > > > assumed domain security. This is not the case. It just so happens
> > > > that winbind was installed and running.
> > > > 
> > > > And it fails in fedora29 too, I just tried:
> > > > 
> > > > andreas at nsnx:~$ lxc launch images:fedora/29 fedora29
> > > > Creating fedora29
> > > > Starting fedora29
> > > > andreas at nsnx:~$ lxc exec fedora29 bash
> > > > [root at fedora29 ~]# dnf update -y && dnf install -y samba-winbind
> > > > samba-client samba
> > > > ...
> > > > [root at fedora29 ~]# service winbind start
> > > > Redirecting to /bin/systemctl start winbind.service
> > > > 
> > > > [root at fedora29 ~]# systemctl start smb
> > > > Job for smb.service failed because the control process exited with
> > > > error code. See "systemctl status smb.service" and "journalctl -xe"
> > > > for details.
> > > > [root at fedora29 ~]# journalctl -u smb
> > > > -- Logs begin at Sun 2018-12-02 12:30:19 UTC, end at Sun 2018-12-02
> > > > 12:33:06 UTC. --
> > > > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed to reset
> > > > devices.list: Operation not permitted
> > > > Dec 02 12:33:06 fedora29 systemd[1]: Starting Samba SMB Daemon...
> > > > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278094,  0]
> > > > ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> > > > Dec 02 12:33:06 fedora29 smbd[247]:   create_local_token failed:
> > > > NT_STATUS_ACCESS_DENIED
> > > > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278480,  0]
> > > > ../source3/smbd/server.c:2000(main)
> > > > Dec 02 12:33:06 fedora29 smbd[247]:   ERROR: failed to setup guest
> > > > info.
> > > This is not due to winbindd running or not. This is due to inability
> > > to set up guest and BUILTIN\Guests group information:
> > > 
> > > [2018/12/02 17:35:57.596884,  3] ../source3/groupdb/mapping.c:834(pdb_create_builtin_alias)
> > >   pdb_create_builtin_alias: Could not get a gid out of winbind
> > > [2018/12/02 17:35:57.596924,  5] ../source3/passdb/pdb_util.c:201(create_builtin_guests)
> > >   create_builtin_guests: Failed to create Guests
> > > [2018/12/02 17:35:57.596968,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> > >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > [2018/12/02 17:35:57.596988,  2] ../source3/auth/token_util.c:774(finalize_local_nt_token)
> > >   Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!  Can Winbind allocate gids?
> > > [2018/12/02 17:35:57.597026,  3] ../source3/auth/token_util.c:412(create_local_nt_token_from_info3)
> > >   Failed to finalize nt token
> > > [2018/12/02 17:35:57.597045,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> > >   create_local_token failed: NT_STATUS_ACCESS_DENIED
> > > [2018/12/02 17:35:57.597304,  0] ../source3/smbd/server.c:2000(main)
> > >   ERROR: failed to setup guest info.
> > > 
> > > We discussed this in the beginning of the thread already. Samba 4.9
> > > requires existence of BUILTIN\Guests mapping. If passdb backend is
> > > responsible for builtins, we'll attempt to create BUILTIN\Guests
> > > there. However, if there is no range set up, we cannot allocate the
> > > rid using this idmap domain.
> > > 
> > > A solution was also posted in this thread:
> > > 
> > > net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
> > > 
> > 
> > Excuse me, this would be on a Unix machine, wouldn't it ?
> > If so, why are you suggesting mapping a Windows group to a Unix user ?
> > Or, do you mean 'nogroup' instead of 'nobody' ?
> Whatever is meant to be 'nobody' group on your particular UNIX machine.
> Most Linux distributions use nobody:nobody combination.
> 
> $ getent group nobody
> nobody:x:99:
> $ getent passwd nobody
> nobody:x:99:99:Nobody:/:/sbin/nologin
... according to https://wiki.debian.org/SystemGroups, it is
nobody:nogroup combination on Debian-based systems.
-- 
/ Alexander Bokovoy
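
The workaround discussed in this message, as an added example that is not part of the original post: a shell sketch that checks for an existing BUILTIN\Guests mapping, picks whichever of `nobody` or `nogroup` exists on the host, and only then runs the `net groupmap add` command quoted above. The function names, the `GROUP_LOOKUP` override and the `--apply` switch are assumptions made for illustration, as is the assumption that `net groupmap list` prints each mapping's SID in parentheses.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on a standalone
# ("security = user") server where smbd fails with
# "ERROR: failed to setup guest info."

GUESTS_SID="S-1-5-32-546"   # BUILTIN\Guests, the SID used in the thread

# Print the first candidate group that exists on this host.
# Fedora-style systems have a "nobody" group, Debian-based ones "nogroup".
# GROUP_LOOKUP (hypothetical override) lets the lookup be swapped out.
pick_guest_group() {
    lookup=${GROUP_LOOKUP:-"getent group"}
    for g in nobody nogroup; do
        if $lookup "$g" >/dev/null 2>&1; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# Read a groupmap listing on stdin; succeed if the Guests SID is mapped.
# Assumed line shape: "Guests (S-1-5-32-546) -> nobody"
has_guests_mapping() {
    grep -F -q "($GUESTS_SID)"
}

# Add the mapping only when it is missing, so the script can be re-run.
ensure_guests_mapping() {
    if net groupmap list 2>/dev/null | has_guests_mapping; then
        printf '%s\n' 'BUILTIN\Guests is already mapped, nothing to do'
        return 0
    fi
    grp=$(pick_guest_group) || {
        echo "neither 'nobody' nor 'nogroup' exists; create one first" >&2
        return 1
    }
    net groupmap add sid="$GUESTS_SID" unixgroup="$grp" type=builtin
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    ensure_guests_mapping
fi
```

After a successful run, start smbd again and confirm that the "failed to setup guest info" error no longer appears in the journal.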


