Samba package 4.9.x samba smbd not playing with winbind.

Rowland Penny rpenny at samba.org
Sun Dec 2 18:40:32 UTC 2018


On Sun, 2 Dec 2018 20:25:00 +0200
Alexander Bokovoy <ab at samba.org> wrote:

> On su, 02 joulu 2018, Rowland Penny via samba-technical wrote:
> > On Sun, 2 Dec 2018 19:47:48 +0200
> > Alexander Bokovoy via samba-technical
> > <samba-technical at lists.samba.org> wrote:
> > 
> > > On su, 02 joulu 2018, Andreas Hasenack via samba-technical wrote:
> > > > > I have no winbindd at all on the system:
> > > > >
> > > > > [root at fserver ~]# rpm -qa|grep winbind
> > > > > <empty output>
> > > > 
> > > > Thanks for replying.
> > > > 
> > > > I think there has been a misunderstanding in this whole thread.
> > > > Let me restate the issue.
> > > > 
> > > > In 4.9.x (at least .2 and .3), when winbind is running, smbd
> > > > will fail to start in standalone mode ("security = user").
> > > > 
> > > > I think when people read that, and saw "winbind is running",
> > > > they assumed domain security. This is not the case. It just so
> > > > happens that winbind was installed and running.
> > > > 
> > > > And it fails in fedora29 too, I just tried:
> > > > 
> > > > andreas at nsnx:~$ lxc launch images:fedora/29 fedora29
> > > > Creating fedora29
> > > > Starting fedora29
> > > > andreas at nsnx:~$ lxc exec fedora29 bash
> > > > [root at fedora29 ~]# dnf update -y && dnf install -y samba-winbind samba-client samba
> > > > ...
> > > > [root at fedora29 ~]# service winbind start
> > > > Redirecting to /bin/systemctl start winbind.service
> > > > 
> > > > [root at fedora29 ~]# systemctl start smb
> > > > Job for smb.service failed because the control process exited with error code.
> > > > See "systemctl status smb.service" and "journalctl -xe" for details.
> > > > [root at fedora29 ~]# journalctl -u smb
> > > > -- Logs begin at Sun 2018-12-02 12:30:19 UTC, end at Sun 2018-12-02 12:33:06 UTC. --
> > > > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed to reset devices.list: Operation not permitted
> > > > Dec 02 12:33:06 fedora29 systemd[1]: Starting Samba SMB Daemon...
> > > > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278094,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> > > > Dec 02 12:33:06 fedora29 smbd[247]:   create_local_token failed: NT_STATUS_ACCESS_DENIED
> > > > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278480,  0] ../source3/smbd/server.c:2000(main)
> > > > Dec 02 12:33:06 fedora29 smbd[247]:   ERROR: failed to setup guest info.
> > > This is not due to winbindd running or not. This is due to
> > > inability to set up guest and BUILTIN\Guests group information:
> > > 
> > > [2018/12/02 17:35:57.596884,  3] ../source3/groupdb/mapping.c:834(pdb_create_builtin_alias)
> > >   pdb_create_builtin_alias: Could not get a gid out of winbind
> > > [2018/12/02 17:35:57.596924,  5] ../source3/passdb/pdb_util.c:201(create_builtin_guests)
> > >   create_builtin_guests: Failed to create Guests
> > > [2018/12/02 17:35:57.596968,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> > >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > [2018/12/02 17:35:57.596988,  2] ../source3/auth/token_util.c:774(finalize_local_nt_token)
> > >   Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
> > > [2018/12/02 17:35:57.597026,  3] ../source3/auth/token_util.c:412(create_local_nt_token_from_info3)
> > >   Failed to finalize nt token
> > > [2018/12/02 17:35:57.597045,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> > >   create_local_token failed: NT_STATUS_ACCESS_DENIED
> > > [2018/12/02 17:35:57.597304,  0] ../source3/smbd/server.c:2000(main)
> > >   ERROR: failed to setup guest info.
> > > 
> > > We discussed this in the beginning of the thread already. Samba
> > > 4.9 requires existence of BUILTIN\Guests mapping. If passdb
> > > backend is responsible for builtins, we'll attempt to create
> > > BUILTIN\Guests there. However, if there is no range set up, we
> > > cannot allocate the rid using this idmap domain.
> > > 
> > > A solution was also posted in this thread:
> > > 
> > > net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
> > > 
> > 
> > Excuse me, this would be on a Unix machine, wouldn't it ?
> > > If so, why are you suggesting mapping a Windows group to a Unix user ?
> > Or, do you mean 'nogroup' instead of 'nobody' ?
> Whatever is meant to be 'nobody' group on your particular UNIX
> machine. Most Linux distributions use nobody:nobody combination.

Only in the red-hat world:

root at dc4:~/debs# getent group nobody
root at dc4:~/debs# getent group nogroup
nogroup:x:65534:
root at dc4:~/debs# getent passwd nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

> 
> $ getent group nobody
> nobody:x:99:
> $ getent passwd nobody
> nobody:x:99:99:Nobody:/:/sbin/nologin
> 

So that's one stupid thing for Debian (using 65534 for the ID) and one
stupid thing for red-hat (using a username for a group). I call that a
tie ;-)

Rowland
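
Added example, not part of the original message or of Samba: a shell sketch that picks the unixgroup= value for the groupmap command quoted above by looking up the primary group of the 'nobody' user, so the same step yields 'nogroup' on the Debian host and 'nobody' on the Red Hat style host shown in this thread. The function names are hypothetical, the sample passwd/group lines are the getent output from this thread, and treating nobody's primary group as the right target is an assumption.

```shell
#!/bin/sh
# Added example: choose the Unix group to map BUILTIN\Guests (S-1-5-32-546) to.
# Assumption: the right target is the primary group of the 'nobody' user.

# primary_gid_of USER: passwd(5)-format lines on stdin -> USER's primary gid.
primary_gid_of() {
    awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# group_name_of GID: group(5)-format lines on stdin -> name of the group with GID.
group_name_of() {
    awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# guest_group PASSWD_DATA GROUP_DATA [USER]
# Prints the group name; returns 1 if the user or its primary group is missing.
guest_group() {
    gid=$(printf '%s\n' "$1" | primary_gid_of "${3:-nobody}")
    [ -n "$gid" ] || return 1
    name=$(printf '%s\n' "$2" | group_name_of "$gid")
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# groupmap_cmd PASSWD_DATA GROUP_DATA [USER]
# Prints (does not run) the groupmap command from the thread with the
# distribution-specific group name filled in.
groupmap_cmd() {
    grp=$(guest_group "$@") || return 1
    printf 'net groupmap add sid=S-1-5-32-546 unixgroup=%s type=builtin\n' "$grp"
}

# Sample data: the getent output quoted in this thread.
DEBIAN_PASSWD='nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
DEBIAN_GROUP='nogroup:x:65534:'
REDHAT_PASSWD='nobody:x:99:99:Nobody:/:/sbin/nologin'
REDHAT_GROUP='nobody:x:99:'

groupmap_cmd "$DEBIAN_PASSWD" "$DEBIAN_GROUP"
groupmap_cmd "$REDHAT_PASSWD" "$REDHAT_GROUP"

# On a live host, feed it the real databases instead:
#   groupmap_cmd "$(getent passwd nobody)" "$(getent group)"
```

The script only prints the command; review the chosen group before running it as root.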
