Samba package 4.9.x samba smbd not playing with winbind.

Alexander Bokovoy ab at samba.org
Tue Sep 25 10:02:28 UTC 2018


On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> hai, 
>  
> I'm wondering, I'm having a problem while installing samba + winbind on a stand-alone setup.
> Everything is the default setting.
>  
> I've reported it at debian. 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909465 
>  
> Could someone have a look at this and tell me if I'm missing something here before I'm going in circles..
> To me this looks like a bug in samba itself and the detection of settings, in combination with detecting winbind itself.
> Do note, I'm not a dev, just my thoughts here.
There is a change, 0b261dc4e3f2, in 4.9 that requires the BUILTIN\Guests group
to always be mapped. We would map it automatically if our default idmap backend
is writable, but if both group mapping and allocating IDs in a default
backend fail, we fail hard.

e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  736)         /*
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  737)          * Deal with the BUILTIN\Guests group.  If the SID can
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  738)          * be resolved then assume that the add_aliasmem( S-1-5-32 )
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  739)          * handled it.
e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  740)          */
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  741)         status = pdb_get_aliasinfo(&global_sid_Builtin_Guests, info);
e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  742)         if (!NT_STATUS_IS_OK(status)) {
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  743) 
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  744)                 become_root();
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  745)                 status = create_builtin_guests(domain_sid);
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  746)                 unbecome_root();
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  747) 
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  748)                 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  749)                         /*
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  750)                          * Add BUILTIN\Guests directly to token.
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  751)                          * But only if the token already indicates
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  752)                          * real guest access by:
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  753)                          * - local GUEST account
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  754)                          * - local GUESTS group
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  755)                          * - domain GUESTS group
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  756)                          *
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  757)                          * Even if a user was authenticated, it
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  758)                          * can be member of a guest related group.
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  759)                          */
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  760)                         status = add_builtin_guests(result, domain_sid);
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  761)                         if (!NT_STATUS_IS_OK(status)) {
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  762)                                 DEBUG(3, ("Failed to check for local "
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  763)                                           "Guests membership (%s)\n",
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  764)                                           nt_errstr(status)));
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  765)                                 /*
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  766)                                  * This is a hard error.
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  767)                                  */
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  768)                                 return status;
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  769)                         }
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  770)                 } else if (!NT_STATUS_IS_OK(status)) {
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  771)                         DEBUG(2, ("Failed to create "
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  772)                                   "BUILTIN\\Guests group %s!  Can "
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  773)                                   "Winbind allocate gids?\n",
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  774)                                   nt_errstr(status)));
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  775)                         /*
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  776)                          * This is a hard error.
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  777)                          */
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  778)                         return status;
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  779)                 }
e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  780)         }

An easy way to fix it is by running the following command:

   net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin



-- 
/ Alexander Bokovoy
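
The check below is an added example, not part of the original message or of Samba's own code: it reads `net groupmap list` output and reports whether the BUILTIN\Guests SID (S-1-5-32-546) already has a group mapping, which is the condition the quoted code depends on. The function names and the sample listings are constructed for illustration, and the one-mapping-per-line `name (SID) -> unixgroup` layout is assumed.

```shell
#!/bin/sh
# Added example: detect whether BUILTIN\Guests has a group mapping.
GUESTS_SID="S-1-5-32-546"

# Reads `net groupmap list` output on stdin, one mapping per line:
#   NT group name (SID) -> unixgroup
# Prints the Unix group mapped to $GUESTS_SID; returns 1 if there is none.
guests_mapping() {
    awk -v sid="$GUESTS_SID" '
        {
            # Match "(SID) -> " literally so longer SIDs (e.g. ...-5460)
            # are not mistaken for BUILTIN\Guests.
            needle = "(" sid ") -> "
            pos = index($0, needle)
            if (pos > 0) {
                print substr($0, pos + length(needle))
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Turns the lookup into a one-line verdict for an upgrade pre-check.
report() {
    if group=$(guests_mapping); then
        echo "OK: $GUESTS_SID -> $group"
    else
        echo "MISSING: no group mapping for $GUESTS_SID"
        return 1
    fi
}

# Constructed sample listings (not taken from a real server).
SAMPLE_MAPPED='Administrators (S-1-5-32-544) -> adm
Guests (S-1-5-32-546) -> nobody'
SAMPLE_UNMAPPED='Administrators (S-1-5-32-544) -> adm
Users (S-1-5-32-545) -> users'

printf '%s\n' "$SAMPLE_MAPPED" | report || true
printf '%s\n' "$SAMPLE_UNMAPPED" | report || true

# On a real server, as root:  net groupmap list | report
```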