Samba package 4.9.x samba smbd not playing with winbind.

L.P.H. van Belle belle at bazuin.nl
Tue Sep 25 12:20:35 UTC 2018


Hello Alexander.

Thank you for your reply also.. 
I had to push off Rowland first..   ;-) 


> There is a change 0b261dc4e3f2 in 4.9 that requires to have
> BUILTIN\Guests group always to be mapped. We would map it
> automatically if our default idmap backend is writable but if both
> group mapping and allocating IDs in a default backend failed, we
> fail hard.

Isn't it an option to add something like
If "server role" = "standalone" then 
	Deal with the COMPUTERNAME\Guests
	And not BUILTIN\Guests 

I know the following. 
AD DC, has BUILTIN\
A domain joined member has BUILTIN\

Not domain joined server has COMPUTERNAME\
Not domain joined client (win7/win10) has COMPUTERNAME\

Samba Stand Alone (server/client) uses COMPUTERNAME ( at least should )

But again I'm not a dev, I just hope this helps you guys fixing it.

Do note,
This is in my opinion a major problem, because of the risk that smbd stops running.


Greetz, 

Louis




> -----Original message-----
> From: Alexander Bokovoy [mailto:ab at samba.org]
> Sent: Tuesday 25 September 2018 12:02
> To: L.P.H. van Belle
> CC: samba-technical at lists.samba.org
> Subject: Re: Samba package 4.9.x samba smbd not playing with winbind.
>
> On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > Hi,
> >
> > I'm wondering, I'm having a problem while installing samba + winbind on a stand-alone setup.
> > Everything is the default setting.
> >
> > I've reported it at debian.
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909465
> >
> > Could someone have a look at this and tell me if I'm missing something here before I'm going in circles..
> > To me this looks like a bug in samba itself and the detection of settings, in combination with detecting winbind itself.
> > Do note, I'm not a dev, just my thoughts here.
> There is a change 0b261dc4e3f2 in 4.9 that requires to have
> BUILTIN\Guests group always to be mapped. We would map it
> automatically if our default idmap backend is writable but if both
> group mapping and allocating IDs in a default backend failed, we
> fail hard.
> 
> e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  736)         /*
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  737)          * Deal with the BUILTIN\Guests group.  If the SID can
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  738)          * be resolved then assume that the add_aliasmem( S-1-5-32 )
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  739)          * handled it.
> e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  740)          */
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  741)         status = pdb_get_aliasinfo(&global_sid_Builtin_Guests, info);
> e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  742)         if (!NT_STATUS_IS_OK(status)) {
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  743)
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  744)                 become_root();
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  745)                 status = create_builtin_guests(domain_sid);
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  746)                 unbecome_root();
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  747)
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  748)                 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  749)                         /*
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  750)                          * Add BUILTIN\Guests directly to token.
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  751)                          * But only if the token already indicates
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  752)                          * real guest access by:
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  753)                          * - local GUEST account
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  754)                          * - local GUESTS group
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  755)                          * - domain GUESTS group
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  756)                          *
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  757)                          * Even if a user was authenticated, it
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  758)                          * can be member of a guest related group.
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  759)                          */
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  760)                         status = add_builtin_guests(result, domain_sid);
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  761)                         if (!NT_STATUS_IS_OK(status)) {
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  762)                                 DEBUG(3, ("Failed to check for local "
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  763)                                           "Guests membership (%s)\n",
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  764)                                           nt_errstr(status)));
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  765)                                 /*
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  766)                                  * This is a hard error.
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  767)                                  */
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  768)                                 return status;
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  769)                         }
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  770)                 } else if (!NT_STATUS_IS_OK(status)) {
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  771)                         DEBUG(2, ("Failed to create "
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  772)                                   "BUILTIN\\Guests group %s!  Can "
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  773)                                   "Winbind allocate gids?\n",
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  774)                                   nt_errstr(status)));
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  775)                         /*
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  776)                          * This is a hard error.
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  777)                          */
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  778)                         return status;
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  779)                 }
> e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100  780)         }
> 
> An easy way to fix it is by running the following command:
> 
>    net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
> 
> 
> 
> -- 
> / Alexander Bokovoy
> 
> 
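
A pre-upgrade check for the mapping this thread is about, as an added example that is not part of the original messages or of Samba. It assumes `net groupmap list` prints one mapping per line as `NT group (SID) -> unixgroup`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether BUILTIN\Guests has a group mapping.
GUESTS_SID="S-1-5-32-546"   # BUILTIN\Guests, the SID used in the thread's fix

# Constructed sample output in the assumed `net groupmap list` format.
SAMPLE_MAPPED='Administrators (S-1-5-32-544) -> 3000000
Guests (S-1-5-32-546) -> nobody'
SAMPLE_UNMAPPED='Administrators (S-1-5-32-544) -> 3000000'

# Read groupmap lines on stdin; print the Unix group the SID maps to.
# Exit status 1 if the SID has no mapping. The closing parenthesis is part
# of the match, so S-1-5-32-5460 is not mistaken for S-1-5-32-546.
mapped_unix_group() {
    awk -v sid="($1)" '
        {
            i = index($0, sid " -> ")
            if (i > 0) {
                print substr($0, i + length(sid) + 4)
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Same input; prints a one-line verdict and returns 1 when unmapped.
check_guests_mapping() {
    if group=$(mapped_unix_group "$GUESTS_SID"); then
        printf '%s\n' "OK: BUILTIN\\Guests ($GUESTS_SID) -> $group"
    else
        printf '%s\n' "MISSING: BUILTIN\\Guests ($GUESTS_SID) has no group mapping"
        return 1
    fi
}

# Demonstration on the constructed samples.
# On a real server:  net groupmap list | check_guests_mapping
# If MISSING, the fix given in the thread is:
#   net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
printf '%s\n' "$SAMPLE_MAPPED"   | check_guests_mapping
printf '%s\n' "$SAMPLE_UNMAPPED" | check_guests_mapping || true
```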