Samba package 4.9.x samba smbd not playing with winbind.
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 25 12:20:35 UTC 2018
Hello Alexander.
Thank you for your reply also..
I had to push off Rowland first.. ;-)
> There is a change 0b261dc4e3f2 in 4.9 that requires to have
> BUILTIN\Guests group always to be mapped. We would map it
> automatically if our default idmap backend is writable but if both
> group mapping and allocating IDs in a default backend failed, we
> fail hard.
Isn't it an option to add something like
If "server role" = "standalone" then
Deal with the COMPUTERNAME\Guests
And not BUILTIN\Guests
I know the following.
AD DC, has BUILTIN\
A domain joined member has BUILTIN\
Not domain joined server has COMPUTERNAME\
Not domain joined client (win7/win10) has COMPUTERNAME\
Samba Stand Alone (server/client) uses COMPUTERNAME ( at least should )
But again I'm not a dev, I just hope this helps you guys fixing it.
Do note,
This is in my opinion a major problem, because of the risk that smbd stops running.
Greetz,
Louis
> -----Original message-----
> From: Alexander Bokovoy [mailto:ab at samba.org]
> Sent: Tuesday 25 September 2018 12:02
> To: L.P.H. van Belle
> CC: samba-technical at lists.samba.org
> Subject: Re: Samba package 4.9.x samba smbd not playing with winbind.
>
> On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > hai,
> >
> > I'm wondering, I'm having a problem while installing samba + winbind on a stand-alone setup.
> > Everything is the default setting.
> >
> > I've reported it at debian.
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909465
> >
> > Could someone have a look at this and tell me if I'm missing something here before I'm going in circles..
> > To me this looks like a bug in samba itself and the detection of settings, in combination with detecting winbind itself.
> > Do note, I'm not a dev, just my thoughts here.
> There is a change 0b261dc4e3f2 in 4.9 that requires to have
> BUILTIN\Guests group always to be mapped. We would map it
> automatically if our default idmap backend is writable but if both
> group mapping and allocating IDs in a default backend failed, we
> fail hard.
>
> e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 736) /*
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 737)  * Deal with the BUILTIN\Guests group. If the SID can
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 738)  * be resolved then assume that the add_aliasmem( S-1-5-32 )
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 739)  * handled it.
> e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 740)  */
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 741) status = pdb_get_aliasinfo(&global_sid_Builtin_Guests, info);
> e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 742) if (!NT_STATUS_IS_OK(status)) {
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 743)
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 744)     become_root();
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 745)     status = create_builtin_guests(domain_sid);
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 746)     unbecome_root();
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 747)
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 748)     if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 749)         /*
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 750)          * Add BUILTIN\Guests directly to token.
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 751)          * But only if the token already indicates
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 752)          * real guest access by:
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 753)          * - local GUEST account
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 754)          * - local GUESTS group
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 755)          * - domain GUESTS group
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 756)          *
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 757)          * Even if a user was authenticated, it
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 758)          * can be member of a guest related group.
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 759)          */
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 760)         status = add_builtin_guests(result, domain_sid);
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 761)         if (!NT_STATUS_IS_OK(status)) {
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 762)             DEBUG(3, ("Failed to check for local "
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 763)                 "Guests membership (%s)\n",
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 764)                 nt_errstr(status)));
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 765)             /*
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 766)              * This is a hard error.
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 767)              */
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 768)             return status;
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 769)         }
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 770)     } else if (!NT_STATUS_IS_OK(status)) {
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 771)         DEBUG(2, ("Failed to create "
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 772)             "BUILTIN\\Guests group %s! Can "
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 773)             "Winbind allocate gids?\n",
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 774)             nt_errstr(status)));
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 775)         /*
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 776)          * This is a hard error.
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 777)          */
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 778)         return status;
> 0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 779)     }
> e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 780) }
>
> An easy way to fix it is by running the following command:
>
> net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
>
>
>
> --
> / Alexander Bokovoy
>
>
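An added example, not part of the original messages and not Samba code: a pre-upgrade check for the situation described in this thread. It tests whether S-1-5-32-546 is present in group-map output and counts the two hard-error messages from the quoted source in a log. The function names, the sample data and the `name (SID) -> unixgroup` line shape assumed for `net groupmap list` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check for the BUILTIN\Guests mapping discussed in this thread.
GUESTS_SID="S-1-5-32-546"   # SID used in the "net groupmap add" command above

# Reads group-map listing text on stdin; succeeds if the Guests SID is mapped.
# Assumed line shape: "<NT group> (<SID>) -> <unix group>".
guests_mapped() {
    grep -Fq "($GUESTS_SID) -> "
}

# Reads smbd log text on stdin; prints the number of lines that carry one of
# the two hard-error messages from the quoted source (lines 762-763, 771-773).
count_guest_failures() {
    grep -Ec 'Failed to create BUILTIN\\Guests group|Failed to check for local Guests membership' || true
}

# Constructed sample data (not captured from a real system).
sample_groupmap_missing() {
    cat <<'EOF'
Users (S-1-5-32-545) -> users
EOF
}
sample_groupmap_fixed() {
    cat <<'EOF'
Users (S-1-5-32-545) -> users
nobody (S-1-5-32-546) -> nobody
EOF
}
sample_log() {
    cat <<'EOF'
Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
smbd started.
Failed to check for local Guests membership (NT_STATUS_ACCESS_DENIED)
EOF
}

# Live check only when asked for; the samples above run offline.
if [ "${1:-}" = "--live" ]; then
    if net groupmap list | guests_mapped; then
        echo "BUILTIN\\Guests ($GUESTS_SID) is mapped"
    else
        echo "BUILTIN\\Guests ($GUESTS_SID) is NOT mapped; fix from the thread:"
        echo "  net groupmap add sid=$GUESTS_SID unixgroup=nobody type=builtin"
    fi
fi
```

Run with `--live` as root on the Samba host before moving to 4.9; without arguments the script only defines the functions and samples.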