Samba package 4.9.x samba smbd not playing with winbind.

Rowland Penny rpenny at samba.org
Tue Sep 25 13:50:54 UTC 2018


On Tue, 25 Sep 2018 15:37:18 +0300
Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org>
wrote:

> On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > Hello Alexander.
> > 
> > Thank you for your reply also.. 
> > I had to push off Rowland first..   ;-) 
> > 
> > 
> > > There is a change 0b261dc4e3f2 in 4.9 that requires to have 
> > > BUILTIN\Guests group always
> > > to be mapped. We would map it automatically if our default 
> > > idmap backend
> > > is writable but if both group mapping and allocating IDs in a
> > > default backend failed, we fail hard.
> > 
> > Isn't it an option to add something like 
> > If "server role" = "standalone" then 
> > 	Deal with the COMPUTERNAME\Guests
> > 	And not BUILTIN\Guests 
> > 
> > I know the following. 
> > AD DC, has BUILTIN\
> > A domain joined member has BUILTIN\
> > 
> > Not domain joined server has COMPUTERNAME\
> > Not domain joined client (win7/win10) has COMPUTERNAME\
> > 
> > Samba Stand Alone (server/client) uses COMPUTERNAME ( at least
> > should )
> > 
> > But again I'm not a dev, I just hope this helps you guys fixing it. 
> > 
> > Do note, 
> > This is in my opinion a major problem, because of the risk that
> > smbd stops running. 
> The behavior with failing when idmap configuration is incorrect was
> first introduced in 4.6.0:
> 
> https://www.samba.org/samba/history/samba-4.6.0.html
> -----
> ID Mapping
> ----------
> We discovered that the majority of users have an invalid or incorrect
> ID mapping configuration. We implemented checks in the 'testparm'
> tool to validate the ID mapping configuration. You should run it and
> check if it prints any warnings or errors after upgrading! If it does
> you should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS'
> section in the smb.conf manpage. There are some ID mapping backends
> which are not allowed to be used for the default backend. Winbind
> will no longer start if an invalid backend is configured as the
> default backend.
> -----
> 
> With 4.8.0 we demand working winbindd for 'security = domain|ads'
> https://www.samba.org/samba/history/samba-4.8.0.html
> -----
> Domain member setups require winbindd
> -------------------------------------
> 
> Setups with "security = domain" or "security = ads" require a
> running 'winbindd' now. The fallback that smbd directly contacts
> domain controllers is gone.
> -----
> 
> With 4.9.0 we expanded guest handling to differentiate between
> anonymous and guest sessions. This required a proper handling of
> BUILTIN\Guests and thus it is now forced to be able to have either a
> writable backend or aliases configured properly.
> 
> Question is mostly what defaults we should have for BUILTIN\Guests.
> Perhaps, we should always do the groupmap rule I added...
> 

This is a BIG FAT SAMBA bug:

On a default install, if you install winbind, the default smb.conf
gives you a standalone server and when smbd is started it fails
immediately because winbind is started first and you get this in the
log:

[2018/09/25 13:58:11.911669,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/09/25 13:58:11.911702,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.

Stop winbind and restart smbd and it works okay:

[2018/09/25 14:37:38.834479,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections

Rowland
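
A log check for the startup failure quoted in the message above, as an added example that is not part of the original post or of Samba's own code: it parses smbd log entries (a header line followed by indented message lines) and flags the create_local_token / "failed to setup guest info" pair. The function names are assumptions, and the embedded sample is constructed from the log lines quoted above.

```python
import re

# Constructed sample: the smbd log excerpts quoted in the message above.
SAMPLE_LOG = """\
[2018/09/25 13:58:11.911669,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/09/25 13:58:11.911702,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
[2018/09/25 14:37:38.834479,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
"""

# Header line layout: [timestamp, debug level] source-file:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

def parse_entries(text):
    """Group each header line with the indented message lines under it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def guest_setup_failures(entries):
    """Return (timestamp, NT status) for each smbd abort at guest setup."""
    hits = []
    for prev, cur in zip(entries, entries[1:]):
        if (prev["func"] == "make_new_session_info_guest"
                and "create_local_token failed" in prev["msg"]
                and cur["func"] == "main"
                and "failed to setup guest info" in cur["msg"]):
            status = prev["msg"].rsplit(":", 1)[-1].strip()
            hits.append((cur["ts"], status))
    return hits

def started_ok(entries):
    """Timestamps at which smbd reported that it finished starting up."""
    return [e["ts"] for e in entries
            if e["func"] == "daemon_ready" and "ready to serve" in e["msg"]]

if __name__ == "__main__":
    print(guest_setup_failures(parse_entries(SAMPLE_LOG)))
```
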


