Samba package 4.9.x samba smbd not playing with winbind.
Rowland Penny
rpenny at samba.org
Tue Sep 25 13:50:54 UTC 2018
On Tue, 25 Sep 2018 15:37:18 +0300
Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org>
wrote:
> On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > Hello Alexander.
> >
> > Thank you for your reply also..
> > I had to push off Rowland first.. ;-)
> >
> >
> > > There is a change 0b261dc4e3f2 in 4.9 that requires to have
> > > BUILTIN\Guests group always
> > > to be mapped. We would map it automatically if our default
> > > idmap backend
> > > is writable but if both group mapping and allocating IDs in a
> > > default backend failed, we fail hard.
> >
> > Isn't it an option to add something like
> > If "server role" = "standalone" then
> > Deal with the COMPUTERNAME\Guests
> > And not BUILTIN\Guests
> >
> > I know the following.
> > AD DC, has BUILTIN\
> > A domain joined member has BUILTIN\
> >
> > Not domain joined server has COMPUTERNAME\
> > Not domain joined client (win7/win10) has COMPUTERNAME\
> >
> > Samba Stand Alone (server/client) uses COMPUTERNAME ( at least
> > should )
> >
> > But again I'm not a dev, I just hope this helps you guys fixing it.
> >
> > Do note,
> > This is in my opinion a major problem, because of the risk that
> > smbd stops running.
> The behavior with failing when idmap configuration is incorrect was
> first introduced in 4.6.0:
>
> https://www.samba.org/samba/history/samba-4.6.0.html
> -----
> ID Mapping
> ----------
> We discovered that the majority of users have an invalid or incorrect
> ID mapping configuration. We implemented checks in the 'testparm'
> tool to validate the ID mapping configuration. You should run it and
> check if it prints any warnings or errors after upgrading! If it does
> you should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS'
> section in the smb.conf manpage. There are some ID mapping backends
> which are not allowed to be used for the default backend. Winbind
> will no longer start if an invalid backend is configured as the
> default backend.
> -----
>
> With 4.8.0 we demand working winbindd for 'security = domain|ads'
> https://www.samba.org/samba/history/samba-4.8.0.html
> -----
> Domain member setups require winbindd
> -------------------------------------
>
> Setups with "security = domain" or "security = ads" require a
> running 'winbindd' now. The fallback that smbd directly contacts
> domain controllers is gone.
> -----
>
> With 4.9.0 we expanded guest handling to differentiate between
> anonymous and guest sessions. This required a proper handling of
> BUILTIN\Guests and thus it is now forced to be able to have either
> a writable backend or aliases configured properly.
>
> Question is mostly what defaults we should have for BUILTIN\Guests.
> Perhaps, we should always do the groupmap rule I added...
>
This is a BIG FAT SAMBA bug:
On a default install, if you install winbind, the default smb.conf
gives you a standalone server and when smbd is started it fails
immediately because winbind is started first and you get this in the
log:

[2018/09/25 13:58:11.911669, 0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/09/25 13:58:11.911702, 0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.

Stop winbind and restart smbd and it works okay:

[2018/09/25 14:37:38.834479, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections

Rowland
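
The following is an added example, not part of the message above and not Samba's own tooling: a small Python parser that pairs each Samba log header with its message line and flags the guest-setup startup failure shown in the log excerpts. The function names are hypothetical, and the sample input is the two excerpts from the message joined into one stream.

```python
import re

# Header of a Samba log record: "[date time.usec, level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(?P<level>\d+)\]\s+"
    r"(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)$"
)

# The two smbd log excerpts quoted in the message, joined into one stream.
SAMPLE = """\
[2018/09/25 13:58:11.911669, 0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/09/25 13:58:11.911702, 0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
[2018/09/25 14:37:38.834479, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
"""

def parse_records(text):
    """Pair every header line with the message lines that follow it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            records.append({**match.groupdict(), "message": ""})
        elif line and records:
            # Continuation line: append to the most recent record's message.
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records

def diagnose(text):
    """Return (status, timestamp, cause) tuples for smbd start attempts."""
    findings, previous = [], None
    for rec in parse_records(text):
        if "failed to setup guest info" in rec["message"]:
            cause = None
            # The guest token error is logged just before the fatal line.
            if previous and previous["func"] == "make_new_session_info_guest":
                cause = previous["message"]
            findings.append(("guest_setup_failed", rec["ts"], cause))
        elif rec["func"] == "daemon_ready" and "'smbd' finished starting up" in rec["message"]:
            findings.append(("ready", rec["ts"], None))
        previous = rec
    return findings

if __name__ == "__main__":
    for status, ts, cause in diagnose(SAMPLE):
        print(ts, status, cause or "")
```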