Samba package 4.9.x samba smbd not playing with winbind.

L.P.H. van Belle belle at bazuin.nl
Tue Sep 25 14:10:05 UTC 2018


@Rowland 
Now reboot your server.
And smbd isn't started anymore at boot.
Don't get fooled that it started before..


@Alexander 
Now a small comment on:
> With 4.9.0 we expanded guest handling to differentiate between anonymous and guest sessions. 
> This required a proper handling of BUILTIN\Guests and thus is now forces to be able 
> to have either writable backend or aliases configured properly.
> 
Yes, that is known. 

And sorry, but in my opinion this is not handled properly. 

A "stand alone" setup does not require BUILTIN\Guests, maybe COMPUTERNAME\Guests
S-1-5-32-546 != SID: S-1-5-21domain-514 
Guests			Domain Guests 

> Question is mostly what defaults we should have for BUILTIN\Guests.
> Perhaps, we should always do the groupmap rule I added...
> 

Well, I just follow you Samba Devs.
I'm just an IT guy and I can't program what you guys do..  Respect for that!

For now, I keep it simple and in sight for me in my smb.conf and I set the 2 : idmap * lines.
I can add that simply in the smb.conf of my Debian install, but it's not nice. :-/


Greetz, 

Louis



 

> -----Original message-----
> From: samba-technical
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba-technical
> Sent: Tuesday 25 September 2018 15:51
> To: samba-technical at lists.samba.org
> Subject: Re: Samba package 4.9.x samba smbd not playing
> with winbind.
> 
> On Tue, 25 Sep 2018 15:37:18 +0300
> Alexander Bokovoy via samba-technical 
> <samba-technical at lists.samba.org>
> wrote:
> 
> > On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > > Hello Alexander.
> > > 
> > > Thank you for your reply also.. 
> > > I had to push off Rowland first..   ;-) 
> > > 
> > > 
> > > > There is a change 0b261dc4e3f2 in 4.9 that requires to have 
> > > > BUILTIN\Guests group always
> > > > to be mapped. We would map it automatically if our default 
> > > > idmap backend
> > > > is writable but if both group mapping and allocating IDs in a
> > > > default backend failed, we fail hard.
> > > 
> > > Isn't it an option to add something like
> > > If "server role" = "standalone" then 
> > > 	Deal with the COMPUTERNAME\Guests
> > > 	And not BUILTIN\Guests 
> > > 
> > > I know the following. 
> > > AD DC, has BUILTIN\
> > > A domain joined member has BUILTIN\
> > > 
> > > Not domain joined server has COMPUTERNAME\
> > > Not domain joined client (win7/win10) has COMPUTERNAME\
> > > 
> > > Samba Stand Alone (server/client) uses COMPUTERNAME ( at least
> > > should )
> > > 
> > > But again I'm not a dev, I just hope this helps you guys fixing it.
> > > 
> > > Do note, 
> > > This is in my opinion a major problem, because of the risk that
> > > smbd stops running. 
> > The behavior with failing when idmap configuration is incorrect was
> > first introduced in 4.6.0:
> > 
> > https://www.samba.org/samba/history/samba-4.6.0.html
> > -----
> > ID Mapping
> > ----------
> > We discovered that the majority of users have an invalid or incorrect
> > ID mapping configuration. We implemented checks in the 'testparm'
> > tool to validate the ID mapping configuration. You should run it and
> > check if it prints any warnings or errors after upgrading! If it does
> > you should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS'
> > section in the smb.conf manpage. There are some ID mapping backends
> > which are not allowed to be used for the default backend. Winbind
> > will no longer start if an invalid backend is configured as the
> > default backend.
> > -----
> > 
> > With 4.8.0 we demand working winbindd for 'security = domain|ads'
> > https://www.samba.org/samba/history/samba-4.8.0.html
> > -----
> > Domain member setups require winbindd
> > -------------------------------------
> > 
> > Setups with "security = domain" or "security = ads" require a
> > running 'winbindd' now. The fallback that smbd directly contacts
> > domain controllers is gone.
> > -----
> > 
> > With 4.9.0 we expanded guest handling to differentiate between
> > anonymous and guest sessions. This required a proper handling of
> > BUILTIN\Guests and thus is now forces to be able to have either
> > writable backend or aliases configured properly.
> > 
> > Question is mostly what defaults we should have for BUILTIN\Guests.
> > Perhaps, we should always do the groupmap rule I added...
> > 
> 
> This is a BIG FAT SAMBA bug:
> 
> On a default install, if you install winbind, the default smb.conf
> gives you a standalone server and when smbd is started it fails
> immediately because winbind is started first and you get this in the
> log:
> 
> [2018/09/25 13:58:11.911669,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
>   create_local_token failed: NT_STATUS_ACCESS_DENIED
> [2018/09/25 13:58:11.911702,  0] ../source3/smbd/server.c:2000(main)
>   ERROR: failed to setup guest info.
> 
> Stop winbind and restart smbd and it works okay:
> 
> [2018/09/25 14:37:38.834479,  0] ../lib/util/become_daemon.c:138(daemon_ready)
>   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
> 
> Rowland
> 
> 
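
A way to spot the startup failure quoted in this thread in an smbd log, as an added example that is not part of the thread and not Samba code. The function names are made up for the example, and the sample log is constructed from the lines quoted above, each header on one line.

```python
import re

# Header of a Samba log record: "[timestamp,  level] file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+)\]\s+"
                    r"(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")

def parse_samba_log(text):
    """Attach each indented message line to the header record above it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "message": ""})
        elif records and raw.strip():
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + raw.strip()).strip()
    return records

def find_guest_setup_failures(records):
    """Return smbd startups that aborted while building the guest token."""
    hits, pending = [], None
    for rec in records:
        msg = rec["message"]
        if rec["func"] == "make_new_session_info_guest" and "create_local_token failed" in msg:
            pending = msg.split(":", 1)[1].strip()   # the NT_STATUS code
        elif rec["func"] == "main" and "failed to setup guest info" in msg:
            hits.append({"ts": rec["ts"], "status": pending})
            pending = None
        elif "finished starting up" in msg:
            pending = None                           # clean start: drop stale state
    return hits

# Constructed sample: the log lines quoted in the thread, one header per line.
SAMPLE_LOG = """\
[2018/09/25 13:58:11.911669,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/09/25 13:58:11.911702,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
[2018/09/25 14:37:38.834479,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
"""

if __name__ == "__main__":
    for hit in find_guest_setup_failures(parse_samba_log(SAMPLE_LOG)):
        print(hit["ts"], hit["status"])
```

Run against the log after a reboot, this reports the aborted start even when a later manual restart succeeded.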



