Samba package 4.9.x samba smbd not playing with winbind.
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 25 14:10:05 UTC 2018
@Rowland
Now reboot your server.
And smbd isn't started anymore at boot.
Don't get fooled that it started before..
@Alexander
Now a small comment on:
> With 4.9.0 we expanded guest handling to differentiate between anonymous and guest sessions.
> This required a proper handling of BUILTIN\Guests and thus is now forces to be able
> to have either writable backend or aliases configured properly.
>
Yes, that is known.
And sorry, but in my opinion this is not handled properly.
A "stand alone" setup does not require BUILTIN\Guests, maybe COMPUTERNAME\Guests
S-1-5-32-546 (Guests) != SID: S-1-5-21domain-514 (Domain Guests)
> Question is mostly what defaults we should have for BUILTIN\Guests.
> Perhaps, we should always do the groupmap rule I added...
>
Well, I just follow you Samba devs.
I'm just an IT guy and I can't program what you guys do.. Respect for that!
For now, I keep it simple and in sight for me in my smb.conf and I set the 2 : idmap * lines.
I can add that simply in the smb.conf of my Debian install, but it's not nice. :-/
Greetz,
Louis
> -----Original message-----
> From: samba-technical
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba-technical
> Sent: Tuesday 25 September 2018 15:51
> To: samba-technical at lists.samba.org
> Subject: Re: Samba package 4.9.x samba smbd not playing
> with winbind.
>
> On Tue, 25 Sep 2018 15:37:18 +0300
> Alexander Bokovoy via samba-technical
> <samba-technical at lists.samba.org>
> wrote:
>
> > On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > > Hello Alexander.
> > >
> > > Thank you for your reply also..
> > > I had to push off Rowland first.. ;-)
> > >
> > >
> > > > There is a change 0b261dc4e3f2 in 4.9 that requires to have
> > > > BUILTIN\Guests group always
> > > > to be mapped. We would map it automatically if our default
> > > > idmap backend
> > > > is writable but if both group mapping and allocating IDs in a
> > > > default backend failed, we fail hard.
> > >
> > > Isn't it an option to add something like
> > > If "server role" = "standalone" then
> > > Deal with the COMPUTERNAME\Guests
> > > And not BUILTIN\Guests
> > >
> > > I know the following.
> > > AD DC, has BUILTIN\
> > > A domain joined member has BUILTIN\
> > >
> > > Not domain joined server has COMPUTERNAME\
> > > Not domain joined client (win7/win10) has COMPUTERNAME\
> > >
> > > Samba Stand Alone (server/client) uses COMPUTERNAME ( at least
> > > should )
> > >
> > > But again I'm not a dev, I just hope this helps you guys
> > > fixing it.
> > >
> > > Do note,
> > > This is in my opinion a major problem, because of the risk that
> > > smbd stops running.
> > The behavior with failing when idmap configuration is incorrect was
> > first introduced in 4.6.0:
> >
> > https://www.samba.org/samba/history/samba-4.6.0.html
> > -----
> > ID Mapping
> > ----------
> > We discovered that the majority of users have an invalid or incorrect
> > ID mapping configuration. We implemented checks in the 'testparm'
> > tool to validate the ID mapping configuration. You should run it and
> > check if it prints any warnings or errors after upgrading! If it does
> > you should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS'
> > section in the smb.conf manpage. There are some ID mapping backends
> > which are not allowed to be used for the default backend. Winbind
> > will no longer start if an invalid backend is configured as the
> > default backend.
> > -----
> >
> > With 4.8.0 we demand working winbindd for 'security = domain|ads'
> > https://www.samba.org/samba/history/samba-4.8.0.html
> > -----
> > Domain member setups require winbindd
> > -------------------------------------
> >
> > Setups with "security = domain" or "security = ads" require a
> > running 'winbindd' now. The fallback that smbd directly contacts
> > domain controllers is gone.
> > -----
> >
> > With 4.9.0 we expanded guest handling to differentiate between
> > anonymous and guest sessions. This required a proper handling of
> > BUILTIN\Guests and thus is now forces to be able to have either
> > writable backend or aliases configured properly.
> >
> > Question is mostly what defaults we should have for BUILTIN\Guests.
> > Perhaps, we should always do the groupmap rule I added...
> >
>
> This is a BIG FAT SAMBA bug:
>
> On a default install, if you install winbind, the default smb.conf
> gives you a standalone server and when smbd is started it fails
> immediately because winbind is started first and you get this in the
> log:
>
> [2018/09/25 13:58:11.911669, 0]
> ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> create_local_token failed: NT_STATUS_ACCESS_DENIED
> [2018/09/25 13:58:11.911702, 0] ../source3/smbd/server.c:2000(main)
> ERROR: failed to setup guest info.
>
> Stop winbind and restart smbd and it works okay:
>
> [2018/09/25 14:37:38.834479, 0]
> ../lib/util/become_daemon.c:138(daemon_ready)
> daemon_ready: STATUS=daemon 'smbd' finished starting up and
> ready to serve connections
>
> Rowland
>
>
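
Added example, not part of the original message and not Samba project code: a small Python check that the [global] section of an smb.conf carries the two default-domain idmap lines the reply above mentions, assumed here to be 'idmap config * : backend' and 'idmap config * : range'. The sample configurations, the 3000-7999 range and the function names are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from the thread).
DEFAULT_STANDALONE = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = bad user
"""
WITH_IDMAP = DEFAULT_STANDALONE + """\
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
"""

def parse_global(text):
    """Return the [global] parameters of smb.conf text as a dict.

    smb.conf parameter names ignore case and whitespace, so each name is
    normalized by lower-casing it and removing all whitespace.
    """
    params, section, pending = {}, "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def check_default_idmap(text):
    """List what is missing for the default ('*') idmap domain; [] means OK."""
    p = parse_global(text)
    problems = []
    if not p.get("idmapconfig*:backend"):
        problems.append("missing 'idmap config * : backend'")
    rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", p.get("idmapconfig*:range", ""))
    if not rng:
        problems.append("missing or malformed 'idmap config * : range'")
    elif int(rng.group(1)) >= int(rng.group(2)):
        problems.append("idmap range low bound is not below high bound")
    return problems
```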