Samba package 4.9.x samba smbd not playing with winbind.

L.P.H. van Belle belle at bazuin.nl
Tue Sep 25 15:14:44 UTC 2018 

Hai, 

Thank for the links to the other bug reports, i've check them and this is all the same ( almost then ) 
But almost all of these are related to this. 

> > S-1-5-32-546 != SID: S-1-5-21domain-514 
> > Guests			Domain Guests 
> All is needed is BUILTIN\Guests, not Domain Guests.
> 
> See e8dc55d2b969 and https://bugzilla.samba.org/show_bug.cgi?id=13328


Sorry potato tomato imo. 
Bugreport says :   Windows 10 cannot logon on Samba NT4 domain  
I want         :   Windows 10 cannot connect to Samba Stand-Alone server. 
Thats why i pointed at :  S-1-5-32-546 != SID: S-1-5-21domain-514 

>> Guests                        Domain Guests
> All is needed is BUILTIN\Guests, not Domain Guests.
>
> See e8dc55d2b969 and https://bugzilla.samba.org/show_bug.cgi?id=13328

But that's not the point. (@Richard.)

> Yes. The BUILTIN groups should be implemented by all SMB servers these days.
If you say 'should be implemented by all SMB servers' , then im asking, what kind of "servers" standalone, member or ADDC. 
Because these are 3 diffent servers with diffent outcomes. 

If you look at your windows pc that is NOT domain joined, what you need to login ( remotely )
COMPUTERNAME\user or .\user ( where . = the computername ) 
Which is the same in, a Windows 2016 AD server, does function other way then a Windows 10 NOT DOMAIN JOIN pc does.

In my opionion, MS is not clear on the BUILTIN\ groups. At least not what i quick could find. 
At one point these are "local" group at other moment these are "Aliasses" 


> > For now, i keep it simple an in sight for me in my smb.conf 
> and i set the 2 : idmap *  lines. 
> > I can add that simple in the smb.conf of my debian install, 
> but its not nice. :-/ 
> An issue I see is that, unlike 'net groupmap add ..' variant, 
> we cannot
> really default to a working default idmap configuration 
> without knowning  in advance what ID range to use there.

Your here totaly right.  Only the distro packagers and set "some" of defaults. 

But THANK YOU ALL for having a look. 
At least i know this problem is/was not me. :-) 

I'll step to the side and let you guy think about the fix. 


Best regards everybody. 

Louis





> -----Oorspronkelijk bericht-----
> Van: Alexander Bokovoy [mailto:ab at samba.org] 
> Verzonden: dinsdag 25 september 2018 16:20
> Aan: L.P.H. van Belle
> CC: samba-technical at lists.samba.org
> Onderwerp: Re: Samba package 4.9.x samba smbd not playing 
> with winbind.
> 
> On ti, 25 syys 2018, L.P.H. van Belle via samba-technical wrote:
> > @Rowland 
> > Now reboot your server. 
> > And smbd isnt started anymore at boot. 
> > Dont get fooled that it started before..  
> > 
> > 
> > @Alexander 
> > Now small comment on :  
> > > With 4.9.0 we expanded guest handling to differentiate 
> between anonymous and guest sessions. 
> > > This required a proper handling of BUILTIN\Guests and 
> thus is now forces to be able 
> > > to have either writable backend or aliases configured properly.
> > > 
> > Yes, that is known. 
> > 
> > And sorry, but in my opinion this is not handled properly. 
> > 
> > A "stand alone" setup does not require BUILTIN\Guests maybe 
> COMPUTERNAME\Guests
> > S-1-5-32-546 != SID: S-1-5-21domain-514 
> > Guests			Domain Guests 
> All is needed is BUILTIN\Guests, not Domain Guests.
> 
> See e8dc55d2b969 and https://bugzilla.samba.org/show_bug.cgi?id=13328
> 
> > > Question is mostly what defaults we should have for 
> BUILTIN\Guests.
> > > Perhaps, we should always do the groupmap rule I added...
> > > 
> > 
> > Well, i just follow you Samba Devs. 
> This is was a question 'into an air' to trigger Metze's answer. ;)
> 
> > Im just an it guy and i can't programm what your guys do..  
> Respect for that! 
> > 
> > For now, i keep it simple an in sight for me in my smb.conf 
> and i set the 2 : idmap *  lines. 
> > I can add that simple in the smb.conf of my debian install, 
> but its not nice. :-/ 
> An issue I see is that, unlike 'net groupmap add ..' variant, 
> we cannot
> really default to a working default idmap configuration 
> without knowning
> in advance what ID range to use there.
> 
> -- 
> / Alexander Bokovoy
> 
>

More information about the samba-technical mailing list