[Samba] Problem with AD/Samba and too many AD groups
dwhitlow1 at wi.rr.com
Thu Aug 11 14:30:08 GMT 2005
I have a Redhat Enterprise Linux (v3.0) box running Samba 3.0.9-1.3E.3.
This box only has two Samba shares created on it, each of them with a
single "valid user" entry. The relevant smb.conf information is
included below.
The problem is that when user1 tries to connect to \\server\user1 and
authenticate via AD, the connection fails with an "unknown username or
bad password" error on their Windows box. On the Samba server, the
error in the logs relates to NT_STATUS_WRONG_PASSWORD. Here's the catch
though. When I remove that account from a couple of AD groups, the
connection succeeds. It appears there is some limit on the number of
groups that user1 can be a member of. wbinfo -G DOMAIN\\USER1 returns
~423 AD groups. When I get that number down under ~400, the connection
works fine. As an aside, user2 belongs to ~180 groups and has no
problems connecting.
Is there some limit within Samba that can be increased to allow for a
user to be a member of >400 AD groups? I don't want to remove the user
from the groups they are a member of if at all possible. Some are distribution
lists, others needed for security and so on.
NGROUPS_MAX is set to 32, but we are obviously way past that limit for
both accounts, so I don't know if that setting comes into play or not.
Any help on this would be greatly appreciated. Thanks in advance,
Don
# Global parameters
[global]
        workgroup = QG
        realm = QG.COM
        security = ADS
        log file = /var/log/samba/%m.log
        dns proxy = no
        ldap ssl = no
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        winbind cache time = 60
        winbind enum users = no
        winbind enum groups = no
        log level = 3

[user1]
        path = /user1
        valid users = DOMAIN\USER1
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[user2]
        path = /user2
        valid users = DOMAIN\USER2
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No
------ Log file output
[2005/08/11 09:27:14, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [domain]\[user1]@[machinename] with the new password interface
[2005/08/11 09:27:14, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [domain]\[user1]@[machinename]
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/08/11 09:27:14, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/08/11 09:27:14, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/08/11 09:27:17, 3] smbd/process.c:process_smb(1091)
  Transaction 5 of length 16626
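The check a practitioner would want after a report like this, as an added example (it is not code from the original post or from the Samba project): pull the users whose NTLM authentication failed with NT_STATUS_WRONG_PASSWORD out of the smbd log, count each one's supplementary groups, and compare that count against the kernel's NGROUPS_MAX, so the post's hypothesis (group count, not the password, is what trips the failure) can be tested per user rather than by trial removal from groups. It assumes the log carries the "Authentication for user [X] -> [Y] FAILED with error NT_STATUS_WRONG_PASSWORD" text on one line (as smbd writes it; the copy above was wrapped by the mail client), and that `id -G USER` or `wbinfo -r USER` prints one token per group. The sample log embedded in the script is constructed, modelled on the level-2 line above; the 423 gids are likewise generated to match the count the post reports for user1.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba. Correlates
# NT_STATUS_WRONG_PASSWORD failures in an smbd log with each failed user's
# supplementary group count versus the kernel's NGROUPS_MAX.
# Assumptions: the FAILED line is a single log line; `id -G USER` (space
# separated) or `wbinfo -r USER` (one gid per line) lists one token per group.

# failed_auth_users: read smbd log text on stdin; print each user whose
# authentication failed with NT_STATUS_WRONG_PASSWORD, once, sorted.
failed_auth_users() {
    grep 'FAILED with error NT_STATUS_WRONG_PASSWORD' |
        sed -n 's/.*Authentication for user \[\([^]]*\)\].*/\1/p' |
        sort -u
}

# count_groups: count whitespace- or newline-separated group ids on stdin.
count_groups() {
    wc -w | tr -d ' '
}

# check_user_groups USER LIMIT COUNT: report whether COUNT fits under LIMIT;
# returns 1 when it does not, so callers can branch on it.
check_user_groups() {
    user=$1; limit=$2; count=$3
    if [ "$count" -gt "$limit" ]; then
        printf '%s: %s groups, over NGROUPS_MAX=%s\n' "$user" "$count" "$limit"
        return 1
    fi
    printf '%s: %s groups, within NGROUPS_MAX=%s\n' "$user" "$count" "$limit"
    return 0
}

# audit_failed_users LOGFILE: live version for a Samba box. Resolves each
# failed user's groups with id -G (winbind must be in nsswitch for that) and
# takes the limit from getconf NGROUPS_MAX, falling back to the 32 the post
# reports when getconf is unavailable.
audit_failed_users() {
    limit=$(getconf NGROUPS_MAX 2>/dev/null || echo 32)
    failed_auth_users < "$1" | while read -r u; do
        n=$(id -G "$u" 2>/dev/null | count_groups)
        check_user_groups "$u" "$limit" "${n:-0}"
    done
}

# Constructed sample log: two failures for user1, one success for user2.
SAMPLE_LOG='[2005/08/11 09:27:14, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/08/11 09:28:01, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [user2] -> [user2] succeeded
[2005/08/11 09:29:40, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_WRONG_PASSWORD'

# 423 constructed gids, the membership count the post reports for user1.
sample_gids() {
    awk 'BEGIN { for (i = 1; i <= 423; i++) print 10000 + i }'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_auth_users
    check_user_groups user1 32 "$(sample_gids | count_groups)"
    check_user_groups user2 32 180
fi
```

Run it with `--demo` to see the constructed case, or call `audit_failed_users /var/log/samba/machine.log` on the server itself. Note that on the box in the post both users are far over a limit of 32, so if the audit reports every user as "over", the number the kernel enforces is not the one that separates user1 from user2, and the comparison should be repeated against whatever threshold the trial removals converge on (the post puts it near 400).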