[Samba] Share permission problem if user is member in more than 16 groups on AD

Marcis Lielturks marcis.lielturks at gmail.com
Thu Jul 15 07:53:42 MDT 2010

Compiled 3.5.4 successfully, but new binaries seem to be defective or 
missing something. I get errors about PKCS 11 library calls when trying 
to join domain. I've seen these errors with "original" Samba 3.0.37 in 
"log.winbindd" and "log.wb-DOMAIN", but besides that, 3.0.37 worked and 
could join domain.

# ./net -U 'Administrator%password' ads join
[2010/07/15 16:17:48.692586,  0] libads/sasl.c:818(ads_sasl_spnego_bind)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Error in the 
PKCS 11 library calls
Failed to join domain: failed to connect to AD: Error in the PKCS 11 
library calls

I'm using Sun's cc for compilation and GNU make (configure didn't 
generate a Makefile until gmake was installed).

   1. I installed openldap stable 20100219 with
         1. ./configure --disable-slapd --prefix=/opt/samba
   2. Installed Samba with
         1. export CFLAGS="-I/usr/include/kerberosv5 -I/usr/include/gssapi"
         2. export LDFLAGS="-lsasl -lgss"
         3. ./configure --prefix=/opt/samba --with-ads --with-krb5=/usr
            --with-aio-support --with-static
            modules=vfs_zfsacl,idmap_rid,idmap_hash --with-automount

Where to look next? Maybe I have compiled with wrong options? Should I 
try using only gnu build tools? What about openldap compilation, I've 
read somewhere that it may leave some important header files and/or 
libraries and --enable-null option should be used, if I don't need 
daemon. Should I try that?

I also attached "smbd -b" output differences between original 3.0.37 and 
my 3.5.4 samba versions. I don't like the line which tells that new 
version doesn't have "HAVE_KRB5_MIT" option.



On 07/15/10 12:28 AM, Jeremy Allison wrote:
> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
>> Thanks, machine won't provide NFS or ssh login services, so fiddling with max
>> groups should do no harm!
>> I googled a bit and found that samba should be recompiled to take advantage
>> of new NGROUPS_MAX. "./configure" logs also suggested that NGROUPS_MAX is
>> evaluated only at compile time.
> Yep. Recompilation should do the trick once the kernel understands
> large numbers of groups.
>> Can anybody share experience on compiling samba on OpenSolaris? What's the
>> most painless way? I'm considering to use latest 3.5.5 but maybe I should
>> use same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
>> servers, which already replicate storage, so ID mapping must be consistent
>> between both Samba servers. Servers have to provide shares also to trusted
>> domains, but 3.0.37 doesn't have idmap_hash and seems that idmap_rid is not
>> supported to provide mappings for more than one domain, so anything newer
>> than 3.0.37 sounds like the right choice.
> The only reason they use 3.0.x is they're still unable to cope
> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
> Linux has been shipping GPLv3 Samba for a while. But it's a big
> company, you can't expect one part to know what another part is
> up to :-).
> Jeremy.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diff_smbd_minus_b_3.0.37.txt_smbd_minus_b_3.5.4_build3.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20100715/5c55e615/attachment.txt>
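
The compile-time group limit discussed in the quoted exchange above, as an added example (not part of the original post and not Samba's code): it shows how a buffer sized from a build-time NGROUPS_MAX drops a user's later groups, so a share ACL check on one of those groups fails, and how to tell whether the binary or the kernel limit is the one to raise. The enum, the helper names, the gid values and the fixed-size-buffer model are assumptions made for illustration.

```c
/* Added illustration, not Samba source. Models a daemon whose
 * supplementary-group buffer is sized by a limit fixed at build time. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum verdict { GROUPS_FIT, NEED_RECOMPILE, NEED_KERNEL_LIMIT_RAISED };

/* Which limit is the first to cut off a user who is in n_groups groups?
 * kernel_max < 0 means sysconf() could not report a limit. */
enum verdict diagnose(size_t n_groups, long compiled_max, long kernel_max)
{
    if (kernel_max >= 0 && n_groups > (size_t)kernel_max)
        return NEED_KERNEL_LIMIT_RAISED;  /* recompiling alone cannot help */
    if (n_groups > (size_t)compiled_max)
        return NEED_RECOMPILE;            /* kernel copes, binary does not */
    return GROUPS_FIT;
}

/* Copy at most cap gids, as a fixed-size buffer would; return how many fit. */
size_t copy_groups(const gid_t *src, size_t n, gid_t *dst, size_t cap)
{
    size_t kept = n < cap ? n : cap;
    for (size_t i = 0; i < kept; i++)
        dst[i] = src[i];
    return kept;
}

/* Membership test of the kind an allow-list share ACL check relies on. */
int in_groups(const gid_t *list, size_t n, gid_t wanted)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == wanted)
            return 1;
    return 0;
}

int main(void)
{
#ifdef NGROUPS_MAX
    printf("NGROUPS_MAX at build time: %ld\n", (long)NGROUPS_MAX);
#endif
    printf("sysconf(_SC_NGROUPS_MAX) now: %ld\n", sysconf(_SC_NGROUPS_MAX));
    return 0;
}
```

Running the program on the build host and on the server shows whether the two limits differ; a binary built before the kernel limit was raised keeps the old value until it is rebuilt.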