[Samba] Share permission problem if user is member in more than 16 groups on AD
Marcis Lielturks
marcis.lielturks at gmail.com
Thu Jul 15 07:53:42 MDT 2010
Compiled 3.5.4 successfully, but new binaries seem to be defective or
missing something. I get errors about PKCS 11 library calls when trying
to join domain. I've seen these errors with "original" Samba 3.0.37 in
"log.winbindd" and "log.wb-DOMAIN", but besides that, 3.0.37 worked and
could join domain.
# ./net -U 'Administrator%password' ads join
[2010/07/15 16:17:48.692586, 0] libads/sasl.c:818(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Error in the PKCS 11 library calls
Failed to join domain: failed to connect to AD: Error in the PKCS 11 library calls
I'm using Sun's cc for compilation and gnu make (configure didn't
generate Makefile until gmake was installed).
1. I installed openldap stable 20100219 with
   1. ./configure --disable-slapd --prefix=/opt/samba
2. Installed Samba with
   1. export CFLAGS="-I/usr/include/kerberosv5 -I/usr/include/gssapi"
   2. export LDFLAGS="-lsasl -lgss"
   3. ./configure --prefix=/opt/samba --with-ads --with-krb5=/usr --with-aio-support --with-static modules=vfs_zfsacl,idmap_rid,idmap_hash --with-automount
Where to look next? Maybe I have compiled with wrong options? Should I
try using only gnu build tools? What about openldap compilation, I've
read somewhere that it may leave some important header files and/or
libraries and --enable-null option should be used, if I don't need
daemon. Should I try that?
I also attached "smbd -b" output differences between original 3.0.37 and
my 3.5.4 samba versions. I don't like the line which tells that new
version doesn't have "HAVE_KRB5_MIT" option.
Thanks!
MMM
On 07/15/10 12:28 AM, Jeremy Allison wrote:
> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
>
>> Thanks, machine won't provide NFS or ssh login services, so fiddling with max
>> groups should do no harm!
>>
>> I googled a bit and found that samba should be recompiled to take advantage
>> of new NGROUPS_MAX. "./configure" logs also suggested that NGROUPS_MAX is
>> evaluated only at compile time.
>>
> Yep. Recompilation should do the trick once the kernel understands
> large numbers of groups.
>
>
>> Can anybody share experience on compiling samba on OpenSolaris? What's the
>> most painless way? I'm considering using latest 3.5.5 but maybe I should
>> use same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
>> servers, which already replicate storage, so ID mapping must be consistent
>> between both Samba servers. Servers have to provide shares also to trusted
>> domains, but 3.0.37 doesn't have idmap_hash and seems that idmap_rid is not
>> supported to provide mappings for more than one domain, so anything newer
>> than 3.0.37 sounds like the right choice.
>>
> The only reason they use 3.0.x is they're still unable to cope
> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
> Linux has been shipping GPLv3 Samba for a while. But it's a big
> company, you can't expect one part to know what another part is
> up to :-).
>
> Jeremy.
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diff_smbd_minus_b_3.0.37.txt_smbd_minus_b_3.5.4_build3.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20100715/5c55e615/attachment.txt>