[Samba] Share permission problem if user is member in more than 16 groups on AD
Marcis Lielturks
marcis.lielturks at gmail.com
Fri Jul 16 03:29:22 MDT 2010
Hi!
First of all, thanks to all for the replies ;)!
Using GCC was a fail for me - too many errors and 2 additional things
must be compiled (tdb & talloc). I only managed to compile using Sun's
cc and gmake and will stick to them. I'm a bit further now. Now I don't
get PKCS 11 errors when trying to do "net ads join". I recompiled
openldap with slapd (but with null backend) and "-lpkcs11" in LDFLAGS (I
think this is what helped). However now I'm getting the following when
doing "net ads join":
[2010/07/16 12:16:54, 3] param/loadparm.c:9158(lp_load_ex)
lp_load_ex: refreshing parameters
[2010/07/16 12:16:54, 3] param/loadparm.c:4929(init_globals)
Initialising global parameters
[2010/07/16 12:16:54, 2] param/loadparm.c:4785(max_open_files)
rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
[2010/07/16 12:16:54.047848, 3] ../lib/util/params.c:550(pm_process)
params.c:pm_process() - Processing configuration file
"/opt/samba/lib/smb.conf"
[2010/07/16 12:16:54.047875, 3] param/loadparm.c:7842(do_section)
Processing section "[global]"
[2010/07/16 12:16:54.048365, 2] lib/interface.c:338(add_interface)
added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255
netmask=255.255.255.0
[2010/07/16 12:16:54.048517, 1] libnet/libnet_join.c:1947(libnet_Join)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'SAMBA-DEV'
domain_name : *
domain_name : 'mydomain.COM'
account_ou : NULL
admin_account : 'Administrator'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
[2010/07/16 12:17:00.052208, 2] libads/cldap.c:97(ads_cldap_netlogon)
cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
[2010/07/16 12:17:00.141661, 3]
libsmb/cliconnect.c:2201(cli_start_connection)
Connecting to host=BORED.mydomain.com
[2010/07/16 12:17:00.141828, 3] lib/util_sock.c:974(open_socket_out_send)
Connecting to 192.168.0.94 at port 445
[2010/07/16 12:17:00.143207, 3]
libsmb/cliconnect.c:991(cli_session_setup_spnego)
Doing spnego session setup (blob length=107)
[2010/07/16 12:17:00.143274, 3]
libsmb/cliconnect.c:1019(cli_session_setup_spnego)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2010/07/16 12:17:00.143302, 3]
libsmb/cliconnect.c:1029(cli_session_setup_spnego)
got principal=bored$@mydomain.COM
[2010/07/16 12:17:00.143856, 3]
libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
Got challenge flags:
[2010/07/16 12:17:00.143870, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
[2010/07/16 12:17:00.143883, 3]
libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2010/07/16 12:17:00.143894, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x60088215
[2010/07/16 12:17:00.143984, 3]
libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/16 12:17:00.143997, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x60088215
[2010/07/16 12:17:00.177128, 3] libsmb/cliconnect.c:1249(cli_session_setup)
SPNEGO login failed: Logon failure
[2010/07/16 12:17:00.177159, 1]
libsmb/cliconnect.c:2307(cli_full_connection)
failed session setup with NT_STATUS_LOGON_FAILURE
[2010/07/16 12:17:00.177271, 1] libnet/libnet_join.c:1978(libnet_Join)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for
domain 'mydomain.COM' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE
[2010/07/16 12:17:00.177442, 2] utils/net.c:916(main)
Interesting is that if I supply a wrong username the output doesn't
differ much. Below you can see the differences (I stripped the time to
be able to use diff).
--- pass_ok_stripped.txt 2010-07-16 12:19:11.869234402 +0300
+++ pass_wrong_stripped.txt 2010-07-16 12:19:22.318101275 +0300
@@ -19,7 +19,7 @@
domain_name : *
domain_name : 'mydomain.COM'
account_ou : NULL
- admin_account : 'Administrator'
+ admin_account : 'Adminisdgasgasdtor'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
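Review bot: the capture names pass_ok_stripped.txt / pass_wrong_stripped.txt suggest a password was varied, but the only changed line in this hunk is admin_account ('Administrator' vs 'Adminisdgasgasdtor'), so this diff compares a wrong username, not a wrong password; name the captures after what actually changed so the comparison is not misread.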
@@ -43,8 +43,6 @@
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
- libads/cldap.c:97(ads_cldap_netlogon)
- cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
libsmb/cliconnect.c:2201(cli_start_connection)
Connecting to host=BORED.ProServe.com
lib/util_sock.c:974(open_socket_out_send)
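Review bot: the only lines that differ in this hunk are the two removed cldap_netlogon NT_STATUS_IO_TIMEOUT entries, which is a timing difference rather than a credential one, and since nothing after this hunk differs, the NT_STATUS_LOGON_FAILURE path is identical for the valid and the invalid account name; that is the observation worth stating explicitly. Also, the context line `Connecting to host=BORED.ProServe.com` carries a domain name that is written as `mydomain.com` elsewhere in the log, so the redaction is inconsistent.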
Maybe I'm missing some rpc things? "smbd -b | tail -2" says:
Builtin modules:
pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam rpc_lsarpc rpc_winreg
rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl rpc_ntsvcs
rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog rpc_samr
idmap_ldap idmap_tdb idmap_passdb idmap_nss idmap_rid idmap_hash
nss_info_template auth_sam auth_unix auth_winbind auth_wbc auth_server
auth_domain auth_builtin auth_netlogond vfs_default vfs_solarisacl
vfs_zfsacl
MMM
On 07/15/10 04:32 PM, Gaiseric Vandal wrote:
> I compiled Samba 3.4.x on Solaris 10. (I have a Samba 3.4.x pdc
> with two Samba 3.0.x BDCs.) Samba 3.0.x DCs will not support
> Windows 7 clients (don't have any yet but it is probably inevitable)
> and doesn't seem to support trusts with Windows 2003 Native domains
> (at least it didn't for me.)
>
> If you follow the opensolaris forums it seems unlikely that there
> will be a compiled build of 3.4.x or 3.5.x of samba in Solaris 10 or
> OpenSolaris in the near future. I don't think it really is a
> licensing or even major technical issue. There seems to be more
> interest in the CIFS project as an alternative to Samba. Oracle/Sun
> sells a NAS server that runs on opensolaris and uses CIFS so I don't
> think they have much interest in Samba. I don't see Oracle/Sun paying
> anyone to work on Samba 3.4.x or 3.5.x integration when they have
> "better" solutions and more important priorities.
>
> To be specific, Samba doesn't require OpenLDAP but it does require
> LDAP with certain functionality. The Solaris-bundled Samba does use
> OpenLDAP. But if you are compiling it yourself OpenLDAP is the way
> to do it. Easiest to just get the openldap precompiled from
> blastwave or sunfreeware.com. And there is precompiled Samba
> available from Sunfreeware and Blastwave but it may lack the features
> you need, so you probably need to compile anyway.
>
> If you don't need AD support, then the Sun ldap client
> functionality should be sufficient.
>
> I didn't know about the NGROUPS_MAX option. I would have disabled it
> if I had known, since I am subject to the 16 group NFS v3 limit.
> (What I really need to do is switch to NFS v4 and use kerberos
> authentication for NFS clients.)
>
> The OpenSolaris developer build (from earlier this year, not the
> official release from last year) has updated GCC and other tools that
> may make compiling easier. Gcc from Sun (and even Sunfreeware) uses
> "/usr/ccs/bin/ld" as the linker. You may need to rename the file
> and symlink it to gld (gnu linker.) Samba compiling also requires
> that you set the CPPFLAGS and LDFLAGS as well.
>
> e.g.
>
> PATH=/usr/swf/bin:/usr/ccs/bin:$PATH
> PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
> LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY PATH
> LD_LIBRARY_PATH=/usr/local/samba- 3.4.5:$LD_LIBRARY_PATH
>
> export LD_LIBRARY_PATH
> export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include
> -I/usr/include"
> export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib
> -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"
>
> I posted questions/results to the list earlier this year about my
> experiences.
>
> On 07/14/2010 05:38 PM, Mārcis Lielturks wrote:
>>
>> On 15 July 2010 00:28, Jeremy Allison <jra at samba.org> wrote:
>>
>> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
>> > Thanks, machine won't provide NFS or ssh login services, so
>> > fiddling with max groups should do no harm!
>> >
>> > I googled a bit and found that samba should be recompiled to take
>> > advantage of new NGROUPS_MAX. "./configure" logs also suggested that
>> > NGROUPS_MAX is evaluated only at compile time.
>>
>> Yep. Recompilation should do the trick once the kernel understands
>> large numbers of groups.
>>
>> > Can anybody share experience on compiling samba on OpenSolaris?
>> > What's the most painless way? I'm considering using the latest 3.5.5
>> > but maybe I should use the same version Sun (Oracle) is using - 3.0.37?
>> > I have to set up Samba on 2 servers, which already replicate storage,
>> > so ID mapping must be consistent between both Samba servers. Servers
>> > have to provide shares also to trusted domains, but 3.0.37 doesn't
>> > have idmap_hash and it seems that idmap_rid is not supported to
>> > provide mappings for more than one domain, so anything newer than
>> > 3.0.37 sounds like the right choice.
>>
>> The only reason they use 3.0.x is they're still unable to cope
>> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
>> Linux has been shipping GPLv3 Samba for a while. But it's a big
>> company, you can't expect one part to know what another part is
>> up to :-).
>>
>> Yeah, I read about that, but still, I was thinking that as they ship
>> 3.0.37, it should also be easier to compile because the OS has all that's
>> necessary for 3.0.37. Newer Samba versions may have some dependencies
>> (new libs or newer versions of libs) that might be harder to satisfy.
>> I have never compiled samba so far and all I know at the moment (from
>> documentation) is that AD support requires krb5 and openldap
>> development libraries and files.
>>
>> Jeremy.
>>
>> --
>> ML
>