[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent

Toby Riddell toby.riddell at gmail.com
Thu Apr 12 11:21:13 MDT 2012


Hi all,

I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
with a Windows Server 2008 domain controller. I should state early on
that I do not believe this is a manifestation of the Solaris 16 group
limit - the number of groups is well below 16.

Winbind seems to be working fine - I can use wbinfo -r to check the
groups that a user is a member of, it returns the list of Active
Directory groups that the userid belongs to:

# /opt/samba/bin/wbinfo -r triddel
5000
10501
10000
10586
20001

(You'll note that the above list differs from the lists below - this
is because some of the groups have no NIS domain defined in AD.)

What I see is smbd panicking when initialising groups for a user, it
seems to be trying (and failing) to set one of the groups to  -1:

[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 11 supplementary groups
  Group[  0]: 5000
  Group[  1]: -1
  Group[  2]: 10501
  Group[  3]: 10000
  Group[  4]: 10586
  Group[  5]: 10590
  Group[  6]: 10505
  Group[  7]: 20002
  Group[  8]: 20003
  Group[  9]: 20004
  Group[ 10]: 20001

The corresponding truss output looks like this:

6114:   setgroups(11, 0x08933B50)                       Err#22 EINVAL
6114:             5000    -1 10501 10000 10586 10590 10505 20002 20003 20004
6114:            20001

The group with gid -1 corresponds to a group defined in /etc/group,
the rest come from Active Directory.

Occasionally smbd works correctly, and I see this in the log:

[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 10 supplementary groups
  Group[  0]: 5000
  Group[  1]: 10501
  Group[  2]: 10000
  Group[  3]: 10586
  Group[  4]: 10590
  Group[  5]: 10505
  Group[  6]: 20002
  Group[  7]: 20003
  Group[  8]: 20004
  Group[  9]: 20001

This may not be relevant, but I also see the list of groups being shuffled:

[2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 11 supplementary groups
  Group[  0]: 5000
  Group[  1]: 10501
  Group[  2]: 10000
  Group[  3]: 10586
  Group[  4]: -1
  Group[  5]: 10590
  Group[  6]: 10505
  Group[  7]: 20002
  Group[  8]: 20003
  Group[  9]: 20004
  Group[ 10]: 20001

The Samba config. looks like this:

[global]
disable spoolss = Yes
disable netbios = yes
show add printer wizard = No
security = ADS
log level = 10
realm = FOO.BAR.COM
password server = *
kerberos method = system keytab
workgroup = INTRA
client lanman auth = no
client ntlmv2 auth = yes
max protocol = SMB2

winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind cache time = 15

idmap config * : range = 20000-30000
idmap config * : backend = tdb
idmap config INTRA : backend = ad
idmap config INTRA : range = 1000-20000
idmap config INTRA : schema_mode = rfc3207

[foo]
path = /live/home/triddel
read only = no
force create mode = 0600
force directory mode = 2700
browsable = no

Can anyone shed any light on this?

Thanks.

Toby


More information about the samba mailing list