[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent
Toby Riddell
toby.riddell at gmail.com
Thu Apr 12 11:21:13 MDT 2012
Hi all,
I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
with a Windows Server 2008 domain controller. I should state early on
that I do not believe this is a manifestation of the Solaris 16 group
limit - the number of groups is well below 16.
Winbind seems to be working fine - I can use wbinfo -r to check the
groups that a user is a member of; it returns the list of Active
Directory groups that the userid belongs to:
# /opt/samba/bin/wbinfo -r triddel
5000
10501
10000
10586
20001
(You'll note that the above list differs from the lists below - this
is because some of the groups have no NIS domain defined in AD.)
What I see is smbd panicking when initialising groups for a user; it
seems to be trying (and failing) to set one of the groups to -1:
[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 10017
Primary group is 5000 and contains 11 supplementary groups
Group[ 0]: 5000
Group[ 1]: -1
Group[ 2]: 10501
Group[ 3]: 10000
Group[ 4]: 10586
Group[ 5]: 10590
Group[ 6]: 10505
Group[ 7]: 20002
Group[ 8]: 20003
Group[ 9]: 20004
Group[ 10]: 20001
The corresponding truss output looks like this:
6114: setgroups(11, 0x08933B50) Err#22 EINVAL
6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
6114: 20001
The group with gid -1 corresponds to a group defined in /etc/group,
the rest come from Active Directory.
Occasionally smbd works correctly, and I see this in the log:
[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 10017
Primary group is 5000 and contains 10 supplementary groups
Group[ 0]: 5000
Group[ 1]: 10501
Group[ 2]: 10000
Group[ 3]: 10586
Group[ 4]: 10590
Group[ 5]: 10505
Group[ 6]: 20002
Group[ 7]: 20003
Group[ 8]: 20004
Group[ 9]: 20001
This may not be relevant, but I also see the list of groups being shuffled:
[2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 10017
Primary group is 5000 and contains 11 supplementary groups
Group[ 0]: 5000
Group[ 1]: 10501
Group[ 2]: 10000
Group[ 3]: 10586
Group[ 4]: -1
Group[ 5]: 10590
Group[ 6]: 10505
Group[ 7]: 20002
Group[ 8]: 20003
Group[ 9]: 20004
Group[ 10]: 20001
The Samba config. looks like this:
[global]
disable spoolss = Yes
disable netbios = yes
show add printer wizard = No
security = ADS
log level = 10
realm = FOO.BAR.COM
password server = *
kerberos method = system keytab
workgroup = INTRA
client lanman auth = no
client ntlmv2 auth = yes
max protocol = SMB2
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind cache time = 15
idmap config * : range = 20000-30000
idmap config * : backend = tdb
idmap config INTRA : backend = ad
idmap config INTRA : range = 1000-20000
idmap config INTRA : schema_mode = rfc3207
[foo]
path = /live/home/triddel
read only = no
force create mode = 0600
force directory mode = 2700
browsable = no
Can anyone shed any light on this?
Thanks.
Toby
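
An added example, not part of the original post: a small Python parser for the debug_unix_user_token dumps quoted above that reports where a negative gid appears and whether the remaining gids agree from one dump to the next. The sample log is constructed (the post's dumps abridged to three real gids each), and the function names are this example's own.

```python
import re

# Line formats as they appear in the level-10 log quoted in the post.
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*\d+\]\s+auth/token_util\.c:\d+\(debug_unix_user_token\)")
USER = re.compile(r"UNIX token of user (\d+)")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")

# Constructed sample: the post's dumps abridged to three real gids each.
SAMPLE = """\
[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Group[  0]: 5000
  Group[  1]: 10501
  Group[  2]: 10000
[2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Group[  0]: 5000
  Group[  1]: 10501
  Group[  2]: -1
  Group[  3]: 10000
[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Group[  0]: 5000
  Group[  1]: -1
  Group[  2]: 10501
  Group[  3]: 10000
""".splitlines()

def parse_tokens(lines):
    """Return one dict per token dump: timestamp, uid, gids in logged order."""
    tokens, cur = [], None
    for line in lines:
        if (h := HEADER.match(line.strip())):
            cur = {"ts": h[1], "uid": None, "gids": []}
            tokens.append(cur)
        elif cur is not None and (u := USER.search(line)):
            cur["uid"] = int(u[1])
        elif cur is not None and (g := GROUP.search(line)):
            cur["gids"].append(int(g[1]))
    return tokens

def summarize(tokens, uid):
    """(timestamp, index) of every negative gid, and the distinct sets of valid gids."""
    mine = [t for t in tokens if t["uid"] == uid]
    bad = [(t["ts"], i) for t in mine for i, g in enumerate(t["gids"]) if g < 0]
    valid = {frozenset(g for g in t["gids"] if g >= 0) for t in mine}
    return bad, valid

if __name__ == "__main__":
    print(summarize(parse_tokens(SAMPLE), 10017))
```

A single set of valid gids across all dumps means the reordering leaves the real memberships unchanged, and only the one unresolved entry comes and goes.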