[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent
Bart Janssens
biajanssens at gmail.com
Thu Apr 12 12:44:50 MDT 2012
From the Solaris man page of
http://docs.oracle.com/cd/E19963-01/html/821-1463/getgroups-2.html
...
The setgroups() function will fail if:
EINVAL
The value of /ngroups/ is greater than {NGROUPS_MAX}.
...
According to your truss setgroups returns EINVAL.
Solaris (10) no longer has the 16 group limitation
Starting from Solaris 10 Update 10 or starting with the patch bundle
144500-07 <http://wesunsolve.net/patch/id/144500-07> (sparc) / 144501-07
<http://wesunsolve.net/patch/id/144501-07> (x86)
one can set ngroups_max up to 1024 in /etc/system.(a reboot is required)
I recommend you to upgrade to Solaris 10 update 10.
HTH,
Bart
On 12/04/12 19:21, Toby Riddell wrote:
> Hi all,
>
> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
> with a Windows Server 2008 domain controller. I should state early on
> that I do not believe this is a manifestation of the Solaris 16 group
> limit - the number of groups is well below 16.
>
> Winbind seems to be working fine - I can use wbinfo -r to check the
> groups that a user is a member of, it returns the list of Active
> Directory groups that the userid belongs to:
>
> # /opt/samba/bin/wbinfo -r triddel
> 5000
> 10501
> 10000
> 10586
> 20001
>
> (You'll note that the above list differs from the lists below - this
> is because some of the groups have no NIS domain defined in AD.)
>
> What I see is smbd panicking when initialising groups for a user, it
> seems to be trying (and failing) to set one of the groups to -1:
>
> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 11 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: -1
> Group[ 2]: 10501
> Group[ 3]: 10000
> Group[ 4]: 10586
> Group[ 5]: 10590
> Group[ 6]: 10505
> Group[ 7]: 20002
> Group[ 8]: 20003
> Group[ 9]: 20004
> Group[ 10]: 20001
>
> The corresponding truss output looks like this:
>
> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
> 6114: 20001
>
> The group with gid -1 corresponds to a group defined in /etc/group,
> the rest come from Active Directory.
>
> Occasionally smbd works correctly, and I see this in the log:
>
> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 10 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: 10501
> Group[ 2]: 10000
> Group[ 3]: 10586
> Group[ 4]: 10590
> Group[ 5]: 10505
> Group[ 6]: 20002
> Group[ 7]: 20003
> Group[ 8]: 20004
> Group[ 9]: 20001
>
> This may not be relevant, but I also see the list of groups being shuffled:
>
> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 11 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: 10501
> Group[ 2]: 10000
> Group[ 3]: 10586
> Group[ 4]: -1
> Group[ 5]: 10590
> Group[ 6]: 10505
> Group[ 7]: 20002
> Group[ 8]: 20003
> Group[ 9]: 20004
> Group[ 10]: 20001
>
> The Samba config. looks like this:
>
> [global]
> disable spoolss = Yes
> disable netbios = yes
> show add printer wizard = No
> security = ADS
> log level = 10
> realm = FOO.BAR.COM
> password server = *
> kerberos method = system keytab
> workgroup = INTRA
> client lanman auth = no
> client ntlmv2 auth = yes
> max protocol = SMB2
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind cache time = 15
>
> idmap config * : range = 20000-30000
> idmap config * : backend = tdb
> idmap config INTRA : backend = ad
> idmap config INTRA : range = 1000-20000
> idmap config INTRA : schema_mode = rfc3207
>
> [foo]
> path = /live/home/triddel
> read only = no
> force create mode = 0600
> force directory mode = 2700
> browsable = no
>
> Can anyone shed any light on this?
>
> Thanks.
>
> Toby
More information about the samba
mailing list