[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent

Bart Janssens biajanssens at gmail.com
Thu Apr 12 12:44:50 MDT 2012


 From the Solaris man page of

http://docs.oracle.com/cd/E19963-01/html/821-1463/getgroups-2.html

...

The setgroups() function will fail if:

EINVAL

    The value of /ngroups/ is greater than {NGROUPS_MAX}.

...

According to your truss setgroups returns EINVAL.

Solaris (10) no longer has the 16 group limitation.
Starting from Solaris 10 Update 10, or starting with the patch bundle
144500-07 <http://wesunsolve.net/patch/id/144500-07> (sparc) / 144501-07
<http://wesunsolve.net/patch/id/144501-07> (x86),
one can set ngroups_max up to 1024 in /etc/system (a reboot is required).
I recommend that you upgrade to Solaris 10 update 10.


HTH,

Bart

On 12/04/12 19:21, Toby Riddell wrote:
> Hi all,
>
> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
> with a Windows Server 2008 domain controller. I should state early on
> that I do not believe this is a manifestation of the Solaris 16 group
> limit - the number of groups is well below 16.
>
> Winbind seems to be working fine - I can use wbinfo -r to check the
> groups that a user is a member of, it returns the list of Active
> Directory groups that the userid belongs to:
>
> # /opt/samba/bin/wbinfo -r triddel
> 5000
> 10501
> 10000
> 10586
> 20001
>
> (You'll note that the above list differs from the lists below - this
> is because some of the groups have no NIS domain defined in AD.)
>
> What I see is smbd panicking when initialising groups for a user, it
> seems to be trying (and failing) to set one of the groups to  -1:
>
> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>    UNIX token of user 10017
>    Primary group is 5000 and contains 11 supplementary groups
>    Group[  0]: 5000
>    Group[  1]: -1
>    Group[  2]: 10501
>    Group[  3]: 10000
>    Group[  4]: 10586
>    Group[  5]: 10590
>    Group[  6]: 10505
>    Group[  7]: 20002
>    Group[  8]: 20003
>    Group[  9]: 20004
>    Group[ 10]: 20001
>
> The corresponding truss output looks like this:
>
> 6114:   setgroups(11, 0x08933B50)                       Err#22 EINVAL
> 6114:             5000    -1 10501 10000 10586 10590 10505 20002 20003 20004
> 6114:            20001
>
> The group with gid -1 corresponds to a group defined in /etc/group,
> the rest come from Active Directory.
>
> Occasionally smbd works correctly, and I see this in the log:
>
> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>    UNIX token of user 10017
>    Primary group is 5000 and contains 10 supplementary groups
>    Group[  0]: 5000
>    Group[  1]: 10501
>    Group[  2]: 10000
>    Group[  3]: 10586
>    Group[  4]: 10590
>    Group[  5]: 10505
>    Group[  6]: 20002
>    Group[  7]: 20003
>    Group[  8]: 20004
>    Group[  9]: 20001
>
> This may not be relevant, but I also see the list of groups being shuffled:
>
> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>    UNIX token of user 10017
>    Primary group is 5000 and contains 11 supplementary groups
>    Group[  0]: 5000
>    Group[  1]: 10501
>    Group[  2]: 10000
>    Group[  3]: 10586
>    Group[  4]: -1
>    Group[  5]: 10590
>    Group[  6]: 10505
>    Group[  7]: 20002
>    Group[  8]: 20003
>    Group[  9]: 20004
>    Group[ 10]: 20001
>
> The Samba config. looks like this:
>
> [global]
> disable spoolss = Yes
> disable netbios = yes
> show add printer wizard = No
> security = ADS
> log level = 10
> realm = FOO.BAR.COM
> password server = *
> kerberos method = system keytab
> workgroup = INTRA
> client lanman auth = no
> client ntlmv2 auth = yes
> max protocol = SMB2
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind cache time = 15
>
> idmap config * : range = 20000-30000
> idmap config * : backend = tdb
> idmap config INTRA : backend = ad
> idmap config INTRA : range = 1000-20000
> idmap config INTRA : schema_mode = rfc3207
>
> [foo]
> path = /live/home/triddel
> read only = no
> force create mode = 0600
> force directory mode = 2700
> browsable = no
>
> Can anyone shed any light on this?
>
> Thanks.
>
> Toby
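
Added example, not part of either message and not Samba code: a pre-flight check that tests a supplementary group list for the two conditions this thread points at, a count above the run-time group limit and an entry of -1, before the list is handed to setgroups(). The function names and the fallback of 16 are assumptions of this sketch; the sample list is copied from the failing log excerpt quoted above.

```c
/* Added example (not Samba code): validate a group list before setgroups(). */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
enum gid_check { GIDS_OK = 0, GIDS_TOO_MANY, GIDS_INVALID_ENTRY };
/* Run-time limit on supplementary groups (ngroups_max on Solaris). */
static long ngroups_limit(void)
{
    long n = sysconf(_SC_NGROUPS_MAX);
    return n > 0 ? n : 16;   /* assumption: fall back to the historical 16 */
}

/* Check the list; *bad receives the index of the first -1 entry, if any. */
static enum gid_check check_gid_list(const gid_t *gids, size_t n, long limit, size_t *bad)
{
    if (n > (size_t)limit)
        return GIDS_TOO_MANY;            /* the EINVAL case in the man page */
    for (size_t i = 0; i < n; i++) {
        if (gids[i] == (gid_t)-1) {      /* group with no usable gid, logged as -1 */
            if (bad) *bad = i;
            return GIDS_INVALID_ENTRY;
        }
    }
    return GIDS_OK;
}

/* Compact the list in place, dropping -1 entries; returns the new count. */
static size_t drop_invalid_gids(gid_t *gids, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        if (gids[i] != (gid_t)-1)
            gids[out++] = gids[i];
    return out;
}

int main(void)
{
    /* Group list copied from the failing log excerpt in the thread. */
    gid_t gids[] = { 5000, (gid_t)-1, 10501, 10000, 10586, 10590,
                     10505, 20002, 20003, 20004, 20001 };
    size_t n = sizeof gids / sizeof gids[0], bad = 0;
    long limit = ngroups_limit();
    if (check_gid_list(gids, n, limit, &bad) == GIDS_INVALID_ENTRY)
        printf("entry %zu is -1 and is not a usable gid\n", bad);
    n = drop_invalid_gids(gids, n);
    printf("%zu groups remain, limit is %ld\n", n, limit);
    return 0;
}
```

Whether to drop the -1 entry or refuse to build the token is a policy choice: dropping it lets the session proceed without that group's access, refusing fails closed.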
