[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent

Toby Riddell toby.riddell at gmail.com
Thu Apr 12 19:44:21 MDT 2012


Bart,

Thanks for the reply.

However I don't think I'm hitting NGROUPS_MAX. As can be seen in the
snippet of truss output, ngroups is 11.

However, it looks like it might be time for an upgrade just to see if
it fixes the problem.

Regards,

Toby

On 12 April 2012 19:44, Bart Janssens <biajanssens at gmail.com> wrote:
> From the Solaris man page of
>
> http://docs.oracle.com/cd/E19963-01/html/821-1463/getgroups-2.html
>
> ...
>
> The setgroups() function will fail if:
>
> EINVAL
>
>   The value of /ngroups/ is greater than {NGROUPS_MAX}.
>
> ...
>
> According to your truss setgroups returns EINVAL.
>
> Solaris (10) no longer has the 16 group limitation.
> Starting from Solaris 10 Update 10, or starting with the patch bundle
> 144500-07 <http://wesunsolve.net/patch/id/144500-07> (sparc) / 144501-07
> <http://wesunsolve.net/patch/id/144501-07> (x86),
> one can set ngroups_max up to 1024 in /etc/system (a reboot is required).
> I recommend that you upgrade to Solaris 10 update 10.
>
>
> HTH,
>
> Bart
>
> On 12/04/12 19:21, Toby Riddell wrote:
>>
>> Hi all,
>>
>> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
>> with a Windows Server 2008 domain controller. I should state early on
>> that I do not believe this is a manifestation of the Solaris 16 group
>> limit - the number of groups is well below 16.
>>
>> Winbind seems to be working fine - I can use wbinfo -r to check the
>> groups that a user is a member of, it returns the list of Active
>> Directory groups that the userid belongs to:
>>
>> # /opt/samba/bin/wbinfo -r triddel
>> 5000
>> 10501
>> 10000
>> 10586
>> 20001
>>
>> (You'll note that the above list differs from the lists below - this
>> is because some of the groups have no NIS domain defined in AD.)
>>
>> What I see is smbd panicking when initialising groups for a user, it
>> seems to be trying (and failing) to set one of the groups to  -1:
>>
>> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 11 supplementary groups
>>   Group[  0]: 5000
>>   Group[  1]: -1
>>   Group[  2]: 10501
>>   Group[  3]: 10000
>>   Group[  4]: 10586
>>   Group[  5]: 10590
>>   Group[  6]: 10505
>>   Group[  7]: 20002
>>   Group[  8]: 20003
>>   Group[  9]: 20004
>>   Group[ 10]: 20001
>>
>> The corresponding truss output looks like this:
>>
>> 6114:   setgroups(11, 0x08933B50)                       Err#22 EINVAL
>> 6114:             5000    -1 10501 10000 10586 10590 10505 20002 20003 20004
>> 6114:            20001
>>
>> The group with gid -1 corresponds to a group defined in /etc/group,
>> the rest come from Active Directory.
>>
>> Occasionally smbd works correctly, and I see this in the log:
>>
>> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 10 supplementary groups
>>   Group[  0]: 5000
>>   Group[  1]: 10501
>>   Group[  2]: 10000
>>   Group[  3]: 10586
>>   Group[  4]: 10590
>>   Group[  5]: 10505
>>   Group[  6]: 20002
>>   Group[  7]: 20003
>>   Group[  8]: 20004
>>   Group[  9]: 20001
>>
>> This may not be relevant, but I also see the list of groups being
>> shuffled:
>>
>> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 11 supplementary groups
>>   Group[  0]: 5000
>>   Group[  1]: 10501
>>   Group[  2]: 10000
>>   Group[  3]: 10586
>>   Group[  4]: -1
>>   Group[  5]: 10590
>>   Group[  6]: 10505
>>   Group[  7]: 20002
>>   Group[  8]: 20003
>>   Group[  9]: 20004
>>   Group[ 10]: 20001
>>
>> The Samba config. looks like this:
>>
>> [global]
>> disable spoolss = Yes
>> disable netbios = yes
>> show add printer wizard = No
>> security = ADS
>> log level = 10
>> realm = FOO.BAR.COM
>> password server = *
>> kerberos method = system keytab
>> workgroup = INTRA
>> client lanman auth = no
>> client ntlmv2 auth = yes
>> max protocol = SMB2
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind separator = +
>> winbind use default domain = yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> winbind cache time = 15
>>
>> idmap config * : range = 20000-30000
>> idmap config * : backend = tdb
>> idmap config INTRA : backend = ad
>> idmap config INTRA : range = 1000-20000
>> idmap config INTRA : schema_mode = rfc3207
>>
>> [foo]
>> path = /live/home/triddel
>> read only = no
>> force create mode = 0600
>> force directory mode = 2700
>> browsable = no
>>
>> Can anyone shed any light on this?
>>
>> Thanks.
>>
>> Toby
>
>
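
An added example (not part of the original thread and not Samba's own code): a small Python parser for the debug_unix_user_token log blocks quoted above that flags tokens containing a negative gid or more entries than a group limit. The sample log is constructed in the format shown in the thread, and the default limit of 16 is an assumption taken from the Solaris limit mentioned in the reply.

```python
import re

# Constructed sample in the format of the log level 10 output quoted in the thread.
SAMPLE_LOG = """\
[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 3 supplementary groups
  Group[  0]: 5000
  Group[  1]: -1
  Group[  2]: 10501
[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 2 supplementary groups
  Group[  0]: 5000
  Group[  1]: 10501
"""

# search() rather than match() so mail-quoted (">> ") log lines also parse.
HEADER = re.compile(r"\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+),\s*\d+\]")
USER = re.compile(r"UNIX token of user (\d+)")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")

def parse_tokens(text):
    """Return one dict per token dump: timestamp, uid and the gid list."""
    tokens, ts = [], None
    for line in text.splitlines():
        if m := HEADER.search(line):
            ts = m.group("ts")
        if m := USER.search(line):
            tokens.append({"ts": ts, "uid": int(m.group(1)), "gids": []})
        elif (m := GROUP.search(line)) and tokens:
            tokens[-1]["gids"].append(int(m.group(1)))
    return tokens

def audit(tokens, ngroups_max=16):
    """Flag tokens with a negative gid or more entries than ngroups_max."""
    findings = []
    for t in tokens:
        bad = [g for g in t["gids"] if g < 0]
        if bad:
            findings.append((t["ts"], t["uid"], "invalid gid", bad))
        if len(t["gids"]) > ngroups_max:
            findings.append((t["ts"], t["uid"], "too many groups", len(t["gids"])))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_tokens(SAMPLE_LOG)):
        print(finding)
```

Running it over a real smbd log separates sessions whose token carries an unmapped gid from those that exceed the configured group limit, the two candidate explanations raised in the thread.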