[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent
Dale Schroeder
dale at BriannasSaladDressing.com
Fri Apr 13 11:49:15 MDT 2012
Toby,
This may or may not be relevant for you ==>
There are some winbind issues in 3.6.x. The one affecting me can be
found here:
https://bugzilla.samba.org/show_bug.cgi?id=8676
Maybe something there will look familiar to you.
idmap_ad issue from last week in 3.6.x:
http://lists-archives.com/samba/63876-resolved-ctdb-and-pacemaker-last-mile-ctdb-complains-cluster-ip-is-not-a-public-address.html
Good luck,
Dale
On 04/12/2012 8:41 PM, Toby Riddell wrote:
> I'd like to avoid adding a group mapping if possible.
>
> "groups triddel" returns 6 groups.
>
> The strange thing is that with version Samba 3.5.8 everything was working fine...
>
> On 12 April 2012 22:00, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>> Can you add a group mapping for your "unix" group to a Windows group?
>> ("net groupmap add ....")
>>
>> If you do a "groups triddel" on the unix command line, how many groups
>> are you in? Unix groups mapped to Windows groups get double-counted,
>> which can push you over 16 groups. My environment is Samba 3.x. PDC's
>> so not the same as yours.
>>
>> FYI The latest (as of a few months back) Solaris 10 kernels finally let
>> you set ngroups_max=1024.
>>
>> 147441-10 (x86_84)
>> 147440-10 (sparc)
>>
>> Most previous ones allowed ngroups_max=32. Except 147441-09 /147441-09
>> actually rolled it back to ngroups_max=16.
>>
>> On 04/12/12 13:21, Toby Riddell wrote:
>>> Hi all,
>>>
>>> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
>>> with a Windows Server 2008 domain controller. I should state early on
>>> that I do not believe this is a manifestation of the Solaris 16 group
>>> limit - the number of groups is well below 16.
>>>
>>> Winbind seems to be working fine - I can use wbinfo -r to check the
>>> groups that a user is a member of, it returns the list of Active
>>> Directory groups that the userid belongs to:
>>>
>>> # /opt/samba/bin/wbinfo -r triddel
>>> 5000
>>> 10501
>>> 10000
>>> 10586
>>> 20001
>>>
>>> (You'll note that the above list differs from the lists below - this
>>> is because some of the groups have no NIS domain defined in AD.)
>>>
>>> What I see is smbd panicking when initialising groups for a user, it
>>> seems to be trying (and failing) to set one of the groups to -1:
>>>
>>> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>>> UNIX token of user 10017
>>> Primary group is 5000 and contains 11 supplementary groups
>>> Group[ 0]: 5000
>>> Group[ 1]: -1
>>> Group[ 2]: 10501
>>> Group[ 3]: 10000
>>> Group[ 4]: 10586
>>> Group[ 5]: 10590
>>> Group[ 6]: 10505
>>> Group[ 7]: 20002
>>> Group[ 8]: 20003
>>> Group[ 9]: 20004
>>> Group[ 10]: 20001
>>>
>>> The corresponding truss output looks like this:
>>>
>>> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
>>> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
>>> 6114: 20001
>>>
>>> The group with gid -1 corresponds to a group defined in /etc/group,
>>> the rest come from Active Directory.
>>>
>>> Occasionally smbd works correctly, and I see this in the log:
>>>
>>> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>>> UNIX token of user 10017
>>> Primary group is 5000 and contains 10 supplementary groups
>>> Group[ 0]: 5000
>>> Group[ 1]: 10501
>>> Group[ 2]: 10000
>>> Group[ 3]: 10586
>>> Group[ 4]: 10590
>>> Group[ 5]: 10505
>>> Group[ 6]: 20002
>>> Group[ 7]: 20003
>>> Group[ 8]: 20004
>>> Group[ 9]: 20001
>>>
>>> This may not be relevant, but I also see the list of groups being shuffled:
>>>
>>> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>>> UNIX token of user 10017
>>> Primary group is 5000 and contains 11 supplementary groups
>>> Group[ 0]: 5000
>>> Group[ 1]: 10501
>>> Group[ 2]: 10000
>>> Group[ 3]: 10586
>>> Group[ 4]: -1
>>> Group[ 5]: 10590
>>> Group[ 6]: 10505
>>> Group[ 7]: 20002
>>> Group[ 8]: 20003
>>> Group[ 9]: 20004
>>> Group[ 10]: 20001
>>>
>>> The Samba config. looks like this:
>>>
>>> [global]
>>> disable spoolss = Yes
>>> disable netbios = yes
>>> show add printer wizard = No
>>> security = ADS
>>> log level = 10
>>> realm = FOO.BAR.COM
>>> password server = *
>>> kerberos method = system keytab
>>> workgroup = INTRA
>>> client lanman auth = no
>>> client ntlmv2 auth = yes
>>> max protocol = SMB2
>>>
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind separator = +
>>> winbind use default domain = yes
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = yes
>>> winbind cache time = 15
>>>
>>> idmap config * : range = 20000-30000
>>> idmap config * : backend = tdb
>>> idmap config INTRA : backend = ad
>>> idmap config INTRA : range = 1000-20000
>>> idmap config INTRA : schema_mode = rfc3207
>>>
>>> [foo]
>>> path = /live/home/triddel
>>> read only = no
>>> force create mode = 0600
>>> force directory mode = 2700
>>> browsable = no
>>>
>>> Can anyone shed any light on this?
>>>
>>> Thanks.
>>>
>>> Toby
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
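
Added example, not part of the original thread and not Samba code: a Python scan of smbd level-10 logs for `debug_unix_user_token` blocks whose group list contains the invalid gid -1 that made `setgroups()` fail with EINVAL in the truss output above. The function names, the shortened sample log and the default `ngroups_max=16` (the Solaris limit named in the thread) are assumptions.

```python
import re

# smbd level-10 debug_unix_user_token output, in the format quoted in the post.
HEADER = re.compile(r"\[([\d/]+ [\d:.]+),\s*\d+\].*\(debug_unix_user_token\)")
USER = re.compile(r"UNIX token of user (\d+)")
PRIMARY = re.compile(r"contains (\d+) supplementary groups")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")

def parse_tokens(text):  # returns one dict per logged UNIX token
    tokens, cur = [], None
    for line in (r.lstrip("> \t") for r in text.splitlines()):  # tolerate mail quoting
        if line.startswith("["):             # any log header closes the open block
            m = HEADER.match(line)
            cur = {"ts": m.group(1), "uid": None, "declared": 0, "gids": []} if m else None
            tokens += [cur] if m else []
        elif cur and (m := USER.search(line)):
            cur["uid"] = int(m.group(1))
        elif cur and (m := PRIMARY.search(line)):
            cur["declared"] = int(m.group(1))
        elif cur and (m := GROUP.search(line)):
            cur["gids"].append(int(m.group(1)))
    return tokens

def problems(tok, ngroups_max=16):
    gids = tok["gids"]
    checks = {
        "invalid-gid": any(g < 0 for g in gids),         # the -1 that setgroups() rejected
        "count-mismatch": len(gids) != tok["declared"],  # truncated or interleaved block
        "over-ngroups-max": len(gids) > ngroups_max,     # limit named in the thread
    }
    return [name for name, hit in checks.items() if hit]

def flag_bad_tokens(text, ngroups_max=16):
    return [(t["ts"], t["uid"], p) for t in parse_tokens(text) if (p := problems(t, ngroups_max))]

# Constructed sample modelled on the log excerpts in the post (group lists shortened).
SAMPLE = """\
[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 3 supplementary groups
  Group[  0]: 5000
  Group[  1]: -1
  Group[  2]: 10501
[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 2 supplementary groups
  Group[  0]: 5000
  Group[  1]: 10501
"""
```

`flag_bad_tokens(open(path).read())` over a real log file returns one `(timestamp, uid, reasons)` tuple per suspect token, which makes it easy to see how often the -1 entry appears and for which users.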