[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent

Dale Schroeder dale at BriannasSaladDressing.com
Fri Apr 13 11:49:15 MDT 2012


Toby,

This may or may not be relevant for you ==>

There are some winbind issues in 3.6.x.  The one affecting me can be 
found here:
https://bugzilla.samba.org/show_bug.cgi?id=8676

Maybe something there will look familiar to you.

idmap_ad issue from last week in 3.6.x:
http://lists-archives.com/samba/63876-resolved-ctdb-and-pacemaker-last-mile-ctdb-complains-cluster-ip-is-not-a-public-address.html

Good luck,
Dale


On 04/12/2012 8:41 PM, Toby Riddell wrote:
> I'd like to avoid adding a group mapping if possible.
>
> "groups triddel" returns 6 groups.
>
> The strange thing is that with version Samba 3.5.8 everything was working fine...
>
> On 12 April 2012 22:00, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>> Can you add a group mapping for your "unix" group to a Windows group?
>> ("net groupmap add ....")
>>
>> If you do a "groups triddel" on the unix command line, how many groups
>> are you in?    Unix groups mapped to Windows groups get double-counted,
>> which can push you over 16 groups.    My environment is Samba 3.x. PDC's
>> so not the same as yours.
>>
>> FYI The latest (as of a few months back) Solaris 10 kernels finally let
>> you set ngroups_max=1024.
>>
>> 147441-10 (x86_84)
>> 147440-10 (sparc)
>>
>> Most previous ones allowed ngroups_max=32.  Except 147441-09 /147441-09
>> actually rolled it back to ngroups_max=16.
>>
>>
>>
>>
>> On 04/12/12 13:21, Toby Riddell wrote:
>>> Hi all,
>>>
>>> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
>>> with a Windows Server 2008 domain controller. I should state early on
>>> that I do not believe this is a manifestation of the Solaris 16 group
>>> limit - the number of groups is well below 16.
>>>
>>> Winbind seems to be working fine - I can use wbinfo -r to check the
>>> groups that a user is a member of, it returns the list of Active
>>> Directory groups that the userid belongs to:
>>>
>>> # /opt/samba/bin/wbinfo -r triddel
>>> 5000
>>> 10501
>>> 10000
>>> 10586
>>> 20001
>>>
>>> (You'll note that the above list differs from the lists below - this
>>> is because some of the groups have no NIS domain defined in AD.)
>>>
>>> What I see is smbd panicking when initialising groups for a user, it
>>> seems to be trying (and failing) to set one of the groups to  -1:
>>>
>>> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>>>    UNIX token of user 10017
>>>    Primary group is 5000 and contains 11 supplementary groups
>>>    Group[  0]: 5000
>>>    Group[  1]: -1
>>>    Group[  2]: 10501
>>>    Group[  3]: 10000
>>>    Group[  4]: 10586
>>>    Group[  5]: 10590
>>>    Group[  6]: 10505
>>>    Group[  7]: 20002
>>>    Group[  8]: 20003
>>>    Group[  9]: 20004
>>>    Group[ 10]: 20001
>>>
>>> The corresponding truss output looks like this:
>>>
>>> 6114:   setgroups(11, 0x08933B50)                       Err#22 EINVAL
>>> 6114:             5000    -1 10501 10000 10586 10590 10505 20002 20003 20004
>>> 6114:            20001
>>>
>>> The group with gid -1 corresponds to a group defined in /etc/group,
>>> the rest come from Active Directory.
>>>
>>> Occasionally smbd works correctly, and I see this in the log:
>>>
>>> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>>>    UNIX token of user 10017
>>>    Primary group is 5000 and contains 10 supplementary groups
>>>    Group[  0]: 5000
>>>    Group[  1]: 10501
>>>    Group[  2]: 10000
>>>    Group[  3]: 10586
>>>    Group[  4]: 10590
>>>    Group[  5]: 10505
>>>    Group[  6]: 20002
>>>    Group[  7]: 20003
>>>    Group[  8]: 20004
>>>    Group[  9]: 20001
>>>
>>> This may not be relevant, but I also see the list of groups being shuffled:
>>>
>>> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>>>    UNIX token of user 10017
>>>    Primary group is 5000 and contains 11 supplementary groups
>>>    Group[  0]: 5000
>>>    Group[  1]: 10501
>>>    Group[  2]: 10000
>>>    Group[  3]: 10586
>>>    Group[  4]: -1
>>>    Group[  5]: 10590
>>>    Group[  6]: 10505
>>>    Group[  7]: 20002
>>>    Group[  8]: 20003
>>>    Group[  9]: 20004
>>>    Group[ 10]: 20001
>>>
>>> The Samba config. looks like this:
>>>
>>> [global]
>>> disable spoolss = Yes
>>> disable netbios = yes
>>> show add printer wizard = No
>>> security = ADS
>>> log level = 10
>>> realm = FOO.BAR.COM
>>> password server = *
>>> kerberos method = system keytab
>>> workgroup = INTRA
>>> client lanman auth = no
>>> client ntlmv2 auth = yes
>>> max protocol = SMB2
>>>
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind separator = +
>>> winbind use default domain = yes
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = yes
>>> winbind cache time = 15
>>>
>>> idmap config * : range = 20000-30000
>>> idmap config * : backend = tdb
>>> idmap config INTRA : backend = ad
>>> idmap config INTRA : range = 1000-20000
>>> idmap config INTRA : schema_mode = rfc3207
>>>
>>> [foo]
>>> path = /live/home/triddel
>>> read only = no
>>> force create mode = 0600
>>> force directory mode = 2700
>>> browsable = no
>>>
>>> Can anyone shed any light on this?
>>>
>>> Thanks.
>>>
>>> Toby
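
One way to find the condition reported in this thread in an smbd log written at log level 10: parse each debug_unix_user_token dump and flag tokens that carry a negative gid such as -1, a group count that disagrees with the dump's own header, or more groups than the platform limit. This is an added example, not code from the Samba project or from any poster in the thread; the function names, finding labels and the shortened sample log are constructed for illustration.

```python
import re

# Line formats as they appear in the smbd level-10 excerpts in the post.
HEADER = re.compile(r"\[([^,\]]+),\s*\d+\]\s+\S+\(debug_unix_user_token\)")
UID = re.compile(r"UNIX token of user (-?\d+)")
PRIMARY = re.compile(r"Primary group is (-?\d+) and contains (\d+) supplementary")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")

def parse_tokens(log_text):
    """Return one dict per debug_unix_user_token dump found in log_text."""
    tokens, cur = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> \t")          # tolerate mail-quoted excerpts
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "uid": None, "declared": None, "groups": []}
            tokens.append(cur)
        elif line.startswith("["):         # some other log record begins
            cur = None
        elif cur is not None:
            if (m := UID.search(line)):
                cur["uid"] = int(m.group(1))
            elif (m := PRIMARY.search(line)):
                cur["primary"], cur["declared"] = int(m.group(1)), int(m.group(2))
            elif (m := GROUP.search(line)):
                cur["groups"].append(int(m.group(1)))
    return tokens

def audit(token, ngroups_max=16):  # 16 = the Solaris limit named in the thread
    groups, declared = token["groups"], token["declared"]
    checks = {"invalid-gid": any(g < 0 for g in groups),
              "count-mismatch": declared is not None and declared != len(groups),
              "over-ngroups-max": len(groups) > ngroups_max}
    return [name for name, hit in checks.items() if hit]

SAMPLE = """\
[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 3 supplementary groups
  Group[  0]: 5000
  Group[  1]: -1
  Group[  2]: 10501
[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 1 supplementary groups
  Group[  0]: 5000
"""  # constructed sample, shortened, in the format of the post's log excerpts
```

Calling `audit()` on each dict returned by `parse_tokens()` gives an empty list for a clean token and one label per problem otherwise.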
