[Samba] why does add_local_groups come up in only one system's logs?

L.P.H. van Belle belle at bazuin.nl
Tue Aug 9 14:15:53 UTC 2016


In addition.

UID 4294967295  =  nobody 
So in my opinion the bug "report" is not a bug.
It's a misconfiguration.

You can test this .. 

Set in smb.conf 
Guest account = nobody 

And check again, what happens now? 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday 9 August 2016 15:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] why does add_local_groups come up in only one
> system's logs?
> 
> Hi,
> 
> If you want to try to avoid that bug.
> Go here http://downloads.van-belle.nl/samba4/
> Get the 4.4.5 packages for jessie there.
> Read the readme.txt and install them.
> 
> And see if your problem is still there.
> 
> They are compiled with the latest ldb from Debian stretch.
> Which should fix your problem.
> 
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of francis picabia
> > Sent: Tuesday 9 August 2016 15:43
> > To: Rowland Penny
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] why does add_local_groups come up in only one
> > system's logs?
> >
> > On Mon, Aug 8, 2016 at 4:16 PM, Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Mon, 8 Aug 2016 15:27:44 -0300
> > > francis picabia <fpicabia at gmail.com> wrote:
> > >
> > > > OK, that was my bad for copy/pasting some config lines I found with
> > > > a report of "this works!" on a bug report (only the second login
> > > > connects bug).
> > > >
> > > > I've included the domain and fixed the range so it won't overlap with
> > > > Unix IDs.
> > > >
> > > > #  grep idmap /etc/samba/smb.conf
> > > >    idmap config MYDOM : backend = rid
> > > >    idmap config MYDOM : range = 70000-99999999
> > > >
> > > > I eliminated the "valid users =" line from the homes section.
> > > >
> > > > On Debian, there are a couple of different services.  I read that
> > > > with 4.2, it can
> > > > run its own winbind service.  So I wondered if that can make a
> > > > difference.
> > >
> > > I think you could be getting confused here. If you run Samba as a DC,
> > > then yes, from 4.2.0, the separate winbindd binary is used instead of
> > > the 'winbind' built into the samba binary.
> > > On a domain member that is joined to AD, you will need to run
> > > the winbindd binary as well.
> > >
> > > >
> > > > If I stop winbind, and restart samba...
> > > >
> > > > # /etc/init.d/samba restart
> > > > [ ok ] Restarting nmbd (via systemctl): nmbd.service.
> > > > [ ok ] Restarting smbd (via systemctl): smbd.service.
> > > > [ ok ] Restarting samba-ad-dc (via systemctl): samba-ad-dc.service.
> > > > # ps auxww | grep winbind
> > > > root     19867  0.0  0.0  12764   948 pts/0    S+   14:13   0:00 grep winbind
> > > >
> > >
> > > This shows that 'winbindd' isn't running, if I run a similar command on
> > > a domain member:
> > >
> > > rowland at devstation:~$ ps ax | grep winbind
> > >  2334 ?        Ss     0:11 /usr/local/samba/sbin/winbindd
> > >  2532 ?        S      0:00 /usr/local/samba/sbin/winbindd
> > >  2535 ?        S      0:00 /usr/local/samba/sbin/winbindd
> > >  2536 ?        S      0:01 /usr/local/samba/sbin/winbindd
> > >  4731 ?        S      0:00 /usr/local/samba/sbin/winbindd
> > > 17044 pts/7    S+     0:00 grep winbind
> > >
> > > > Then I can connect with smbclient to the system where I never could
> > > > before. That would be fine except that ssh requires winbind.
> > > > If I stop /etc/init.d/samba and launch nmbd, smbd and winbind as
> > > > services on their own, then ssh login with AD credentials works,
> > > > but I cannot connect with smbclient.
> > >
> > > If I try to connect from a DC to devstation with smbclient, I get this:
> > >
> > > root at dc1:~# smbclient -L //devstation -UAdministrator
> > > Enter Administrator's password:
> > > Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
> > >
> > >         Sharename       Type      Comment
> > >         ---------       ----      -------
> > >         homes           Disk
> > >         data2           Disk
> > >         IPC$            IPC       IPC Service (Samba 4 Client devstation)
> > >         root            Disk      Home directory of root
> > > Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
> > >
> > >         Server               Comment
> > >         ---------            -------
> > >         DESKTOP-GVRV8IE
> > >         DEVSTATION           Samba 4 Client devstation
> > >
> > >         Workgroup            Master
> > >         ---------            -------
> > >         SAMDOM               DESKTOP-GVRV8IE
> > >
> > > > The other system running with winbind allows both smbclient
> > > > and ssh connections.
> > > >
> > > > On the problem system:
> > > >
> > > > Winbind on, and smbclient fails.
> > > > Winbind off, and smbclient connects.
> > > >
> > > > It doesn't matter if winbind is in /etc/nsswitch.conf
> > > > The good working system does not have winbind in the nsswitch.conf
> > > >
> > > > Both systems have the same packages containing winbind in the name.
> > > >
> > >
> > > I would check everything, if they are running the same OS and Samba
> > > version etc, then you should get the same results etc, provided Samba
> > > is running as the same thing i.e. a domain member
> > >
> > >
> > I'm fairly certain I'm encountering this bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=10604
> >
> > On the first server which was "working properly", it actually fails once
> > with the getpwuid(4294967295) failed type of error, and on the second
> > auth attempt, it works.
> >
> > On the second server which never works while winbind is running,
> > I'm always seeing the getpwuid failed error.
> >
> > Just like the bug report, I find the second server works if winbind stops.
> > My symptoms and error match this bug report very well.
> >
> > There were some users chiming in who said their drive mapping
> > always failed rather than only in the first auth attempt.
> >
> > This samba bug report was where I got the previous range values starting
> > at 1000 as a supposed fix.
> >
> > In fact, the Debian bug report says this magic set of idmap values is a
> > workaround:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803001
> >
> > I don't believe in magic.
> >
> > Maybe I'll need to take this up on a Debian group
> > unless there is a better suggestion on a solution.
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 
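
A check for the point in the quoted messages about keeping the idmap range clear of Unix IDs (an added example, not part of the original thread and not Samba code): it parses `idmap config ... : range` lines and lists local accounts whose UIDs fall inside a domain range. The passwd entries and the upper bound of the earlier range are constructed sample values, and the function names are hypothetical.

```python
import re

# The idmap lines quoted in the thread (the corrected configuration).
FIXED_CONF = """\
[global]
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 70000-99999999
"""
# Constructed "before": a range starting at 1000 as the thread describes; upper bound assumed.
EARLIER_CONF = "   idmap config MYDOM : range = 1000-99999999\n"
# Constructed local accounts in /etc/passwd format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config DOM : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def owning_domain(ranges, uid):
    """Domain whose range contains uid, or None if no configured range covers it."""
    return next((d for d, (lo, hi) in ranges.items() if lo <= uid <= hi), None)

def local_collisions(ranges, passwd_text):
    """Local accounts whose UID falls inside a range reserved for a domain."""
    hits = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed or comment lines
        domain = owning_domain(ranges, int(fields[2]))
        if domain is not None:
            hits.append((fields[0], int(fields[2]), domain))
    return hits

if __name__ == "__main__":
    fixed = idmap_ranges(FIXED_CONF)
    print("earlier range:", local_collisions(idmap_ranges(EARLIER_CONF), SAMPLE_PASSWD))
    print("fixed range:  ", local_collisions(fixed, SAMPLE_PASSWD))
    print("uid from the getpwuid error:", owning_domain(fixed, 4294967295))
```

With the range from the thread no sample local account collides, and the uid from the getpwuid error, 4294967295, lies above 99999999, so no configured range covers it.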
