[Samba] why does add_local_groups come up in only one system's logs?

francis picabia fpicabia at gmail.com
Tue Aug 9 14:41:51 UTC 2016


On Tue, Aug 9, 2016 at 11:15 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> In addition.
>
> UID 4294967295  =  nobody
> So in my opinion the bug "report" is not a bug.
> It's a misconfiguration.
>
> You can test this ..
>
> Set in smb.conf
> Guest account = nobody
>
> And check again, what happens now?
>
>
> Greetz,
>
> Louis
>
>
The problem does not change with that addition and restart of services.

Log still ends with:

[2016/08/09 11:31:54.615106,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216) failed
[2016/08/09 11:31:54.615166,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token

The user nobody is not set up in AD.

I can do something like:

smbclient -L //servername -U nobody

But this doesn't involve authentication.



>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Tuesday 9 August 2016 15:58
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] why does add_local_groups come up in only one
> > system's logs?
> >
> > Hai,
> >
> > If you want to try to avoid that bug.
> > Go here http://downloads.van-belle.nl/samba4/
> > Get the 4.4.5 packages for jessie there.
> > Read the readme.txt and install them.
> >
> > And see if your problem is still there.
> >
> > They are compiled with the latest ldb from debian stretch.
> > Which should fix your problem.
> >
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of francis picabia
> > > Sent: Tuesday 9 August 2016 15:43
> > > To: Rowland Penny
> > > CC: samba at lists.samba.org
> > > Subject: Re: [Samba] why does add_local_groups come up in only one
> > > system's logs?
> > >
> > > On Mon, Aug 8, 2016 at 4:16 PM, Rowland Penny <rpenny at samba.org> wrote:
> > >
> > > > On Mon, 8 Aug 2016 15:27:44 -0300
> > > > francis picabia <fpicabia at gmail.com> wrote:
> > > >
> > > > > OK, that was my bad for copy/pasting some config lines I found with
> > > > > a report of "this works!" on a bug report (only the second login
> > > > > connects bug).
> > > > >
> > > > > I've included the domain and fixed the range so it won't overlap
> > > > > with Unix IDs.
> > > > >
> > > > > #  grep idmap /etc/samba/smb.conf
> > > > >    idmap config MYDOM : backend = rid
> > > > >    idmap config MYDOM : range = 70000-99999999
> > > > >
> > > > > I eliminated the "valid users =" line from the homes section.
> > > > >
> > > > > On Debian, there are a couple of different services.  I read that
> > > > > with 4.2, it can run its own winbind service.  So I wondered if
> > > > > that can make a difference.
> > > >
> > > > I think you could be getting confused here. If you run Samba as a DC,
> > > > then yes, from 4.2.0, the separate winbindd binary is used instead of
> > > > the 'winbind' built into the samba binary.
> > > > On a domain member that is joined to AD, you will need to run
> > > > the winbindd binary as well.
> > > >
> > > > >
> > > > > If I stop winbind, and restart samba...
> > > > >
> > > > > # /etc/init.d/samba restart
> > > > > [ ok ] Restarting nmbd (via systemctl): nmbd.service.
> > > > > [ ok ] Restarting smbd (via systemctl): smbd.service.
> > > > > [ ok ] Restarting samba-ad-dc (via systemctl): samba-ad-dc.service.
> > > > > # ps auxww | grep winbind
> > > > > root     19867  0.0  0.0  12764   948 pts/0    S+   14:13   0:00 grep winbind
> > > > >
> > > >
> > > > This shows that 'winbindd' isn't running, if I run a similar command
> > > > on a domain member:
> > > >
> > > > rowland at devstation:~$ ps ax | grep winbind
> > > >  2334 ?        Ss     0:11 /usr/local/samba/sbin/winbindd
> > > >  2532 ?        S      0:00 /usr/local/samba/sbin/winbindd
> > > >  2535 ?        S      0:00 /usr/local/samba/sbin/winbindd
> > > >  2536 ?        S      0:01 /usr/local/samba/sbin/winbindd
> > > >  4731 ?        S      0:00 /usr/local/samba/sbin/winbindd
> > > > 17044 pts/7    S+     0:00 grep winbind
> > > >
> > > > > Then I can connect with smbclient to the system where I never could
> > > > > before. That would be fine except that ssh requires winbind.
> > > > > If I stop /etc/init.d/samba and launch nmbd, smbd and winbind as
> > > > > services on their own, then ssh login with AD credentials works,
> > > > > but I cannot connect with smbclient.
> > > >
> > > > If I try to connect from a DC to devstation with smbclient, I get this:
> > > >
> > > > root at dc1:~# smbclient -L //devstation -UAdministrator
> > > > Enter Administrator's password:
> > > > Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
> > > >
> > > >         Sharename       Type      Comment
> > > >         ---------       ----      -------
> > > >         homes           Disk
> > > >         data2           Disk
> > > >         IPC$            IPC       IPC Service (Samba 4 Client devstation)
> > > >         root            Disk      Home directory of root
> > > > Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
> > > >
> > > >         Server               Comment
> > > >         ---------            -------
> > > >         DESKTOP-GVRV8IE
> > > >         DEVSTATION           Samba 4 Client devstation
> > > >
> > > >         Workgroup            Master
> > > >         ---------            -------
> > > >         SAMDOM               DESKTOP-GVRV8IE
> > > >
> > > > > The other system running with winbind allows both smbclient
> > > > > and ssh connections.
> > > > >
> > > > > On the problem system:
> > > > >
> > > > > Winbind on, and smbclient fails.
> > > > > Winbind off, and smbclient connects.
> > > > >
> > > > > It doesn't matter if winbind is in /etc/nsswitch.conf
> > > > > The good working system does not have winbind in the nsswitch.conf
> > > > >
> > > > > Both systems have the same packages containing winbind in the name.
> > > > >
> > > >
> > > > I would check everything, if they are running the same OS and Samba
> > > > version etc, then you should get the same results etc, provided Samba
> > > > is running as the same thing i.e. a domain member
> > > >
> > > >
> > > I'm fairly certain I'm encountering this bug:
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=10604
> > >
> > > On the first server which was "working properly", it actually fails
> > > once with the getpwuid(4294967295) failed type of error, and on the
> > > second auth attempt, it works.
> > >
> > > On the second server which never works while winbind is running,
> > > I'm always seeing the getpwuid failed error.
> > >
> > > Just like the bug report, I find the second server works if winbind
> > > stops.
> > > My symptoms and error match this bug report very well.
> > >
> > > There were some users chiming in who said their drive mapping
> > > always failed rather than only in the first auth attempt.
> > >
> > > This samba bug report was where I got the previous range values
> > > starting at 1000 as a supposed fix.
> > >
> > > In fact, the Debian bug report says this magic set of idmap values is a
> > > workaround:
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803001
> > >
> > > I don't believe in magic.
> > >
> > > Maybe I'll need to take this up on a Debian group
> > > unless there is a better suggestion on a solution.
> >
> >
> >
>
>
>
>
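
An added diagnostic sketch, not part of the original message or of Samba: it extracts the `add_local_groups` getpwuid failures from an smbd log and compares each UID with what the rid backend's documented formula (RID - base_rid + low end of range) would produce for the `idmap config` range quoted in the thread. The second log line and its SID are constructed, the function names are hypothetical, and `base_rid` is assumed to be its default of 0.

```python
import re

# Log excerpt from the message above (wrapped as archived), plus one
# constructed line with a placeholder SID for the 4294967295 case.
SAMPLE_LOG = """\
[2016/08/09 11:31:54.615106,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/09 11:31:55.000000,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-1-2-3-1105 -> getpwuid(4294967295) failed
"""
SAMPLE_CONF = """\
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 70000-99999999
"""

FAIL_RE = re.compile(r"SID (S-[\d-]+) -> getpwuid\((\d+)\)\s+failed")
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.M | re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    out = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = out.setdefault(dom, {})
        if key.lower() == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = val
    return out

def find_failures(log):
    """Return [(sid, uid)] for every logged getpwuid failure, tolerating line wraps."""
    return [(sid, int(uid)) for sid, uid in FAIL_RE.findall(log)]

def diagnose(sid, uid, low, high, base_rid=0):
    """Classify a failed UID against the rid formula RID - base_rid + low."""
    if uid == 0xFFFFFFFF:
        return "invalid: 2**32-1 is the (uid_t)-1 'no ID' sentinel"
    expected = int(sid.rsplit("-", 1)[1]) - base_rid + low
    if not low <= uid <= high:
        return f"outside range {low}-{high}; rid would give {expected}"
    if uid != expected:
        return f"in range but not rid-derived; rid would give {expected}"
    return "matches rid mapping; NSS has no passwd entry for it"

def report(log, conf, domain):
    """Return [(uid, diagnosis)] for each failure, using the domain's idmap range."""
    low, high = parse_idmap(conf)[domain]["range"]
    return [(uid, diagnose(sid, uid, low, high)) for sid, uid in find_failures(log)]
```

Run on the thread's excerpt, `report(SAMPLE_LOG, SAMPLE_CONF, "MYDOM")` shows that the failing UID 16777216 lies inside 70000-99999999 but is not the 82331 that the rid formula gives for RID 12331.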

