[Samba] samba 4.5.8 @ debian 9 - wrong groups IDs for PAM authorization
Stanislav N. aka pztrn
pztrn at pztrn.name
Thu Jul 6 19:13:16 UTC 2017
Hello list.
I'm using samba4 authorization with Debian 8 without any problems. But in Debian 9 the very same config causes problems: it is unable to change GID. Here is my smb.conf:
[global]
netbios name = testvm
security = ADS
workgroup = WRKGRP
realm = EXAMPLE.COM
password server = 172.24.0.253
wins server = 172.24.0.253
wins proxy = no
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/zsh
client use spnego = yes
winbind use default domain = yes
encrypt passwords = yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nested groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
inherit acls = Yes
acl group control = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config <win domain>:backend = ad
idmap config <win domain>:schema_mode = rfc2307
idmap config <win domain>:range = 3000000-4000000
socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
With this configuration on Debian 8, a domain user successfully logged in. On Debian 9, the domain user failed to log in. Relevant lines in auth.log:
Jul 6 18:58:58 testvm login[1230]: pam_winbind(login:auth): getting password (0x00000000)
Jul 6 18:59:02 testvm login[1230]: pam_winbind(login:auth): user 'domainuser' granted access
Jul 6 18:59:02 testvm login[1230]: pam_winbind(login:account): user 'domainuser' granted access
Jul 6 18:59:02 testvm login[1230]: pam_mail(login:session): pam_modutil_drop_priv: change_gid failed: Success
Jul 6 18:59:02 testvm login[1230]: pam_keyinit(login:session): Unable to change GID to 70005 temporarily
Jul 6 18:59:02 testvm login[1230]: pam_unix(login:session): session opened for user domainuser by LOGIN(uid=0)
Jul 6 18:59:02 testvm mkhomedir_helper: PAM unable to change perms on copy /home/domainuser/.profile: Invalid argument
Jul 6 18:59:02 testvm login[1230]: pam_systemd(login:session): Failed to create session: Seat has no VTs but VT number not 0
Jul 6 18:59:02 testvm login[1230]: Permission denied
GID 70005 is the «domain admins» group.
The AD DC is running in samba 4.2.14 on Gentoo. The client OS is running within an LXC container, if it matters.
Any ideas?
--
With best regards,
Stanislav N. aka pztrn
Jabber: pztrn at pztrn.name
E-Mail: pztrn at pztrn.name
Blog: http://pztrn.name && http://en.pztrn.name
Telegram: @pztrn
Key ID: B3E1F07E
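A check worth running given the LXC container mentioned in the post, as an added example that is not part of the original message: inside a user namespace, setgid() and chown() to a GID with no entry in /proc/self/gid_map fail with EINVAL ("Invalid argument"), so this compares the posted idmap ranges with the container's GID mapping. That the container is unprivileged is an assumption, as is the sample mapping, which is constructed; the function names are illustrative.

```python
import re

# idmap range lines copied from the smb.conf in the post.
SMB_CONF = """\
idmap config *:range = 70001-80000
idmap config <win domain>:range = 3000000-4000000
"""

# Constructed sample of /proc/self/gid_map for a container that maps 65536 IDs
# (an assumption: the post does not show the container's real mapping).
SAMPLE_GID_MAP = "         0     100000      65536\n"

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(.+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.M)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for each 'idmap config X:range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def parse_gid_map(text):
    """Return [(first, last)] GID extents visible inside the namespace."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:  # inside-start, outside-start, count
            inside, _outside, count = map(int, fields)
            extents.append((inside, inside + count - 1))
    return extents

def gid_is_mapped(gid, extents):
    """True if gid has a mapping in the namespace (setgid needs one)."""
    return any(first <= gid <= last for first, last in extents)

def uncovered_domains(ranges, extents):
    """idmap domains whose range is not fully inside one mapped extent."""
    return sorted(dom for dom, (low, high) in ranges.items()
                  if not any(first <= low and high <= last
                             for first, last in extents))

if __name__ == "__main__":
    with open("/proc/self/gid_map") as fh:  # run this inside the container
        live = parse_gid_map(fh.read())
    print("GID 70005 mapped:", gid_is_mapped(70005, live))
    print("idmap ranges outside the mapping:",
          uncovered_domains(parse_idmap_ranges(SMB_CONF), live))
```

If the container's real mapping covers both idmap ranges, this hypothesis is ruled out and the cause lies elsewhere.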