[Samba] samba 4.5.8 @ debian 9 - wrong groups IDs for PAM authorization

Stanislav N. aka pztrn pztrn at pztrn.name
Thu Jul 6 19:13:16 UTC 2017


Hello list.

I'm using samba4 authorization with debian 8 without any problems. But in debian 9 the very same config causes problems - unable to change GID. Here is my smb.conf:

[global]
        netbios name = testvm
        security = ADS
        workgroup = WRKGRP
        realm = EXAMPLE.COM
        password server = 172.24.0.253
        wins server = 172.24.0.253
        wins proxy = no
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/zsh
        client use spnego = yes
        winbind use default domain = yes
        encrypt passwords = yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind nested groups = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        inherit acls = Yes
        acl group control = yes

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config <win domain>:backend = ad
        idmap config <win domain>:schema_mode = rfc2307
        idmap config <win domain>:range = 3000000-4000000

        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

With this configuration on debian 8 the domain user successfully logged in. On debian 9 the domain user failed to log in. Relevant lines in auth.log:

Jul  6 18:58:58 testvm login[1230]: pam_winbind(login:auth): getting password (0x00000000)
Jul  6 18:59:02 testvm login[1230]: pam_winbind(login:auth): user 'domainuser' granted access
Jul  6 18:59:02 testvm login[1230]: pam_winbind(login:account): user 'domainuser' granted access
Jul  6 18:59:02 testvm login[1230]: pam_mail(login:session): pam_modutil_drop_priv: change_gid failed: Success
Jul  6 18:59:02 testvm login[1230]: pam_keyinit(login:session): Unable to change GID to 70005 temporarily
Jul  6 18:59:02 testvm login[1230]: pam_unix(login:session): session opened for user domainuser by LOGIN(uid=0)
Jul  6 18:59:02 testvm mkhomedir_helper: PAM unable to change perms on copy /home/domainuser/.profile: Invalid argument
Jul  6 18:59:02 testvm login[1230]: pam_systemd(login:session): Failed to create session: Seat has no VTs but VT number not 0
Jul  6 18:59:02 testvm login[1230]: Permission denied

GID 70005 is the «domain admins» group.

The AD DC is running Samba 4.2.14 on Gentoo. The client OS is running inside an LXC container, if it matters.

Any ideas?

--
With best regards, 
Stanislav N. aka pztrn
Jabber: pztrn at pztrn.name
E-Mail: pztrn at pztrn.name
Blog: http://pztrn.name && http://en.pztrn.name
Telegram: @pztrn
Key ID: B3E1F07E
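A quick way to reason about a failing GID like the 70005 in the log above is to check which idmap range it falls into. The script below is an added example, not code from the original post: it parses the `idmap config` lines of an smb.conf excerpt and reports which backend a given UID/GID was allocated from. The excerpt is constructed from the post's config with `WRKGRP` substituted for the `<win domain>` placeholder (an assumption; in the real file the idmap domain must be the short NetBIOS domain name). An ID that lands in the `*` tdb range instead of the AD rfc2307 range means winbind did not take it from the directory's `gidNumber`, which is exactly the kind of mismatch worth ruling out before suspecting PAM or the container.

```python
import re

# Constructed excerpt mirroring the idmap lines from the post; "WRKGRP" is assumed
# to be the short domain name that appeared as "<win domain>" in the message.
SMB_CONF = """
[global]
        workgroup = WRKGRP
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config WRKGRP:backend = ad
        idmap config WRKGRP:schema_mode = rfc2307
        idmap config WRKGRP:range = 3000000-4000000
"""

# "idmap config DOMAIN:key = value"; DOMAIN may be "*" for the default backend.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf):
    """Return {domain: {"backend": ..., "range": (lo, hi), ...}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", val))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return domains


def classify_id(domains, xid):
    """Return (domain, backend) whose range contains xid, or None if unmapped."""
    for dom, entry in domains.items():
        rng = entry.get("range")
        if rng and rng[0] <= xid <= rng[1]:
            return dom, entry.get("backend")
    return None


def diagnose(domains, xid, expected_domain):
    """Human-readable verdict on where xid was allocated relative to expected_domain."""
    hit = classify_id(domains, xid)
    if hit is None:
        return f"id {xid} lies outside every configured idmap range"
    dom, backend = hit
    if dom == expected_domain:
        return f"id {xid} comes from the {dom} backend ({backend}) as intended"
    return (
        f"id {xid} was allocated by the '{dom}' backend ({backend}), not by "
        f"{expected_domain}; check that the idmap domain name matches the "
        f"workgroup and that the group carries a gidNumber in AD"
    )


if __name__ == "__main__":
    idmap = parse_idmap(SMB_CONF)
    # GID from the auth.log lines in the post
    print(diagnose(idmap, 70005, "WRKGRP"))
```

Run it against the real `/etc/samba/smb.conf` by replacing `SMB_CONF` with the file's contents and passing the GID that `getent passwd <user>` reports as the primary group; an allocation from the `*` backend for a domain group points at the idmap configuration rather than at PAM.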