[Samba] sys_setgroups failed on Solaris 11

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Jun 7 15:55:49 UTC 2018


If you have an Oracle support contract, the Solaris 11 updates should
bring you up to samba 4.6.x or 4.7.x. You may get warnings about
NGROUPS_MAX exceeding 16 but it should not cause samba to crash (I have
several Solaris 11 machines.) This should have been fixed since Samba
3.6.x if not earlier.


My /etc/nsswitch.conf file includes

     passwd: files ldap winbind
     group:  files ldap winbind



This does mean that "getent" shows double users, but this is not a
problem if the uidNumber and gidNumber are set.

    # getent passwd | grep myname
    myname:x:123:518::/home/myname:/bin/bash
    MYDOMAIN\mydomain:*:123:518:Firstname Lastname:/home/MYDOMAIN/myname:/bin/false


My smb.conf includes

    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 100-1999



This allows us to have consistent permissions between NFS and Windows
clients.


Originally we were in a classic domain (Samba domain controllers with 
Oracle's LDAP server as the backend for unix and samba accounts.)  We 
reconfigured as an AD domain, with Windows servers as domain 
controllers.  But it shouldn't change the unix-to-windows mapping approach.








On 06/07/18 11:28, Jean-Christophe Delaye via samba wrote:
> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
>> Hi,
>> I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server.
>>
>> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain.
>>
>> Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize and Solaris servers use nsswitch ldap directly.
>>
>> I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain.
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows.
>>
>> Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups.
>>
>> Not sure what to look for now. What information should I provide for help?
> Samba may panic when user is a member of more than NGROUPS_MAX Active
> Directory groups.
>
> Set ngroups_max to at least the maximum number of groups an Active
> Directory user belongs to.
>
> As an example, the following line in /etc/system will set ngroups_max to
> 128:
>
> set ngroups_max = 128
>
>   (a reboot is required after changing /etc/system).
>
>
>> #
>> # smb.conf
>> #======================= Global Settings =====================================
>> [global]
>> security = ADS
>> workgroup = MYDOMAIN-AD
>> server string = Samba Server on LEX
>> server role = standalone server
>> log file = /var/samba/log/log.%m
>> max log size = 50
>> realm = MYDOMAIN-AD.CTG.QUEENSU.CA
>> passdb backend = tdbsam
>>
>> interfaces = 10.1.21.220/16
>> bind interfaces only = yes
>> wins support = no
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>>
>> idmap config MYDOMAIN-AD : backend = nss
>> idmap config MYDOMAIn-AD : range = 100000-999999
>>
>> #
>> #
>> # some output from: smbd -i -d3
>> ....snip...
>> ldb_wrap open of secrets.ldb
>> check_ntlm_password: winbind authentication for user [teddy] succeeded
>> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0xe2088215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0xe2088215
>> Adding homes service for user 'teddy' using home directory: '/home/teddy'
>> adding home's share [teddy] for user 'teddy' at '/home/teddy'
>> Allowed connection from 10.0.61.1 (10.0.61.1)
>> Connect path is '/tmp' for service [IPC$]
>> Initialising default vfs hooks
>> Initialising custom vfs hooks from [/[Default VFS]/]
>> PANIC (pid 23738): sys_setgroups failed
>> BACKTRACE: 22 stack frames:
>> ....snip....
>>
>
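
Added example, not part of the original messages or of Samba itself: a shell helper that reads `getent group`-style lines and lists users whose distinct supplementary GID count exceeds a given limit, which is the condition the ngroups_max advice above addresses. It assumes winbind names carry a `DOMAIN\` prefix and that the same GID may be returned by more than one nsswitch source; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# over_limit LIMIT
#   stdin : lines in group(4) format  name:passwd:gid:member1,member2,...
#   stdout: "user count" for each user listed in more than LIMIT distinct GIDs
# Only memberships listed in the group database are counted; the primary
# group from the passwd entry is not included.
over_limit() {
    awk -F: -v limit="$1" '
        NF >= 4 && $4 != "" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                m = members[i]
                sub(/^.*\\/, "", m)          # assumption: drop a DOMAIN\ prefix
                key = m SUBSEP $3            # count each (user, gid) pair once
                if (!(key in seen)) { seen[key] = 1; count[m]++ }
            }
        }
        END { for (u in count) if (count[u] > limit) print u, count[u] }
    ' | sort
}

# Constructed sample: GID 518 is returned twice, once by a local/LDAP source
# and once by winbind, as happens with "group: files ldap winbind".
sample_groups() {
    cat <<'EOF'
staff:x:518:alice,bob
MYDOMAIN\staff:x:518:MYDOMAIN\alice,MYDOMAIN\bob
eng:x:600:alice
ops:x:601:alice,bob
backup:x:602:alice
EOF
}

# Demonstration on the constructed sample with a limit of 3.
sample_groups | over_limit 3
```

On a live host the same function can be fed real data with `getent group | over_limit "$(getconf NGROUPS_MAX)"`; the result is an approximation from NSS, not the group list Samba builds from the AD token.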


