[Samba] sys_setgroups failed on Solaris 11
Gaiseric Vandal
gaiseric.vandal at gmail.com
Thu Jun 7 15:55:49 UTC 2018
If you have an Oracle support contract, the Solaris 11 updates should
bring you up to samba 4.6.x or 4.7.x. You may get warnings about
NGROUPS_MAX exceeding 16 but it should not cause samba to crash (I have
several Solaris 11 machines.) This should have been fixed since Samba
3.6.x if not earlier.
My /etc/nsswitch.conf file includes
passwd: files ldap winbind
group: files ldap winbind
This does mean that "getent" shows double users, but this is not a
problem if the uidNumber and gidNumber are set.
# getent passwd | grep myname
myname:x:123:518::/home/myname:/bin/bash
MYDOMAIN\mydomain:*:123:518:Firstname Lastname:/home/MYDOMAIN/myname:/bin/false
My smb.conf includes
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
This allows us to have consistent permissions between NFS and Windows
clients.
Originally we were in a classic domain (Samba domain controllers with
Oracle's LDAP server as the backend for unix and samba accounts.) We
reconfigured as an AD domain, with Windows servers as domain
controllers. But it shouldn't change the unix-to-windows mapping approach.
On 06/07/18 11:28, Jean-Christophe Delaye via samba wrote:
> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
>> Hi,
>> I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server.
>>
>> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain.
>>
>> Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize and Solaris servers use nsswitch ldap directly.
>>
>> I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain.
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows.
>>
>> Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups.
>>
>> Not sure what to look for now. What information should I provide for help?
> Samba may panic when user is a member of more than NGROUPS_MAX Active
> Directory groups.
>
> Set ngroups_max to at least the maximum number of groups an Active
> Directory user belongs to.
>
> As an example, the following line in /etc/system will set ngroups_max to
> 128:
>
> set ngroups_max = 128
>
> (a reboot is required after changing /etc/system).
>
>
>> #
>> # smb.conf
>> #======================= Global Settings =====================================
>> [global]
>> security = ADS
>> workgroup = MYDOMAIN-AD
>> server string = Samba Server on LEX
>> server role = standalone server
>> log file = /var/samba/log/log.%m
>> max log size = 50
>> realm = MYDOMAIN-AD.CTG.QUEENSU.CA
>> passdb backend = tdbsam
>>
>> interfaces = 10.1.21.220/16
>> bind interfaces only = yes
>> wins support = no
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>>
>> idmap config MYDOMAIN-AD : backend = nss
>> idmap config MYDOMAIn-AD : range = 100000-999999
>>
>> #
>> #
>> # some output from: smbd -i -d3
>> ....snip...
>> ldb_wrap open of secrets.ldb
>> check_ntlm_password: winbind authentication for user [teddy] succeeded
>> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0xe2088215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0xe2088215
>> Adding homes service for user 'teddy' using home directory: '/home/teddy'
>> adding home's share [teddy] for user 'teddy' at '/home/teddy'
>> Allowed connection from 10.0.61.1 (10.0.61.1)
>> Connect path is '/tmp' for service [IPC$]
>> Initialising default vfs hooks
>> Initialising custom vfs hooks from [/[Default VFS]/]
>> PANIC (pid 23738): sys_setgroups failed
>> BACKTRACE: 22 stack frames:
>> ....snip....
>>
>
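Added example, not part of the original messages: a shell check that lists accounts whose supplementary group count exceeds the limit discussed above, so they can be found before smbd hits sys_setgroups. The function names, the tab-separated line format and the sample accounts are assumptions made for this example; it also assumes the host's id accepts -G.

```sh
#!/bin/sh
# Added example (not from the thread): find accounts whose group count
# exceeds the limit that setgroups() enforces on this host.

# over_limit LIMIT
# Reads "user<TAB>gid gid gid ..." lines on stdin and prints
# "user<TAB>count" for every account with more than LIMIT groups.
# Tab is the separator so names such as MYDOMAIN\user survive intact.
over_limit() {
    awk -F'\t' -v limit="$1" '{
        n = split($2, gids, " ")
        if (n > limit) print $1 "\t" n
    }'
}

# group_lines
# Builds the input for over_limit from the live name service
# (files, ldap, winbind, whatever nsswitch.conf lists).
group_lines() {
    getent passwd | cut -d: -f1 | sort -u | while read -r user; do
        gids=$(id -G "$user" 2>/dev/null) || continue
        printf '%s\t%s\n' "$user" "$gids"
    done
}

# sample_lines
# Constructed sample data: one local account with 3 groups and one
# domain account with 17 groups, one more than the limit of 16
# mentioned in the thread.
sample_lines() {
    printf 'myname\t518 100 101\n'
    printf 'MYDOMAIN\\teddy\t%s\n' \
        '1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017'
}

if [ "${1:-}" = "--live" ]; then
    # Query the running system and its real limit.
    limit=$(getconf NGROUPS_MAX)
    echo "NGROUPS_MAX is $limit"
    group_lines | over_limit "$limit"
else
    # Offline demonstration on the constructed sample.
    sample_lines | over_limit 16
fi
```

Run it with --live on the Samba host to compare real accounts against the value reported by getconf NGROUPS_MAX.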