[Samba] sys_setgroups failed on Solaris 11

Rowland Penny rpenny at samba.org
Thu Jun 7 16:04:06 UTC 2018 

On Thu, 7 Jun 2018 17:28:43 +0200
Jean-Christophe Delaye via samba <samba at lists.samba.org> wrote:

> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
> > Hi, 
> > I'm trying to create a new Samba server to share files. We
> > currently have an instance of Samba 3.6 on another server which we
> > are using but need to retire that server. 
> > 
> > I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04.
> > There are two domain controllers. Most of the PCs are joined to
> > this AD domain. 
> > 
> > Our user accounts and group memberships are maintained in an LDAP
> > directory. On our Linux servers SSSD is used to authenticate and
> > authorize and Solaris servers use nsswitch ldap directly. 
> > 
> > I've followed the instructions here to join the new Samba server
> > (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
> > 
> > My hope is to use AD for authentication, but for the users & groups
> > to be read by the Samba server OS as if our users were on
> > Unix/Linux directly. Our current Samba 3.6 works this way. We
> > assign permissions in Unix. We don't assign permissions using
> > Windows. 
> > 
> > Anyways, when I connect it seems work when I authenticate but then
> > it bails on sys_setgroups. 
> > 
> > Not sure what to look for now. What information should I provide
> > for help? 
> Samba may panic when user is a member of more then NGROUPS_MAX Active
> Directory groups.
> 
> set ngroups_max to at least the maximum number of groups a Active
> Directory user belongs to.
> 
> As an example, the following line in /etc/system will set ngroups_max
> to 128:
> 
> set ngroups_max = 128
> 
>  (a reboot is required after changing /etc/system).
> 
> 
> > 
> > # 
> > # smb.conf 
> > #======================= Global Settings
> > ===================================== [global] 
> > security = ADS 
> > workgroup = MYDOMAIN-AD 
> > server string = Samba Server on LEX 
> > server role = standalone server 
> > log file = /var/samba/log/log.%m 
> > max log size = 50 
> > realm = MYDOMAIN-AD.CTG.QUEENSU.CA 
> > passdb backend = tdbsam 
> > 
> > interfaces = 10.1.21.220/16 
> > bind interfaces only = yes 
> > wins support = no 
> > 
> > idmap config * : backend = tdb 
> > idmap config * : range = 3000-7999 
> > 
> > idmap config MYDOMAIN-AD : backend = nss 
> > idmap config MYDOMAIn-AD : range = 100000-999999 
> > 
> > # 
> > # 
> > # some output from: smbd -i -d3 
> > ....snip... 
> > ldb_wrap open of secrets.ldb 
> > check_ntlm_password: winbind authentication for user [teddy]
> > succeeded check_ntlm_password: authentication for user [teddy] ->
> > [teddy] -> [teddy] succeeded NTLMSSP Sign/Seal - Initialising with
> > flags: Got NTLMSSP neg_flags=0xe2088215 
> > NTLMSSP Sign/Seal - Initialising with flags: 
> > Got NTLMSSP neg_flags=0xe2088215 
> > Adding homes service for user 'teddy' using home directory:
> > '/home/teddy' adding home's share [teddy] for user 'teddy' at
> > '/home/teddy' Allowed connection from 10.0.61.1 (10.0.61.1) 
> > Connect path is '/tmp' for service [IPC$] 
> > Initialising default vfs hooks 
> > Initialising custom vfs hooks from [/[Default VFS]/] 
> > PANIC (pid 23738): sys_setgroups failed 
> > BACKTRACE: 22 stack frames: 
> > ....snip.... 
> > 
> 
> 

Did you actually read the OP's smb.conf ?
It is for a Unix domain member and the OP has explicitly set 'server
role = standalone server' and the wrong winbind backend for a Unix
domain member.
I am also unsure, but I think he may be trying to use the users in the
ldap machine in AD, this is never going to work.

I hope he is just testing at this time, if he is , I would suggest
upgrading Ubuntu to 18.04 and provision Samba on the DC again, but this
time read this first:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Then setup a new Unix member server following this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Migrate all the users and groups from the ldap server (or carry out a
classicupgrade, see here:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
)

Rowland

More information about the samba mailing list