[Samba] sys_setgroups failed on Solaris 11
Rowland Penny
rpenny at samba.org
Thu Jun 7 16:04:06 UTC 2018
On Thu, 7 Jun 2018 17:28:43 +0200
Jean-Christophe Delaye via samba <samba at lists.samba.org> wrote:
> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
> > Hi,
> > I'm trying to create a new Samba server to share files. We
> > currently have an instance of Samba 3.6 on another server which we
> > are using but need to retire that server.
> >
> > I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04.
> > There are two domain controllers. Most of the PCs are joined to
> > this AD domain.
> >
> > Our user accounts and group memberships are maintained in an LDAP
> > directory. On our Linux servers SSSD is used to authenticate and
> > authorize and Solaris servers use nsswitch ldap directly.
> >
> > I've followed the instructions here to join the new Samba server
> > (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > My hope is to use AD for authentication, but for the users & groups
> > to be read by the Samba server OS as if our users were on
> > Unix/Linux directly. Our current Samba 3.6 works this way. We
> > assign permissions in Unix. We don't assign permissions using
> > Windows.
> >
> > Anyways, when I connect it seems to work when I authenticate but then
> > it bails on sys_setgroups.
> >
> > Not sure what to look for now. What information should I provide
> > for help?
> Samba may panic when a user is a member of more than NGROUPS_MAX Active
> Directory groups.
>
> Set ngroups_max to at least the maximum number of groups an Active
> Directory user belongs to.
>
> As an example, the following line in /etc/system will set ngroups_max
> to 128:
>
> set ngroups_max = 128
>
> (a reboot is required after changing /etc/system).
>
>
> >
> > #
> > # smb.conf
> > #======================= Global Settings =====================================
> > [global]
> > security = ADS
> > workgroup = MYDOMAIN-AD
> > server string = Samba Server on LEX
> > server role = standalone server
> > log file = /var/samba/log/log.%m
> > max log size = 50
> > realm = MYDOMAIN-AD.CTG.QUEENSU.CA
> > passdb backend = tdbsam
> >
> > interfaces = 10.1.21.220/16
> > bind interfaces only = yes
> > wins support = no
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> >
> > idmap config MYDOMAIN-AD : backend = nss
> > idmap config MYDOMAIn-AD : range = 100000-999999
> >
> > #
> > #
> > # some output from: smbd -i -d3
> > ....snip...
> > ldb_wrap open of secrets.ldb
> > check_ntlm_password: winbind authentication for user [teddy] succeeded
> > check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0xe2088215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0xe2088215
> > Adding homes service for user 'teddy' using home directory: '/home/teddy'
> > adding home's share [teddy] for user 'teddy' at '/home/teddy'
> > Allowed connection from 10.0.61.1 (10.0.61.1)
> > Connect path is '/tmp' for service [IPC$]
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > PANIC (pid 23738): sys_setgroups failed
> > BACKTRACE: 22 stack frames:
> > ....snip....
> >
>
>
Did you actually read the OP's smb.conf?
It is for a Unix domain member and the OP has explicitly set 'server
role = standalone server' and the wrong winbind backend for a Unix
domain member.
I am also unsure, but I think he may be trying to use the users in the
ldap machine in AD; this is never going to work.
I hope he is just testing at this time; if he is, I would suggest
upgrading Ubuntu to 18.04 and provisioning Samba on the DC again, but this
time read this first:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Then set up a new Unix member server following this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Migrate all the users and groups from the ldap server (or carry out a
classicupgrade, see here:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade))
Rowland
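
The NGROUPS_MAX explanation quoted earlier in this thread can be checked on the member server before changing /etc/system. The script below is an added example, not part of any message in the thread: it compares the number of distinct groups the OS resolves for a user with the kernel limit. The function names and the sample gid list are constructed, and `id -G` and `getconf NGROUPS_MAX` are assumed to be available on the host.

```shell
#!/bin/sh
# Added example (not from the thread): does a user's group list fit NGROUPS_MAX?

# Limit the running kernel enforces on supplementary groups per process.
ngroups_limit() {
    getconf NGROUPS_MAX
}

# Count distinct numeric gids in a space-separated list such as `id -G` prints
# (that list includes the primary gid). Duplicates and blanks are ignored.
count_gids() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | grep '^[0-9][0-9]*$' \
        | sort -un | wc -l | tr -d ' '
}

# verdict USER COUNT LIMIT: print a one-line result, return 1 if over the limit.
verdict() {
    if [ "$2" -gt "$3" ]; then
        echo "$1: $2 groups > NGROUPS_MAX=$3 (setgroups() is expected to fail)"
        return 1
    fi
    echo "$1: $2 groups <= NGROUPS_MAX=$3"
}

# check_user USER [LIMIT]: resolve USER through nsswitch and test against
# LIMIT, defaulting to the running kernel's value.
check_user() {
    gids=$(id -G "$1") || return 2
    verdict "$1" "$(count_gids "$gids")" "${2:-$(ngroups_limit)}"
}

# Constructed sample: 5 entries with one duplicate, so 4 distinct gids.
SAMPLE_GIDS="100000 100513 100512 100513 100519"

if [ $# -gt 0 ]; then
    check_user "$@"
else
    # 128 is the ngroups_max value from the /etc/system line quoted above.
    verdict sample "$(count_gids "$SAMPLE_GIDS")" 128
fi
```

Run it with the account name from the failing connection as the first argument; an optional second argument tests against a planned limit instead of the current one.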