[Samba] sys_setgroups failed on Solaris 11

Teddy Brown tbrown at ctg.queensu.ca
Thu Jun 7 19:21:22 UTC 2018


Thanks for the feedback. This is not a testing environment. We deployed the Samba AD environment for our office PCs about one year ago. I am now trying to get the Samba file sharing into AD. 

We use our mixed Linux/Unix environment heavily. All permissions and ACLs are set in Solaris using NFS4 ACLs on a ZFS filesystem. Our users are in active directory but the groups are not. 

My understanding is that Winbind lets Linux see the users & group membership in AD, is this correct? The groups we have in AD are defined for use with GPOs. All file permissions are set on the filesystem directly. Our current Samba 3.6 file server seems to map my user "Samba teddy" == "Unix teddy" which is what I'd like for AD. Somehow just use "AD Teddy" = "Unix teddy" and give my Samba account the same access to the files that Unix teddy has. 


From: "samba" <samba at lists.samba.org> 
To: "samba" <samba at lists.samba.org> 
Sent: Thursday, June 7, 2018 12:04:06 PM 
Subject: Re: [Samba] sys_setgroups failed on Solaris 11 

On Thu, 7 Jun 2018 17:28:43 +0200 
Jean-Christophe Delaye via samba <samba at lists.samba.org> wrote: 

> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote: 
> > Hi, 
> > I'm trying to create a new Samba server to share files. We 
> > currently have an instance of Samba 3.6 on another server which we 
> > are using but need to retire that server. 
> > 
> > I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. 
> > There are two domain controllers. Most of the PCs are joined to 
> > this AD domain. 
> > 
> > Our user accounts and group memberships are maintained in an LDAP 
> > directory. On our Linux servers SSSD is used to authenticate and 
> > authorize and Solaris servers use nsswitch ldap directly. 
> > 
> > I've followed the instructions here to join the new Samba server 
> > (Samba 4.4.14 on Solaris 11.3) to the AD domain. 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
> > 
> > My hope is to use AD for authentication, but for the users & groups 
> > to be read by the Samba server OS as if our users were on 
> > Unix/Linux directly. Our current Samba 3.6 works this way. We 
> > assign permissions in Unix. We don't assign permissions using 
> > Windows. 
> > 
> > Anyways, when I connect it seems to work when I authenticate but then 
> > it bails on sys_setgroups. 
> > 
> > Not sure what to look for now. What information should I provide 
> > for help? 
> Samba may panic when a user is a member of more than NGROUPS_MAX Active 
> Directory groups. 
> 
> Set ngroups_max to at least the maximum number of groups an Active 
> Directory user belongs to. 
> 
> As an example, the following line in /etc/system will set ngroups_max 
> to 128: 
> 
> set ngroups_max = 128 
> 
> (a reboot is required after changing /etc/system). 
> 
> 
> > 
> > # 
> > # smb.conf 
> > #======================= Global Settings ===================================== 
> > [global] 
> > security = ADS 
> > workgroup = MYDOMAIN-AD 
> > server string = Samba Server on LEX 
> > server role = standalone server 
> > log file = /var/samba/log/log.%m 
> > max log size = 50 
> > realm = MYDOMAIN-AD.CTG.QUEENSU.CA 
> > passdb backend = tdbsam 
> > 
> > interfaces = 10.1.21.220/16 
> > bind interfaces only = yes 
> > wins support = no 
> > 
> > idmap config * : backend = tdb 
> > idmap config * : range = 3000-7999 
> > 
> > idmap config MYDOMAIN-AD : backend = nss 
> > idmap config MYDOMAIn-AD : range = 100000-999999 
> > 
> > # 
> > # 
> > # some output from: smbd -i -d3 
> > ....snip... 
> > ldb_wrap open of secrets.ldb 
> > check_ntlm_password: winbind authentication for user [teddy] succeeded 
> > check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded 
> > NTLMSSP Sign/Seal - Initialising with flags: 
> > Got NTLMSSP neg_flags=0xe2088215 
> > NTLMSSP Sign/Seal - Initialising with flags: 
> > Got NTLMSSP neg_flags=0xe2088215 
> > Adding homes service for user 'teddy' using home directory: '/home/teddy' 
> > adding home's share [teddy] for user 'teddy' at '/home/teddy' 
> > Allowed connection from 10.0.61.1 (10.0.61.1) 
> > Connect path is '/tmp' for service [IPC$] 
> > Initialising default vfs hooks 
> > Initialising custom vfs hooks from [/[Default VFS]/] 
> > PANIC (pid 23738): sys_setgroups failed 
> > BACKTRACE: 22 stack frames: 
> > ....snip.... 
> > 
> 
> 

Did you actually read the OP's smb.conf? 
It is for a Unix domain member and the OP has explicitly set 'server 
role = standalone server' and the wrong winbind backend for a Unix 
domain member. 
I am also unsure, but I think he may be trying to use the users in the 
ldap machine in AD; this is never going to work. 

I hope he is just testing at this time; if he is, I would suggest 
upgrading Ubuntu to 18.04 and provisioning Samba on the DC again, but this 
time read this first: 

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 

Then setup a new Unix member server following this: 

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 

Migrate all the users and groups from the ldap server (or carry out a 
classicupgrade, see here: 
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) 
) 

Rowland 


-- 
Teddy Brown 
Senior Applications Developer 
Systems Analyst 
Canadian Cancer Trials Group 
Queen's University 
10 Stuart St, Kingston ON, K7L 3N6 
(613) 533-6430 
Follow us: https://twitter.com/CDNCancerTrials | https://www.linkedin.com/company/canadiancancertrialsgroup | http://www.cctg.ca/ 
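Added example, not from the thread and not Samba's own code: a POSIX shell audit that runs the checks the two replies above point at. It works on a constructed smb.conf mirroring the posted [global] section (the sample text, the function names and the wording of the findings are mine, and the smb.conf path on the Solaris box is not stated in the thread, so none is assumed). It flags the 'standalone server' role and the per-domain idmap backend Rowland objects to, confirms the '*' and domain idmap ranges do not overlap, and tests a supplementary group list against an NGROUPS_MAX value, which is the condition Jean-Christophe's /etc/system advice addresses.

```shell
#!/bin/sh
# Added example for this thread, not code from Samba or from any poster.
# Nothing here touches a live Samba install; on the real host feed the
# functions "$(cat <your smb.conf>)" and "$(id -G teddy)" instead of the
# constructed sample below.

# Constructed sample mirroring the posted [global] section (not the OP's real file).
SAMPLE_SMBCONF='[global]
security = ADS
workgroup = MYDOMAIN-AD
server role = standalone server
realm = MYDOMAIN-AD.CTG.QUEENSU.CA
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN-AD : backend = nss
idmap config MYDOMAIn-AD : range = 100000-999999'

# smb_param CONF KEY: print the value of KEY in the smb.conf text CONF.
# Keys are compared case-insensitively with whitespace squeezed, so the
# "MYDOMAIn-AD" typo in the posted file still resolves here; fix the spelling
# in the real file rather than rely on any parser being this forgiving.
# (Solaris: use /usr/bin/nawk or /usr/xpg4/bin/awk; /usr/bin/awk lacks tolower.)
smb_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        function norm(s) {
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            return tolower(s)
        }
        BEGIN { key = norm(key) }
        /^[ \t]*[#;]/ { next }          # comment lines
        index($0, "=") == 0 { next }    # section headers and blank lines
        norm(substr($0, 1, index($0, "=") - 1)) == key {
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }'
}

# domain_member_role_ok ROLE: true when ROLE is the value smb.conf(5)
# documents for a domain member. 'standalone server' is what the OP set.
domain_member_role_ok() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        'member server') return 0 ;;
        *) return 1 ;;
    esac
}

# idmap_ranges_overlap "LO-HI" "LO-HI": true when the two ranges share an ID.
# The '*' range and every domain range must be disjoint.
idmap_ranges_overlap() {
    lo1=${1%-*} hi1=${1#*-} lo2=${2%-*} hi2=${2#*-}
    [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]
}

# over_ngroups_max "GID GID ..." LIMIT: true when the group list (for example
# the output of `id -G user`) has more entries than LIMIT. On the real host
# pass "$(getconf NGROUPS_MAX)" as LIMIT; on Solaris 11 the kernel value is
# raised with "set ngroups_max = N" in /etc/system followed by a reboot.
over_ngroups_max() {
    limit=$2
    set -- $1                     # split the GID list into positional args
    [ "$#" -gt "$limit" ]
}

# audit_smbconf CONF: print one finding per line for the points raised in the
# thread. Always returns 0; count the lines to get the number of findings.
audit_smbconf() {
    conf=$1
    role=$(smb_param "$conf" 'server role')
    if ! domain_member_role_ok "$role"; then
        echo "server role = '$role' is not a domain member role; use 'member server'"
    fi
    dom=$(smb_param "$conf" 'workgroup')
    star=$(smb_param "$conf" 'idmap config * : range')
    drange=$(smb_param "$conf" "idmap config $dom : range")
    if [ -n "$star" ] && [ -n "$drange" ] && idmap_ranges_overlap "$star" "$drange"; then
        echo "idmap range for '*' ($star) overlaps the $dom range ($drange)"
    fi
    case "$(smb_param "$conf" "idmap config $dom : backend")" in
        rid|ad) ;;
        *) echo "idmap backend for $dom is not rid or ad, the per-domain backends the domain-member wiki page describes" ;;
    esac
    return 0
}

# Run the audit against the constructed sample when executed directly.
audit_smbconf "$SAMPLE_SMBCONF"
```

On the OP's sample this prints two findings (the role and the nss backend); the ranges 3000-7999 and 100000-999999 do not overlap. To test the setgroups condition on the Solaris box, run over_ngroups_max "$(id -G teddy)" "$(getconf NGROUPS_MAX)" and, if it returns true, apply the /etc/system change from the reply above.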