[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
lejeczek
peljasz at yahoo.co.uk
Sat Oct 5 14:20:08 UTC 2019
On 05/10/2019 14:10, Rowland penny via samba wrote:
> On 05/10/2019 13:41, lejeczek via samba wrote:
>> hi everyone,
>>
>> I believe a resolution is there -
>> https://access.redhat.com/solutions/4367771
> Which is behind a paywall ;-)
>>
>> But what I'm hoping for is an expert would comment how
>> would this apply
>> to Samba with LDAP backend?
>
> What do you mean 'Samba with LDAP backend' ????
>
> You really shouldn't be running Samba with LDAP any more
> and the problem only occurred on a standalone server and
> was fixed here:
> https://bugzilla.samba.org/show_bug.cgi?id=13697
>
> Rowland
>
>>
>> many thanks, L.
>>
>
>
It's not a paywall; it suffices to register with Red Hat, and
access to this content is free of charge.
Here:
Environment
Red Hat Enterprise Linux 7
Issue
After upgrading to samba-4.9.1, samba failed to restart with
error messages like:
Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09 10:00:00.000000, 0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
Nov 09 10:00:00 example.com smbd[13641]: create_local_token failed: NT_STATUS_ACCESS_DENIED
Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09 10:00:00.000200, 0] ../source3/smbd/server.c:2000(main)
Nov 09 10:00:00 example.com smbd[13641]: ERROR: failed to setup guest info.
Resolution
1) Ensure the id map is configured in smb.conf, like:
[global]
...
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config DOMAIN : backend = autorid
idmap config DOMAIN : range = 200000-2147483647
2) Map group BUILTIN\Guests to group nobody with the following
command:
# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
3) Restart samba services and replicate the issue:
# systemctl restart {smb,nmb,winbind}
# smbclient //$(hostname)/<share> -U DOMAIN\\<user> -d10
Root Cause
samba-4.9.x expands guest handling to differentiate
between anonymous and guest sessions. This required a proper
handling of BUILTIN\Guests.
Old-style configuration does not handle BUILTIN\Guests.
Thus samba fails after upgrade when administrators are unaware
of this change.
Diagnostic Steps
Ensure the id map is configured in smb.conf, like:
[global]
...
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config DOMAIN : backend = autorid
idmap config DOMAIN : range = 200000-2147483647
Ensure the BUILTIN\Guests is mapped
net groupmap list sid=S-1-5-32-546
The shoulds and shouldn'ts do not bother me; I'm doing it, and
facing a problem which I'd hope can be solved without
changing a lot. The user db is in LDAP and winbind is not used.
many thanks, L.
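
Added example, not part of the original message or of the Red Hat article: an offline check of the "idmap config" lines described in the Diagnostic Steps above, reporting lines without "=", domains with no backend or usable range, and overlapping id ranges. The function name check_idmap and the sample text are assumptions made for this illustration; it reads only plain "idmap config" lines and does not follow include directives.

```python
import re

# Constructed sample for this example: one range line lacks its "=".
SAMPLE = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range 10000-199999
    idmap config DOMAIN : backend = autorid
    idmap config DOMAIN : range = 200000-2147483647
"""

IDMAP = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(.*?)\s*$", re.I)

def check_idmap(conf_text):
    """Return (settings, problems) for the idmap lines of an smb.conf text."""
    settings, problems = {}, []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = IDMAP.match(line)  # comment lines (# or ;) never match
        if not m:
            continue
        dom, rest = m.groups()
        if "=" not in rest:
            # Without "=", the line is not a valid parameter assignment.
            problems.append(f"line {n}: missing '=' in {line.strip()!r}")
            continue
        key, val = (s.strip() for s in rest.split("=", 1))
        settings.setdefault(dom.upper(), {})[key.lower()] = val
    if "*" not in settings:
        problems.append("no default ('*') idmap domain")
    ranges = []
    for dom, opts in settings.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m[1]) >= int(m[2]):
            problems.append(f"{dom}: no valid range")
            continue
        ranges.append((int(m[1]), int(m[2]), dom))
    ranges.sort()
    # Adjacent pairs after sorting are enough to find any overlap.
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} and {d2}: overlapping id ranges")
    return settings, problems

if __name__ == "__main__":
    for p in check_idmap(SAMPLE)[1]:
        print(p)
```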