[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?

Sat Oct 5 14:20:08 UTC 2019

On 05/10/2019 14:10, Rowland penny via samba wrote:
> On 05/10/2019 13:41, lejeczek via samba wrote:
>> hi everyone,
>>
>> I believe a resolution is there -
>> https://access.redhat.com/solutions/4367771
> Which is behind a paywall ;-)
>>
>> But what I'm hoping for is an expert would comment how
>> would this apply
>> to Samba with LDAP backend?
>
> What do you mean 'Samba with LDAP backend' ????
>
> You really shouldn't be running Samba with LDAP any more
> and the problem only occurred on a standalone server and
> was fixed here:
> https://bugzilla.samba.org/show_bug.cgi?id=13697
>
> Rowland
>
>>
>> many thanks, L.
>>
>
>
It's not a paywall, suffices to register with Redhat and to
this content access if free of charge.
Here:

Environment

    Red Hat Enterprise Linux 7

Issue

After upgrading to samba-4.9.1, samba failed to restart with
error messages like:
Raw

Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09
10:00:00.000000,  0]
../source3/auth/auth_util.c:1382(make_new_session_info_guest)
Nov 09 10:00:00 example.com smbd[13641]:  
create_local_token failed: NT_STATUS_ACCESS_DENIED
Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09
10:00:00.000200,  0] ../source3/smbd/server.c:2000(main)
Nov 09 10:00:00 example.com smbd[13641]:   ERROR: failed to
setup guest info.

Resolution

1) Ensure the id map is configured in smb.conf, like:
Raw

    [global]
      ...
      idmap config * : backend = tdb
      idmap config * : range 10000-199999
      idmap config DOMAIN : backend = autorid
      idmap config DOMAIN : range = 200000-2147483647

2) Map group BUILTIN\Guests to group nobody with following
command:
Raw

    # net -s /dev/null groupmap add sid=S-1-5-32-546
unixgroup=nobody type=builtin

3) Restart samba services and replicate the issue:
Raw

    # systemctl restart {smb,nmb,winbind}
    # smbclient //$(hostname)/<share> -U DOMAIN\\<user> -d10

Root Cause

    samba-4.9.x expands guest handling to differentiate
between anonymous and guest sessions. This required a proper
handling of BUILTIN\Guests.
    Old-style configuration does not handle BUILTIN\Guest.
Thus samba fails after upgrade when administrators unaware
of this change.

Diagnostic Steps

    Ensure the id map is configured in smb.conf, like:
    Raw

    [global]
      ...
      idmap config * : backend = tdb
      idmap config * : range 10000-199999
      idmap config DOMAIN : backend = autorid
      idmap config DOMAIN : range = 200000-2147483647

    Ensure the BUILTIN\Guests is mapped
    Raw

    net groupman list sid=S-1-5-32-546

Does not bother me shoulds and shouldnots, I'm doing it, and
facing a problem which I'd hope can be solved without
changing a lot. User db is in LDAP and winbind is not used.
many thanks, L.