[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?

lejeczek peljasz at yahoo.co.uk
Mon Oct 7 08:19:49 UTC 2019


On 05/10/2019 15:20, lejeczek via samba wrote:
>
> On 05/10/2019 14:10, Rowland penny via samba wrote:
>> On 05/10/2019 13:41, lejeczek via samba wrote:
>>> hi everyone,
>>>
>>> I believe a resolution is there -
>>> https://access.redhat.com/solutions/4367771
>> Which is behind a paywall ;-)
>>> But what I'm hoping for is an expert would comment how
>>> would this apply
>>> to Samba with LDAP backend?
>> What do you mean 'Samba with LDAP backend' ????
>>
>> You really shouldn't be running Samba with LDAP any more
>> and the problem only occurred on a standalone server and
>> was fixed here:
>> https://bugzilla.samba.org/show_bug.cgi?id=13697
>>
>> Rowland
>>
>>> many thanks, L.
>>>
>>
> It's not a paywall, suffices to register with Red Hat and to
> this content access is free of charge.
> Here:
>
> Environment
>
>     Red Hat Enterprise Linux 7
>
> Issue
>
> After upgrading to samba-4.9.1, samba failed to restart with
> error messages like:
>
> Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09 10:00:00.000000,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> Nov 09 10:00:00 example.com smbd[13641]:   create_local_token failed: NT_STATUS_ACCESS_DENIED
> Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09 10:00:00.000200,  0] ../source3/smbd/server.c:2000(main)
> Nov 09 10:00:00 example.com smbd[13641]:   ERROR: failed to setup guest info.
>
> Resolution
>
> 1) Ensure the id map is configured in smb.conf, like:
>
>     [global]
>       ...
>       idmap config * : backend = tdb
      idmap config * : range = 10000-199999
>       idmap config DOMAIN : backend = autorid
>       idmap config DOMAIN : range = 200000-2147483647
>
> 2) Map group BUILTIN\Guests to group nobody with following
> command:
>
>     # net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
>
> 3) Restart samba services and replicate the issue:
>
>     # systemctl restart {smb,nmb,winbind}
>     # smbclient //$(hostname)/<share> -U DOMAIN\\<user> -d10
>
> Root Cause
>
>     samba-4.9.x expands guest handling to differentiate
> between anonymous and guest sessions. This required a proper
> handling of BUILTIN\Guests.
>     Old-style configuration does not handle BUILTIN\Guest.
> Thus samba fails after upgrade when administrators are unaware
> of this change.
>
> Diagnostic Steps
>
>     Ensure the id map is configured in smb.conf, like:
>
>     [global]
>       ...
>       idmap config * : backend = tdb
      idmap config * : range = 10000-199999
>       idmap config DOMAIN : backend = autorid
>       idmap config DOMAIN : range = 200000-2147483647
>
>     Ensure the BUILTIN\Guests is mapped
>
    net groupmap list sid=S-1-5-32-546
>
>
> Does not bother me shoulds and shouldnots, I'm doing it, and
> facing a problem which I'd hope can be solved without
> changing a lot. User db is in LDAP and winbind is not used.
> many thanks, L.
>
>
>
any experts roaming around?

To make it a bit bizarre - it only happens to one of the three Sambas
which are virtually identical (same versions on the same Centoses). LDAP
user db replicates so all three Sambas see the same stuff yet only one
fails spitting errors as in the subject.

Would there be something outside of LDAP which might be different on the
one Samba which is the root problem?

many thanks, L.
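
An added example, not part of the original message or of the Red Hat article: a small Python check for the "idmap config" lines discussed above, which can be run over each server's smb.conf text to compare them. The function name check_idmap and the sample text are constructed for illustration; it flags lines without "=", malformed ranges, backends with no valid range, and overlapping ranges.

```python
import re

# Constructed sample modeled on the idmap block quoted above; the "*" range
# line is deliberately written without "=" to show the check firing.
SAMPLE = """\
[global]
  idmap config * : backend = tdb
  idmap config * : range 10000-199999
  idmap config DOMAIN : backend = autorid
  idmap config DOMAIN : range = 200000-2147483647
"""

def check_idmap(text):
    """Return (ranges, problems) for the 'idmap config' lines of smb.conf text."""
    ranges, backends, problems = {}, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("idmap config"):
            continue
        if "=" not in line:  # smb.conf parameters are written "name = value"
            problems.append(f"line {n}: no '=' in {line!r}")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        domain, _, option = key[len("idmap config"):].partition(":")
        domain, option = domain.strip(), option.strip().lower()
        if option == "backend":
            backends[domain] = value
        elif option == "range":
            m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if not m or int(m[1]) > int(m[2]):
                problems.append(f"line {n}: bad range {value!r}")
            else:
                ranges[domain] = (int(m[1]), int(m[2]))
    for dom in backends:  # every configured backend should have a valid range
        if dom not in ranges:
            problems.append(f"domain {dom}: backend set but no valid range")
    ordered = sorted(ranges, key=ranges.get)
    for a, b in zip(ordered, ordered[1:]):  # idmap ranges must not overlap
        if ranges[b][0] <= ranges[a][1]:
            problems.append(f"ranges for {a} and {b} overlap")
    return ranges, problems

if __name__ == "__main__":
    for problem in check_idmap(SAMPLE)[1]:
        print(problem)
```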


