Samba package 4.9.x samba smbd not playing with winbind.
Alexander Bokovoy
ab at samba.org
Tue Sep 25 10:02:28 UTC 2018
On ti, 25 syys 2018, L.P.H. van Belle via samba-technical wrote:
> hai,
>
> Im wondering, im having problem whil installing samba + winbind on a stand-alone setup.
> Everything is the default setting.
>
> I've reported it at debian.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909465
>
> Could someone have a look at this and tell me if im missing something here before im going in circles..
> To me this looks like a bug in samba itself and the detection of settings, in combination with detecting winbind itself.
> Do note, im not a dev, just my thoughts here.
There is a change 0b261dc4e3f2 in 4.9 that requires to have BUILTIN\Guests group always
to be mapped. We would map it automatically if our default idmap backend
is writable but if both group mapping and allocating IDs in a default
backend failed, we fail hard.
e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 736) /*
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 737) * Deal with the BUILTIN\Guests group. If the SID can
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 738) * be resolved then assume that the add_aliasmem( S-1-5-32 )
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 739) * handled it.
e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 740) */
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 741) status = pdb_get_aliasinfo(&global_sid_Builtin_Guests, info);
e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 742) if (!NT_STATUS_IS_OK(status)) {
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 743)
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 744) become_root();
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 745) status = create_builtin_guests(domain_sid);
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 746) unbecome_root();
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 747)
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 748) if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 749) /*
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 750) * Add BUILTIN\Guests directly to token.
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 751) * But only if the token already indicates
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 752) * real guest access by:
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 753) * - local GUEST account
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 754) * - local GUESTS group
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 755) * - domain GUESTS group
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 756) *
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 757) * Even if a user was authenticated, it
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 758) * can be member of a guest related group.
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 759) */
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 760) status = add_builtin_guests(result, domain_sid);
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 761) if (!NT_STATUS_IS_OK(status)) {
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 762) DEBUG(3, ("Failed to check for local "
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 763) "Guests membership (%s)\n",
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 764) nt_errstr(status)));
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 765) /*
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 766) * This is a hard error.
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 767) */
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 768) return status;
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 769) }
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 770) } else if (!NT_STATUS_IS_OK(status)) {
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 771) DEBUG(2, ("Failed to create "
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 772) "BUILTIN\\Guests group %s! Can "
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 773) "Winbind allocate gids?\n",
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 774) nt_errstr(status)));
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 775) /*
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 776) * This is a hard error.
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 777) */
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 778) return status;
0b261dc4e3f2 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 779) }
e8dc55d2b969 (Stefan Metzmacher 2018-03-06 23:26:28 +0100 780) }
An easy way to fix it is by running the following command:
net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list