
Re: [Samba] sys_setgroups failed on Solaris 11




On Thu, 7 Jun 2018 10:04:41 -0400 (EDT)
Teddy Brown via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi, 
> I'm trying to create a new Samba server to share files. We currently
> have an instance of Samba 3.6 on another server which we are using
> but need to retire that server. 
> 
> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04.
> There are two domain controllers. Most of the PCs are joined to this
> AD domain. 
> 

Another one, sigh ;-)
If it is a new AD domain, why use an EOL version of Samba?
You would have been better off using 18.04 with Samba 4.7.6.


> Our user accounts and group memberships are maintained in an LDAP
> directory. On our Linux servers SSSD is used to authenticate and
> authorize

Around here 'sssd' is a dirty word, it has nothing to do with Samba ;-)

> and Solaris servers use nsswitch ldap directly.

Why not use winbind?
 
> 
> I've followed the instructions here to join the new Samba server
> (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
> 
> My hope is to use AD for authentication, but for the users & groups
> to be read by the Samba server OS as if our users were on Unix/Linux
> directly. Our current Samba 3.6 works this way. We assign permissions
> in Unix. We don't assign permissions using Windows. 
> 
> Anyways, when I connect it seems to work when I authenticate but then it
> bails on sys_setgroups. 
> 
> Not sure what to look for now. What information should I provide for
> help? 
> 
> # 
> # smb.conf 
> #======================= Global Settings =====================================
> [global] 
> security = ADS 
> workgroup = MYDOMAIN-AD 
> server string = Samba Server on LEX 
> server role = standalone server

It cannot be a 'standalone server' and use 'security = ADS'
 
> log file = /var/samba/log/log.%m 
> max log size = 50 
> realm = MYDOMAIN-AD.CTG.QUEENSU.CA 
> passdb backend = tdbsam 
> 
> interfaces = 10.1.21.220/16 
> bind interfaces only = yes 
> wins support = no 
> 
> idmap config * : backend = tdb 
> idmap config * : range = 3000-7999 
> 
> idmap config MYDOMAIN-AD : backend = nss 
> idmap config MYDOMAIn-AD : range = 100000-999999 

Why the 'nss' backend if you have added uidNumber & gidNumber
attributes to AD?
It should be 'ad'.

> 
> # 
> # 
> # some output from: smbd -i -d3 
> ....snip... 
> ldb_wrap open of secrets.ldb 
> check_ntlm_password: winbind authentication for user [teddy] succeeded 
> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded 
> NTLMSSP Sign/Seal - Initialising with flags: 
> Got NTLMSSP neg_flags=0xe2088215 
> NTLMSSP Sign/Seal - Initialising with flags: 
> Got NTLMSSP neg_flags=0xe2088215 
> Adding homes service for user 'teddy' using home directory: '/home/teddy' 
> adding home's share [teddy] for user 'teddy' at '/home/teddy' 
> Allowed connection from 10.0.61.1 (10.0.61.1) 
> Connect path is '/tmp' for service [IPC$] 
> Initialising default vfs hooks 
> Initialising custom vfs hooks from [/[Default VFS]/] 
> PANIC (pid 23738): sys_setgroups failed 
> BACKTRACE: 22 stack frames: 
> ....snip.... 
> 

Try setting your Unix domain member's smb.conf correctly ;-)

Rowland
