Re: [Samba] sys_setgroups failed on Solaris 11
- Date: Thu, 7 Jun 2018 15:32:25 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
On Thu, 7 Jun 2018 10:04:41 -0400 (EDT)
Teddy Brown via samba <samba@xxxxxxxxxxxxxxx> wrote:
> I'm trying to create a new Samba server to share files. We currently
> have an instance of Samba 3.6 on another server which we are using
> but need to retire that server.
> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04.
> There are two domain controllers. Most of the PCs are joined to this
> AD domain.
Another one, sigh ;-)
If it is a new AD domain, why use an EOL version of Samba?
You would have been better off using 18.04 with Samba 4.7.6.
> Our user accounts and group memberships are maintained in an LDAP
> directory. On our Linux servers SSSD is used to authenticate and
Around here 'sssd' is a dirty word, it has nothing to do with Samba ;-)
> and Solaris servers use nsswitch ldap directly.
Why not use winbind?
> I've followed the instructions here to join the new Samba server
> (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> My hope is to use AD for authentication, but for the users & groups
> to be read by the Samba server OS as if our users were on Unix/Linux
> directly. Our current Samba 3.6 works this way. We assign permissions
> in Unix. We don't assign permissions using Windows.
> Anyways, when I connect it seems to work when I authenticate but then it
> bails on sys_setgroups.
> Not sure what to look for now. What information should I provide for
> # smb.conf
> #======================= Global Settings =====================================
> [global]
> security = ADS
> workgroup = MYDOMAIN-AD
> server string = Samba Server on LEX
> server role = standalone server
It cannot be a 'standalone server' and use 'security = ADS'
> log file = /var/samba/log/log.%m
> max log size = 50
> realm = MYDOMAIN-AD.CTG.QUEENSU.CA
> passdb backend = tdbsam
> interfaces = 10.1.21.220/16
> bind interfaces only = yes
> wins support = no
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN-AD : backend = nss
> idmap config MYDOMAIn-AD : range = 100000-999999
Why the 'nss' backend if you have added uidNumber & gidNumber
attributes to AD?
It should be 'ad'.
> # some output from: smbd -i -d3
> ldb_wrap open of secrets.ldb
> check_ntlm_password: winbind authentication for user [teddy] succeeded
> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xe2088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xe2088215
> Adding homes service for user 'teddy' using home directory: '/home/teddy'
> adding home's share [teddy] for user 'teddy' at '/home/teddy'
> Allowed connection from 10.0.61.1 (10.0.61.1)
> Connect path is '/tmp' for service [IPC$]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> PANIC (pid 23738): sys_setgroups failed
> BACKTRACE: 22 stack frames:
Try setting your Unix domain member's smb.conf correctly ;-)
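Added example, not part of the original message and not Samba's own code: a small pre-flight check that flags the two settings the reply objects to (`security = ADS` combined with a standalone server role, and an `nss` idmap backend for the AD domain). The helper names `parse_global` and `lint` are hypothetical, and the sample is constructed from the `[global]` settings quoted in the thread.

```python
import re

# Constructed sample: [global] settings copied from the smb.conf quoted above.
SAMPLE = """\
[global]
security = ADS
workgroup = MYDOMAIN-AD
server role = standalone server
realm = MYDOMAIN-AD.CTG.QUEENSU.CA
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN-AD : backend = nss
idmap config MYDOMAIn-AD : range = 100000-999999
"""

def parse_global(text):
    """Return {parameter: value} for [global] (hypothetical helper).

    Parameter names are lower-cased because smb.conf names are not
    case sensitive; spacing around ':' and between words is normalised.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", key.strip().lower())
            params[re.sub(r"\s+", " ", key)] = value.strip()
    return params

def lint(params):
    """Flag the two settings the reply objects to (hypothetical helper)."""
    findings = []
    ads = params.get("security", "").lower() == "ads"
    role = params.get("server role", "auto").lower()
    if ads and role.startswith("standalone"):
        findings.append("security = ADS used with server role = " + role)
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+) : backend", key)
        if ads and m and m.group(1) != "*" and value.lower() == "nss":
            findings.append("idmap backend for %s is nss; reply says ad" % m.group(1))
    return findings

if __name__ == "__main__":
    for finding in lint(parse_global(SAMPLE)):
        print("WARN:", finding)
```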