
Re: [Samba] sys_setgroups failed on Solaris 11




On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
> Hi, 
> I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server. 
> 
> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain. 
> 
> Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize and Solaris servers use nsswitch ldap directly. 
> 
> I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain. 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
> 
> My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows. 
> 
> Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups. 
> 
> Not sure what to look for now. What information should I provide for help? 
Samba may panic when a user is a member of more than NGROUPS_MAX Active
Directory groups.

Set ngroups_max to at least the maximum number of groups an Active
Directory user belongs to.

As an example, the following line in /etc/system will set ngroups_max to
128:

set ngroups_max = 128

 (a reboot is required after changing /etc/system).


> 
> # 
> # smb.conf 
> #======================= Global Settings ===================================== 
> [global] 
> security = ADS 
> workgroup = MYDOMAIN-AD 
> server string = Samba Server on LEX 
> server role = standalone server 
> log file = /var/samba/log/log.%m 
> max log size = 50 
> realm = MYDOMAIN-AD.CTG.QUEENSU.CA 
> passdb backend = tdbsam 
> 
> interfaces = 10.1.21.220/16 
> bind interfaces only = yes 
> wins support = no 
> 
> idmap config * : backend = tdb 
> idmap config * : range = 3000-7999 
> 
> idmap config MYDOMAIN-AD : backend = nss 
> idmap config MYDOMAIn-AD : range = 100000-999999 
> 
> # 
> # 
> # some output from: smbd -i -d3 
> ....snip... 
> ldb_wrap open of secrets.ldb 
> check_ntlm_password: winbind authentication for user [teddy] succeeded 
> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded 
> NTLMSSP Sign/Seal - Initialising with flags: 
> Got NTLMSSP neg_flags=0xe2088215 
> NTLMSSP Sign/Seal - Initialising with flags: 
> Got NTLMSSP neg_flags=0xe2088215 
> Adding homes service for user 'teddy' using home directory: '/home/teddy' 
> adding home's share [teddy] for user 'teddy' at '/home/teddy' 
> Allowed connection from 10.0.61.1 (10.0.61.1) 
> Connect path is '/tmp' for service [IPC$] 
> Initialising default vfs hooks 
> Initialising custom vfs hooks from [/[Default VFS]/] 
> PANIC (pid 23738): sys_setgroups failed 
> BACKTRACE: 22 stack frames: 
> ....snip.... 
> 
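
A pre-check for the condition described in the reply above, as an added example that is not part of the original thread: it lists accounts whose group count exceeds a given limit. The function names and the sample accounts are hypothetical, and the live path assumes POSIX `getconf NGROUPS_MAX` and `id -G` are available.

```shell
#!/bin/sh
# Added example (not from the thread): list accounts whose group count
# exceeds a limit such as the kernel's ngroups_max.

# over_limit LIMIT
# Reads "user gid gid ..." lines on stdin and prints "user count" for every
# account that has more than LIMIT groups.
over_limit() {
    limit=$1
    while read -r user gids; do
        [ -n "$user" ] || continue
        # Word-split the gid list into positional parameters to count it.
        set -- $gids
        if [ "$#" -gt "$limit" ]; then
            printf '%s %d\n' "$user" "$#"
        fi
    done
}

# live_report USER...
# Runs real accounts through over_limit using the running system's limit.
# Assumption: POSIX getconf and id -G; on Solaris the POSIX id may be
# /usr/xpg4/bin/id rather than /usr/bin/id.
live_report() {
    sys_limit=$(getconf NGROUPS_MAX) || return 1
    for u in "$@"; do
        printf '%s %s\n' "$u" "$(id -G "$u" 2>/dev/null)"
    done | over_limit "$sys_limit"
}

# Constructed sample data: alice has 3 groups, bob 18, carol 16.
sample_input() {
    cat <<'EOF'
alice 100 101 102
bob 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117
carol 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115
EOF
}

# With user names as arguments, check them against the live system;
# otherwise run the constructed sample against a sample limit of 16.
if [ "$#" -gt 0 ]; then
    live_report "$@"
else
    sample_input | over_limit 16
fi
```

The count is what the OS name service resolves for the account, so run it on the Samba host itself and for the accounts that actually connect.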

