Re: [Samba] sys_setgroups failed on Solaris 11
- Date: Thu, 7 Jun 2018 11:55:49 -0400
- From: Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] sys_setgroups failed on Solaris 11
If you have an Oracle support contract, the Solaris 11 updates should bring you up to samba 4.6.x or 4.7.x. You may get warnings about NGROUPS_MAX exceeding 16 but it should not cause samba to crash (I have several Solaris 11 machines.) This should have been fixed since Samba 3.6.x if not earlier.
My /etc/nsswitch.conf file includes

    passwd: files ldap winbind
    group: files ldap winbind

This does mean that "getent" shows double users, but this is not a problem if the uidNumber and gidNumber are set.

    # getent passwd | grep myname
    myname:x:123:518::/home/myname:/bin/bash
    MYDOMAIN\mydomain:*:123:518:Firstname Lastname:/home/MYDOMAIN/myname:/bin/false

My smb.conf includes

    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 100-1999

This allows us to have consistent permissions between NFS and Windows clients.
Originally we were in a classic domain (Samba domain controllers with Oracle's LDAP server as the backend for unix and samba accounts.) We reconfigured as an AD domain, with Windows servers as domain controllers. But it shouldn't change the unix-to-windows mapping approach.
On 06/07/18 11:28, Jean-Christophe Delaye via samba wrote:
> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
> > Hi,
> >
> > I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server.
> >
> > I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain.
> >
> > Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize and Solaris servers use nsswitch ldap directly.
> >
> > I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows.
> >
> > Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups. Not sure what to look for now. What information should I provide for help?
>
> Samba may panic when a user is a member of more than NGROUPS_MAX Active Directory groups. Set ngroups_max to at least the maximum number of groups an Active Directory user belongs to.
>
> As an example, the following line in /etc/system will set ngroups_max to 128:
>
>     set ngroups_max = 128
>
> (a reboot is required after changing /etc/system).
>
> > #
> > # smb.conf
> > #======================= Global Settings =====================================
> > [global]
> > security = ADS
> > workgroup = MYDOMAIN-AD
> > server string = Samba Server on LEX
> > server role = standalone server
> > log file = /var/samba/log/log.%m
> > max log size = 50
> > realm = MYDOMAIN-AD.CTG.QUEENSU.CA
> > passdb backend = tdbsam
> > interfaces = 10.1.21.220/16
> > bind interfaces only = yes
> > wins support = no
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config MYDOMAIN-AD : backend = nss
> > idmap config MYDOMAIn-AD : range = 100000-999999
> > #
> > #
> > # some output from: smbd -i -d3
> > ....snip...
> > ldb_wrap open of secrets.ldb
> > check_ntlm_password: winbind authentication for user [teddy] succeeded
> > check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0xe2088215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0xe2088215
> > Adding homes service for user 'teddy' using home directory: '/home/teddy'
> > adding home's share [teddy] for user 'teddy' at '/home/teddy'
> > Allowed connection from 10.0.61.1 (10.0.61.1)
> > Connect path is '/tmp' for service [IPC$]
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > PANIC (pid 23738): sys_setgroups failed
> > BACKTRACE: 22 stack frames:
> > ....snip....
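
A pre-flight check for the NGROUPS_MAX limit discussed in the quoted reply, as an added example that is not part of the original messages: it counts the unique gids the server OS resolves for a user (duplicates from several nsswitch sources are collapsed) and compares the count with the limit. The function names classify_groups and check_user are hypothetical, and the script assumes POSIX `id -G` and `getconf` are on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# classify_groups LIMIT
# Reads gids (whitespace or newline separated) on stdin, drops duplicates and
# non-numeric tokens, and prints: unique=N limit=L status=ok|at-limit|over
classify_groups() {
    limit=$1
    unique=$(tr -s ' \t' '\n\n' | grep -E '^[0-9]+$' | sort -un | wc -l | tr -d ' ')
    if [ "$unique" -gt "$limit" ]; then
        status=over        # setgroups() with this many gids would be rejected
    elif [ "$unique" -eq "$limit" ]; then
        # Reported separately: a tool that caps its output at the limit would
        # hide an overflow (assumption about the local id implementation).
        status=at-limit
    else
        status=ok
    fi
    printf 'unique=%s limit=%s status=%s\n' "$unique" "$limit" "$status"
}

# check_user USER [LIMIT]
# Resolves USER through the configured name services, as smbd's host would.
# id -G lists the primary gid too, so the count is slightly conservative.
check_user() {
    user=$1
    limit=${2:-$(getconf NGROUPS_MAX)}
    printf '%s: ' "$user"
    id -G "$user" | classify_groups "$limit"
}

# Usage: sh check_ngroups.sh teddy otheruser ...
for user in "$@"; do
    check_user "$user"
done
```

Run it on the file server itself, after winbind or LDAP is configured, so the gid list matches what smbd will hand to setgroups.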