
Re: [Samba] sys_setgroups failed on Solaris 11




If you have an Oracle support contract, the Solaris 11 updates should bring you up to samba 4.6.x or 4.7.x. You may get warnings about NGROUPS_MAX exceeding 16 but it should not cause samba to crash (I have several Solaris 11 machines). This should have been fixed since Samba 3.6.x if not earlier.


My /etc/nsswitch.conf file includes

    passwd: files ldap winbind
    group:  files ldap winbind



This does mean that "getent" shows double users, but this is not a problem if the uidNumber and gidNumber are set.

    # getent passwd | grep myname
    myname:x:123:518::/home/myname:/bin/bash
    MYDOMAIN\mydomain:*:123:518:Firstname Lastname:/home/MYDOMAIN/myname:/bin/false


My smb.conf includes

   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 100-1999



This allows us to have consistent permissions between NFS and Windows clients.


Originally we were in a classic domain (Samba domain controllers with Oracle's LDAP server as the backend for unix and samba accounts.)  We reconfigured as an AD domain, with Windows servers as domain controllers.  But it shouldn't change the unix-to-windows mapping approach.








On 06/07/18 11:28, Jean-Christophe Delaye via samba wrote:
On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
Hi,
I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server.

I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain.

Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize and Solaris servers use nsswitch ldap directly.

I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows.

Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups.

Not sure what to look for now. What information should I provide for help?
Samba may panic when user is a member of more than NGROUPS_MAX Active
Directory groups.

Set ngroups_max to at least the maximum number of groups an Active
Directory user belongs to.

As an example, the following line in /etc/system will set ngroups_max to
128:

set ngroups_max = 128

  (a reboot is required after changing /etc/system).


#
# smb.conf
#======================= Global Settings =====================================
[global]
security = ADS
workgroup = MYDOMAIN-AD
server string = Samba Server on LEX
server role = standalone server
log file = /var/samba/log/log.%m
max log size = 50
realm = MYDOMAIN-AD.CTG.QUEENSU.CA
passdb backend = tdbsam

interfaces = 10.1.21.220/16
bind interfaces only = yes
wins support = no

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config MYDOMAIN-AD : backend = nss
idmap config MYDOMAIn-AD : range = 100000-999999

#
#
# some output from: smbd -i -d3
....snip...
ldb_wrap open of secrets.ldb
check_ntlm_password: winbind authentication for user [teddy] succeeded
check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088215
Adding homes service for user 'teddy' using home directory: '/home/teddy'
adding home's share [teddy] for user 'teddy' at '/home/teddy'
Allowed connection from 10.0.61.1 (10.0.61.1)
Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
PANIC (pid 23738): sys_setgroups failed
BACKTRACE: 22 stack frames:
....snip....



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
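
The group-limit condition discussed in this thread can be checked before a user ever connects. The script below is an added example, not part of the original messages or of Samba; its function names and the sample group data are constructed for illustration, and it assumes `getent group` enumerates every group source on the host.

```shell
#!/bin/sh
# Flag users whose supplementary group count exceeds a group limit.
# Input is group(4)-format text (name:passwd:gid:member,member,...),
# as printed by `getent group`. Function names are this example's own.

# Print how many group entries on stdin list USER as a member.
# The primary group is counted only if it lists USER explicitly.
count_memberships() {
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { c++; break } }
        END { print c + 0 }'
}

# Print "USER COUNT LIMIT STATUS"; return 1 when COUNT exceeds LIMIT.
check_user() {
    user=$1
    limit=$2
    count=$(count_memberships "$user")
    if [ "$count" -gt "$limit" ]; then
        echo "$user $count $limit OVER"
        return 1
    fi
    echo "$user $count $limit ok"
}

# Constructed sample data: "teddy" is in 17 groups, "alice" in 2.
# "teddy2" checks that member names are matched exactly.
sample_groups() {
    i=1
    while [ "$i" -le 17 ]; do
        echo "grp$i:x:$((1000 + i)):teddy,bob"
        i=$((i + 1))
    done
    echo "staff:x:10:alice,teddy2"
    echo "admins:x:11:alice"
}

# Demo against the sample, using the limit of 16 mentioned in the thread.
for u in teddy alice; do
    sample_groups | check_user "$u" 16 || true
done

# On a live host:
#   getent group | check_user teddy "$(getconf NGROUPS_MAX)"
```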