Web lists-archives.com

Re: [Samba] sys_setgroups failed on Solaris 11




I'm using an EOL version of Samba because it was at the time of installation the latest versions available from Solaris 11.3 (which is the server which has the files and permissions on a ZFS filesystem with NFS4 ACLs) and Ubuntu 16.04 (which is running our domain controllers). 

It appears 4.4 is the latest version available from Oracle. 

We have 3 of the Ubuntu servers with role "active directory domain controller". If I upgrade them one-by-one to 18.04 what effect will this have on the domain environment? Will I need to take any action on the Samba AD? 


From: "samba" <samba@xxxxxxxxxxxxxxx> 
To: "samba" <samba@xxxxxxxxxxxxxxx> 
Sent: Thursday, June 7, 2018 10:32:25 AM 
Subject: Re: [Samba] sys_setgroups failed on Solaris 11 

On Thu, 7 Jun 2018 10:04:41 -0400 (EDT) 
Teddy Brown via samba <samba@xxxxxxxxxxxxxxx> wrote: 

> Hi, 
> I'm trying to create a new Samba server to share files. We currently 
> have an instance of Samba 3.6 on another server which we are using 
> but need to retire that server. 
> 
> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. 
> There are two domain controllers. Most of the PCs are joined to this 
> AD domain. 
> 

Another one, sigh ;-) 
If it is new AD Domain, why use an EOL version of Samba ??? 
you would have been better off using 18.04 with Samba 4.7.6 


> Our user accounts and group memberships are maintained in an LDAP 
> directory. On our Linux servers SSSD is used to authenticate and 
> authorize 

Around here 'sssd' is a dirty word, it has nothing to do with Samba ;-) 

> and Solaris servers use nsswitch ldap directly. 

Why not use winbind ? 

> 
> I've followed the instructions here to join the new Samba server 
> (Samba 4.4.14 on Solaris 11.3) to the AD domain. 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
> 
> My hope is to use AD for authentication, but for the users & groups 
> to be read by the Samba server OS as if our users were on Unix/Linux 
> directly. Our current Samba 3.6 works this way. We assign permissions 
> in Unix. We don't assign permissions using Windows. 
> 
> Anyways, when I connect it seems work when I authenticate but then it 
> bails on sys_setgroups. 
> 
> Not sure what to look for now. What information should I provide for 
> help? 
> 
> # 
> # smb.conf 
> #======================= Global Settings 
> ===================================== [global] 
> security = ADS 
> workgroup = MYDOMAIN-AD 
> server string = Samba Server on LEX 
> server role = standalone server 

It cannot be a 'standalone server' and use 'security = ADS' 

> log file = /var/samba/log/log.%m 
> max log size = 50 
> realm = MYDOMAIN-AD.CTG.QUEENSU.CA 
> passdb backend = tdbsam 
> 
> interfaces = 10.1.21.220/16 
> bind interfaces only = yes 
> wins support = no 
> 
> idmap config * : backend = tdb 
> idmap config * : range = 3000-7999 
> 
> idmap config MYDOMAIN-AD : backend = nss 
> idmap config MYDOMAIn-AD : range = 100000-999999 

Why the 'nss' backend if you have added uidNumber & gidNumber 
attributes to AD ? 
It should be 'ad' 

> 
> # 
> # 
> # some output from: smbd -i -d3 
> ....snip... 
> ldb_wrap open of secrets.ldb 
> check_ntlm_password: winbind authentication for user [teddy] 
> succeeded check_ntlm_password: authentication for user [teddy] -> 
> [teddy] -> [teddy] succeeded NTLMSSP Sign/Seal - Initialising with 
> flags: Got NTLMSSP neg_flags=0xe2088215 
> NTLMSSP Sign/Seal - Initialising with flags: 
> Got NTLMSSP neg_flags=0xe2088215 
> Adding homes service for user 'teddy' using home directory: 
> '/home/teddy' adding home's share [teddy] for user 'teddy' at 
> '/home/teddy' Allowed connection from 10.0.61.1 (10.0.61.1) 
> Connect path is '/tmp' for service [IPC$] 
> Initialising default vfs hooks 
> Initialising custom vfs hooks from [/[Default VFS]/] 
> PANIC (pid 23738): sys_setgroups failed 
> BACKTRACE: 22 stack frames: 
> ....snip.... 
> 

Try setting your Unix domain member's smb.conf correctly ;-) 

Rowland 

-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 

-- 
Teddy Brown 
Senior Applications Developer 
Systems Analyst 
Canadian Cancer Trials Group 
Queen's University 
10 Stuart St, Kingston ON, K7L 3N6 
(613) 533-6430 
Follow us: [ https://twitter.com/CDNCancerTrials ] [ https://www.linkedin.com/company/canadiancancertrialsgroup |   ] [ http://www.cctg.ca/ |  cctg.ca  ] 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba