I'd like to avoid adding a group mapping if possible.

"groups triddel" returns 6 groups.

The strange thing is that with version Samba 3.5.8 everything was working fine...

On 12 April 2012 22:00, Gaiseric Vandal <gaiseric.vandal@xxxxxxxxx> wrote:
> Can you add a group mapping for your "unix" group to a Windows group?
> ("net groupmap add ....")
>
> If you do a "groups triddel" on the unix command line, how many groups
> are you in? Unix groups mapped to Windows groups get double-counted,
> which can push you over 16 groups. My environment is Samba 3.x. PDC's
> so not the same as yours.
>
> FYI The latest (as of a few months back) Solaris 10 kernels finally let
> you set ngroups_max=1024.
>
> 147441-10 (x86_84)
> 147440-10 (sparc)
>
> Most previous ones allowed ngroups_max=32. Except 147441-09 /147441-09
> actually rolled it back to ngroups_max=16.
>
> On 04/12/12 13:21, Toby Riddell wrote:
>> Hi all,
>>
>> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
>> with a Windows Server 2008 domain controller. I should state early on
>> that I do not believe this is a manifestation of the Solaris 16 group
>> limit - the number of groups is well below 16.
>>
>> Winbind seems to be working fine - I can use wbinfo -r to check the
>> groups that a user is a member of, it returns the list of Active
>> Directory groups that the userid belongs to:
>>
>> # /opt/samba/bin/wbinfo -r triddel
>> 5000
>> 10501
>> 10000
>> 10586
>> 20001
>>
>> (You'll note that the above list differs from the lists below - this
>> is because some of the groups have no NIS domain defined in AD.)
>>
>> What I see is smbd panicking when initialising groups for a user, it
>> seems to be trying (and failing) to set one of the groups to -1:
>>
>> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 11 supplementary groups
>>   Group[ 0]: 5000
>>   Group[ 1]: -1
>>   Group[ 2]: 10501
>>   Group[ 3]: 10000
>>   Group[ 4]: 10586
>>   Group[ 5]: 10590
>>   Group[ 6]: 10505
>>   Group[ 7]: 20002
>>   Group[ 8]: 20003
>>   Group[ 9]: 20004
>>   Group[ 10]: 20001
>>
>> The corresponding truss output looks like this:
>>
>> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
>> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
>> 6114: 20001
>>
>> The group with gid -1 corresponds to a group defined in /etc/group,
>> the rest come from Active Directory.
>>
>> Occasionally smbd works correctly, and I see this in the log:
>>
>> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 10 supplementary groups
>>   Group[ 0]: 5000
>>   Group[ 1]: 10501
>>   Group[ 2]: 10000
>>   Group[ 3]: 10586
>>   Group[ 4]: 10590
>>   Group[ 5]: 10505
>>   Group[ 6]: 20002
>>   Group[ 7]: 20003
>>   Group[ 8]: 20004
>>   Group[ 9]: 20001
>>
>> This may not be relevant, but I also see the list of groups being shuffled:
>>
>> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 11 supplementary groups
>>   Group[ 0]: 5000
>>   Group[ 1]: 10501
>>   Group[ 2]: 10000
>>   Group[ 3]: 10586
>>   Group[ 4]: -1
>>   Group[ 5]: 10590
>>   Group[ 6]: 10505
>>   Group[ 7]: 20002
>>   Group[ 8]: 20003
>>   Group[ 9]: 20004
>>   Group[ 10]: 20001
>>
>> The Samba config. looks like this:
>>
>> [global]
>>     disable spoolss = Yes
>>     disable netbios = yes
>>     show add printer wizard = No
>>     security = ADS
>>     log level = 10
>>     realm = FOO.BAR.COM
>>     password server = *
>>     kerberos method = system keytab
>>     workgroup = INTRA
>>     client lanman auth = no
>>     client ntlmv2 auth = yes
>>     max protocol = SMB2
>>
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     winbind separator = +
>>     winbind use default domain = yes
>>     winbind nss info = rfc2307
>>     winbind refresh tickets = yes
>>     winbind cache time = 15
>>
>>     idmap config * : range = 20000-30000
>>     idmap config * : backend = tdb
>>     idmap config INTRA : backend = ad
>>     idmap config INTRA : range = 1000-20000
>>     idmap config INTRA : schema_mode = rfc3207
>>
>> [foo]
>>     path = /live/home/triddel
>>     read only = no
>>     force create mode = 0600
>>     force directory mode = 2700
>>     browsable = no
>>
>> Can anyone shed any light on this?
>>
>> Thanks.
>>
>> Toby
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba