Re: Samba 3.6.4 on Solaris - groups for user inconsistent

I'd like to avoid adding a group mapping if possible.

"groups triddel" returns 6 groups.

The strange thing is that with Samba version 3.5.8 everything was working fine...

On 12 April 2012 22:00, Gaiseric Vandal <gaiseric.vandal@xxxxxxxxx> wrote:
> Can you add a group mapping for your "unix" group to a Windows group?
> ("net groupmap add ....")
>
> If you do a "groups triddel" on the unix command line, how many groups
> are you in?    Unix groups mapped to Windows groups get double-counted,
> which can push you over 16 groups.    My environment is Samba 3.x PDCs,
> so not the same as yours.
>
> FYI The latest (as of a few months back) Solaris 10 kernels finally let
> you set ngroups_max=1024.
>
> 147441-10 (x86_64)
> 147440-10 (sparc)
>
> Most previous ones allowed ngroups_max=32.  Except 147441-09 /147441-09
> actually rolled it back to ngroups_max=16.
>
>
>
>
> On 04/12/12 13:21, Toby Riddell wrote:
>> Hi all,
>>
>> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
>> with a Windows Server 2008 domain controller. I should state early on
>> that I do not believe this is a manifestation of the Solaris 16 group
>> limit - the number of groups is well below 16.
>>
>> Winbind seems to be working fine - I can use wbinfo -r to check the
>> groups that a user is a member of, it returns the list of Active
>> Directory groups that the userid belongs to:
>>
>> # /opt/samba/bin/wbinfo -r triddel
>> 5000
>> 10501
>> 10000
>> 10586
>> 20001
>>
>> (You'll note that the above list differs from the lists below - this
>> is because some of the groups have no NIS domain defined in AD.)
>>
>> What I see is smbd panicking when initialising groups for a user, it
>> seems to be trying (and failing) to set one of the groups to  -1:
>>
>> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 11 supplementary groups
>>   Group[  0]: 5000
>>   Group[  1]: -1
>>   Group[  2]: 10501
>>   Group[  3]: 10000
>>   Group[  4]: 10586
>>   Group[  5]: 10590
>>   Group[  6]: 10505
>>   Group[  7]: 20002
>>   Group[  8]: 20003
>>   Group[  9]: 20004
>>   Group[ 10]: 20001
>>
>> The corresponding truss output looks like this:
>>
>> 6114:   setgroups(11, 0x08933B50)                       Err#22 EINVAL
>> 6114:             5000    -1 10501 10000 10586 10590 10505 20002 20003 20004
>> 6114:            20001
>>
>> The group with gid -1 corresponds to a group defined in /etc/group,
>> the rest come from Active Directory.
>>
>> Occasionally smbd works correctly, and I see this in the log:
>>
>> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 10 supplementary groups
>>   Group[  0]: 5000
>>   Group[  1]: 10501
>>   Group[  2]: 10000
>>   Group[  3]: 10586
>>   Group[  4]: 10590
>>   Group[  5]: 10505
>>   Group[  6]: 20002
>>   Group[  7]: 20003
>>   Group[  8]: 20004
>>   Group[  9]: 20001
>>
>> This may not be relevant, but I also see the list of groups being shuffled:
>>
>> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>>   UNIX token of user 10017
>>   Primary group is 5000 and contains 11 supplementary groups
>>   Group[  0]: 5000
>>   Group[  1]: 10501
>>   Group[  2]: 10000
>>   Group[  3]: 10586
>>   Group[  4]: -1
>>   Group[  5]: 10590
>>   Group[  6]: 10505
>>   Group[  7]: 20002
>>   Group[  8]: 20003
>>   Group[  9]: 20004
>>   Group[ 10]: 20001
>>
>> The Samba config. looks like this:
>>
>> [global]
>> disable spoolss = Yes
>> disable netbios = yes
>> show add printer wizard = No
>> security = ADS
>> log level = 10
>> realm = FOO.BAR.COM
>> password server = *
>> kerberos method = system keytab
>> workgroup = INTRA
>> client lanman auth = no
>> client ntlmv2 auth = yes
>> max protocol = SMB2
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind separator = +
>> winbind use default domain = yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> winbind cache time = 15
>>
>> idmap config * : range = 20000-30000
>> idmap config * : backend = tdb
>> idmap config INTRA : backend = ad
>> idmap config INTRA : range = 1000-20000
>> idmap config INTRA : schema_mode = rfc3207
>>
>> [foo]
>> path = /live/home/triddel
>> read only = no
>> force create mode = 0600
>> force directory mode = 2700
>> browsable = no
>>
>> Can anyone shed any light on this?
>>
>> Thanks.
>>
>> Toby
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
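
For triaging logs like the ones quoted in this thread, the following added example (not part of the thread and not Samba code) parses `debug_unix_user_token` blocks from a level-10 smbd log and flags tokens that `setgroups()` is likely to reject. The log layout and the sample gids are taken from the excerpts above; the finding codes, the `render` helper and the default `ngroups_max=16` are assumptions made for the example.

```python
import re

HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*\d+\]\s+\S+\(debug_unix_user_token\)")
PRIMARY = re.compile(r"Primary group is (-?\d+) and contains (\d+) supplementary groups")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")

def parse_tokens(log_text):
    """Return one dict per debug_unix_user_token block found in the log."""
    tokens, cur = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ")              # tolerate mail-quoted log excerpts
        if line.startswith("["):             # any log header ends the previous block
            m = HEADER.match(line)
            cur = {"ts": m[1], "declared": None, "gids": []} if m else None
            if cur is not None:
                tokens.append(cur)
        elif cur is None:
            continue                         # line belongs to some other message
        elif (m := PRIMARY.search(line)):
            cur["declared"] = int(m[2])
        elif (m := GROUP.search(line)):
            cur["gids"].append(int(m[1]))
    return tokens

def check_token(tok, ngroups_max=16):
    """Return finding codes for one token; an empty list means it looks sane."""
    gids, findings = tok["gids"], []
    if any(g < 0 for g in gids):             # -1 is (gid_t)-1, not a real group
        findings.append("INVALID_GID")
    if tok["declared"] is not None and tok["declared"] != len(gids):
        findings.append("COUNT_MISMATCH")
    if len(set(gids)) != len(gids):          # same group listed twice
        findings.append("DUPLICATE_GID")
    if len(gids) > ngroups_max:              # ngroups_max default is an assumption
        findings.append("OVER_NGROUPS_MAX")
    return findings

def render(ts, gids):
    """Rebuild a log block in the layout shown in the post (sample input only)."""
    out = f"[{ts}, 10] auth/token_util.c:527(debug_unix_user_token)\n"
    out += "  UNIX token of user 10017\n"
    out += f"  Primary group is {gids[0]} and contains {len(gids)} supplementary groups\n"
    return out + "".join(f"  Group[{i:3d}]: {g}\n" for i, g in enumerate(gids))

GOOD = [5000, 10501, 10000, 10586, 10590, 10505, 20002, 20003, 20004, 20001]
SAMPLE = (render("2012/04/12 18:01:20.950498", GOOD[:1] + [-1] + GOOD[1:])
          + render("2012/04/12 17:57:58.790716", GOOD))

if __name__ == "__main__":
    for tok in parse_tokens(SAMPLE):
        print(tok["ts"], len(tok["gids"]), "groups:", check_token(tok) or "ok")
```

Set `ngroups_max` to the value configured on the host being examined, since the limit differs between the kernel patch levels mentioned in the reply.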