|
Hi all,

I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
with a Windows Server 2008 domain controller. I should state early on
that I do not believe this is a manifestation of the Solaris 16 group
limit - the number of groups is well below 16.

Winbind seems to be working fine - I can use wbinfo -r to check the
groups that a user is a member of, it returns the list of Active
Directory groups that the userid belongs to:

# /opt/samba/bin/wbinfo -r triddel
5000
10501
10000
10586
20001

(You'll note that the above list differs from the lists below - this
is because some of the groups have no NIS domain defined in AD.)

What I see is smbd panicking when initialising groups for a user, it
seems to be trying (and failing) to set one of the groups to -1:

[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 10017
Primary group is 5000 and contains 11 supplementary groups
Group[ 0]: 5000
Group[ 1]: -1
Group[ 2]: 10501
Group[ 3]: 10000
Group[ 4]: 10586
Group[ 5]: 10590
Group[ 6]: 10505
Group[ 7]: 20002
Group[ 8]: 20003
Group[ 9]: 20004
Group[ 10]: 20001

The corresponding truss output looks like this:

6114: setgroups(11, 0x08933B50) Err#22 EINVAL
6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
6114: 20001

The group with gid -1 corresponds to a group defined in /etc/group,
the rest come from Active Directory.

Occasionally smbd works correctly, and I see this in the log:

[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 10017
Primary group is 5000 and contains 10 supplementary groups
Group[ 0]: 5000
Group[ 1]: 10501
Group[ 2]: 10000
Group[ 3]: 10586
Group[ 4]: 10590
Group[ 5]: 10505
Group[ 6]: 20002
Group[ 7]: 20003
Group[ 8]: 20004
Group[ 9]: 20001

This may not be relevant, but I also see the list of groups being shuffled:

[2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 10017
Primary group is 5000 and contains 11 supplementary groups
Group[ 0]: 5000
Group[ 1]: 10501
Group[ 2]: 10000
Group[ 3]: 10586
Group[ 4]: -1
Group[ 5]: 10590
Group[ 6]: 10505
Group[ 7]: 20002
Group[ 8]: 20003
Group[ 9]: 20004
Group[ 10]: 20001

The Samba config. looks like this:

[global]
disable spoolss = Yes
disable netbios = yes
show add printer wizard = No
security = ADS
log level = 10
realm = FOO.BAR.COM
password server = *
kerberos method = system keytab
workgroup = INTRA
client lanman auth = no
client ntlmv2 auth = yes
max protocol = SMB2

winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind cache time = 15

idmap config * : range = 20000-30000
idmap config * : backend = tdb
idmap config INTRA : backend = ad
idmap config INTRA : range = 1000-20000
idmap config INTRA : schema_mode = rfc3207

[foo]
path = /live/home/triddel
read only = no
force create mode = 0600
force directory mode = 2700
browsable = no

Can anyone shed any light on this?

Thanks.

Toby

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
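Added example, not part of the original post or of Samba: Python that parses debug_unix_user_token entries of the shape quoted above and flags any token that carries a negative gid, a count that disagrees with the listed groups, or more groups than a limit, and that diffs two tokens without regard to order. The function names, the default limit of 16 and the sample log (constructed from the gid values in the post) are assumptions.

```python
import re

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\] .*debug_unix_user_token")
USER = re.compile(r"UNIX token of user (\d+)")
COUNT = re.compile(r"Primary group is (-?\d+) and contains (\d+) supplementary groups")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")


def parse_tokens(text):
    """Return one dict per debug_unix_user_token entry found in the log text."""
    tokens, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": m["ts"], "uid": None, "primary": None,
                   "declared": None, "gids": []}
            tokens.append(cur)
        elif cur is None:
            continue
        elif (m := USER.search(line)):
            cur["uid"] = int(m[1])
        elif (m := COUNT.search(line)):
            cur["primary"], cur["declared"] = int(m[1]), int(m[2])
        elif (m := GROUP.search(line)):
            cur["gids"].append(int(m[1]))
        elif line.startswith("["):  # a different log entry ends the token
            cur = None
    return tokens


def audit(token, ngroups_max=16):
    """List (code, detail) findings for one parsed token."""
    findings = []
    bad = [i for i, gid in enumerate(token["gids"]) if gid < 0]
    if bad:
        findings.append(("invalid_gid", bad))
    if token["declared"] != len(token["gids"]):
        findings.append(("count_mismatch", (token["declared"], len(token["gids"]))))
    if len(token["gids"]) > ngroups_max:
        findings.append(("over_limit", len(token["gids"])))
    return findings


def compare(a, b):
    """Order-insensitive diff of two tokens, plus whether only the order changed."""
    sa, sb = set(a["gids"]), set(b["gids"])
    return {"only_in_a": sorted(sa - sb), "only_in_b": sorted(sb - sa),
            "reordered": sa == sb and a["gids"] != b["gids"]}


def _entry(stamp, gids):
    """Build one constructed log entry in the format quoted in the post."""
    lines = [f"[{stamp}, 10] auth/token_util.c:527(debug_unix_user_token)",
             "  UNIX token of user 10017",
             f"  Primary group is 5000 and contains {len(gids)} supplementary groups"]
    lines += [f"  Group[{i:3d}]: {gid}" for i, gid in enumerate(gids)]
    return "\n".join(lines)


# Constructed sample using the gid values from the post: one clean token and
# two tokens where a -1 entry appears at different positions.
GOOD = [5000, 10501, 10000, 10586, 10590, 10505, 20002, 20003, 20004, 20001]
SAMPLE_LOG = "\n".join([
    _entry("2012/04/12 17:57:58.790716", GOOD),
    _entry("2012/04/12 18:01:17.915485", GOOD[:4] + [-1] + GOOD[4:]),
    _entry("2012/04/12 18:01:20.950498", GOOD[:1] + [-1] + GOOD[1:]),
])

if __name__ == "__main__":
    tokens = parse_tokens(SAMPLE_LOG)
    for tok in tokens:
        print(tok["ts"], "uid", tok["uid"], audit(tok) or "ok")
    print(compare(tokens[2], tokens[0]))  # what the failing token adds
    print(compare(tokens[1], tokens[2]))  # same set, different order
```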
|
From the Solaris man page of

http://docs.oracle.com/cd/E19963-01/html/821-1463/getgroups-2.html

...

The setgroups() function will fail if:

EINVAL

The value of /ngroups/ is greater than {NGROUPS_MAX}.

...

According to your truss setgroups returns EINVAL.

Solaris (10) no longer has the 16 group limitation
Starting from Solaris 10 Update 10 or starting with the patch bundle
144500-07 <http://wesunsolve.net/patch/id/144500-07> (sparc) / 144501-07
<http://wesunsolve.net/patch/id/144501-07> (x86)
one can set ngroups_max up to 1024 in /etc/system. (a reboot is required)
I recommend you to upgrade to Solaris 10 update 10.

HTH,

Bart

On 12/04/12 19:21, Toby Riddell wrote:
> Hi all,
>
> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
> with a Windows Server 2008 domain controller. I should state early on
> that I do not believe this is a manifestation of the Solaris 16 group
> limit - the number of groups is well below 16.
>
> Winbind seems to be working fine - I can use wbinfo -r to check the
> groups that a user is a member of, it returns the list of Active
> Directory groups that the userid belongs to:
>
> # /opt/samba/bin/wbinfo -r triddel
> 5000
> 10501
> 10000
> 10586
> 20001
>
> (You'll note that the above list differs from the lists below - this
> is because some of the groups have no NIS domain defined in AD.)
>
> What I see is smbd panicking when initialising groups for a user, it
> seems to be trying (and failing) to set one of the groups to -1:
>
> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 11 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: -1
> Group[ 2]: 10501
> Group[ 3]: 10000
> Group[ 4]: 10586
> Group[ 5]: 10590
> Group[ 6]: 10505
> Group[ 7]: 20002
> Group[ 8]: 20003
> Group[ 9]: 20004
> Group[ 10]: 20001
>
> The corresponding truss output looks like this:
>
> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
> 6114: 20001
>
> The group with gid -1 corresponds to a group defined in /etc/group,
> the rest come from Active Directory.
>
> Occasionally smbd works correctly, and I see this in the log:
>
> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 10 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: 10501
> Group[ 2]: 10000
> Group[ 3]: 10586
> Group[ 4]: 10590
> Group[ 5]: 10505
> Group[ 6]: 20002
> Group[ 7]: 20003
> Group[ 8]: 20004
> Group[ 9]: 20001
>
> This may not be relevant, but I also see the list of groups being shuffled:
>
> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 11 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: 10501
> Group[ 2]: 10000
> Group[ 3]: 10586
> Group[ 4]: -1
> Group[ 5]: 10590
> Group[ 6]: 10505
> Group[ 7]: 20002
> Group[ 8]: 20003
> Group[ 9]: 20004
> Group[ 10]: 20001
>
> The Samba config. looks like this:
>
> [global]
> disable spoolss = Yes
> disable netbios = yes
> show add printer wizard = No
> security = ADS
> log level = 10
> realm = FOO.BAR.COM
> password server = *
> kerberos method = system keytab
> workgroup = INTRA
> client lanman auth = no
> client ntlmv2 auth = yes
> max protocol = SMB2
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind cache time = 15
>
> idmap config * : range = 20000-30000
> idmap config * : backend = tdb
> idmap config INTRA : backend = ad
> idmap config INTRA : range = 1000-20000
> idmap config INTRA : schema_mode = rfc3207
>
> [foo]
> path = /live/home/triddel
> read only = no
> force create mode = 0600
> force directory mode = 2700
> browsable = no
>
> Can anyone shed any light on this?
>
> Thanks.
>
> Toby
|
In reply to this post by Toby Riddell
Can you add a group mapping for your "unix" group to a Windows group?
("net groupmap add ....")

If you do a "groups triddel" on the unix command line, how many groups
are you in? Unix groups mapped to Windows groups get double-counted,
which can push you over 16 groups. My environment is Samba 3.x. PDC's
so not the same as yours.

FYI The latest (as of a few months back) Solaris 10 kernels finally let
you set ngroups_max=1024.

147441-10 (x86_84)
147440-10 (sparc)

Most previous ones allowed ngroups_max=32. Except 147441-09 /147441-09
actually rolled it back to ngroups_max=16.

On 04/12/12 13:21, Toby Riddell wrote:
> Hi all,
>
> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
> with a Windows Server 2008 domain controller. I should state early on
> that I do not believe this is a manifestation of the Solaris 16 group
> limit - the number of groups is well below 16.
>
> Winbind seems to be working fine - I can use wbinfo -r to check the
> groups that a user is a member of, it returns the list of Active
> Directory groups that the userid belongs to:
>
> # /opt/samba/bin/wbinfo -r triddel
> 5000
> 10501
> 10000
> 10586
> 20001
>
> (You'll note that the above list differs from the lists below - this
> is because some of the groups have no NIS domain defined in AD.)
>
> What I see is smbd panicking when initialising groups for a user, it
> seems to be trying (and failing) to set one of the groups to -1:
>
> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 11 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: -1
> Group[ 2]: 10501
> Group[ 3]: 10000
> Group[ 4]: 10586
> Group[ 5]: 10590
> Group[ 6]: 10505
> Group[ 7]: 20002
> Group[ 8]: 20003
> Group[ 9]: 20004
> Group[ 10]: 20001
>
> The corresponding truss output looks like this:
>
> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
> 6114: 20001
>
> The group with gid -1 corresponds to a group defined in /etc/group,
> the rest come from Active Directory.
>
> Occasionally smbd works correctly, and I see this in the log:
>
> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 10 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: 10501
> Group[ 2]: 10000
> Group[ 3]: 10586
> Group[ 4]: 10590
> Group[ 5]: 10505
> Group[ 6]: 20002
> Group[ 7]: 20003
> Group[ 8]: 20004
> Group[ 9]: 20001
>
> This may not be relevant, but I also see the list of groups being shuffled:
>
> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 10017
> Primary group is 5000 and contains 11 supplementary groups
> Group[ 0]: 5000
> Group[ 1]: 10501
> Group[ 2]: 10000
> Group[ 3]: 10586
> Group[ 4]: -1
> Group[ 5]: 10590
> Group[ 6]: 10505
> Group[ 7]: 20002
> Group[ 8]: 20003
> Group[ 9]: 20004
> Group[ 10]: 20001
>
> The Samba config. looks like this:
>
> [global]
> disable spoolss = Yes
> disable netbios = yes
> show add printer wizard = No
> security = ADS
> log level = 10
> realm = FOO.BAR.COM
> password server = *
> kerberos method = system keytab
> workgroup = INTRA
> client lanman auth = no
> client ntlmv2 auth = yes
> max protocol = SMB2
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind cache time = 15
>
> idmap config * : range = 20000-30000
> idmap config * : backend = tdb
> idmap config INTRA : backend = ad
> idmap config INTRA : range = 1000-20000
> idmap config INTRA : schema_mode = rfc3207
>
> [foo]
> path = /live/home/triddel
> read only = no
> force create mode = 0600
> force directory mode = 2700
> browsable = no
>
> Can anyone shed any light on this?
>
> Thanks.
>
> Toby
|
I'd like to avoid adding a group mapping if possible.

"groups triddel" returns 6 groups.

The strange thing is that with version Samba 3.5.8 everything was working fine...

On 12 April 2012 22:00, Gaiseric Vandal <[hidden email]> wrote:
> Can you add a group mapping for your "unix" group to a Windows group?
> ("net groupmap add ....")
>
> If you do a "groups triddel" on the unix command line, how many groups
> are you in? Unix groups mapped to Windows groups get double-counted,
> which can push you over 16 groups. My environment is Samba 3.x. PDC's
> so not the same as yours.
>
> FYI The latest (as of a few months back) Solaris 10 kernels finally let
> you set ngroups_max=1024.
>
> 147441-10 (x86_84)
> 147440-10 (sparc)
>
> Most previous ones allowed ngroups_max=32. Except 147441-09 /147441-09
> actually rolled it back to ngroups_max=16.
>
> On 04/12/12 13:21, Toby Riddell wrote:
>> Hi all,
>>
>> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
>> with a Windows Server 2008 domain controller. I should state early on
>> that I do not believe this is a manifestation of the Solaris 16 group
>> limit - the number of groups is well below 16.
>>
>> Winbind seems to be working fine - I can use wbinfo -r to check the
>> groups that a user is a member of, it returns the list of Active
>> Directory groups that the userid belongs to:
>>
>> # /opt/samba/bin/wbinfo -r triddel
>> 5000
>> 10501
>> 10000
>> 10586
>> 20001
>>
>> (You'll note that the above list differs from the lists below - this
>> is because some of the groups have no NIS domain defined in AD.)
>>
>> What I see is smbd panicking when initialising groups for a user, it
>> seems to be trying (and failing) to set one of the groups to -1:
>>
>> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>> UNIX token of user 10017
>> Primary group is 5000 and contains 11 supplementary groups
>> Group[ 0]: 5000
>> Group[ 1]: -1
>> Group[ 2]: 10501
>> Group[ 3]: 10000
>> Group[ 4]: 10586
>> Group[ 5]: 10590
>> Group[ 6]: 10505
>> Group[ 7]: 20002
>> Group[ 8]: 20003
>> Group[ 9]: 20004
>> Group[ 10]: 20001
>>
>> The corresponding truss output looks like this:
>>
>> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
>> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
>> 6114: 20001
>>
>> The group with gid -1 corresponds to a group defined in /etc/group,
>> the rest come from Active Directory.
>>
>> Occasionally smbd works correctly, and I see this in the log:
>>
>> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>> UNIX token of user 10017
>> Primary group is 5000 and contains 10 supplementary groups
>> Group[ 0]: 5000
>> Group[ 1]: 10501
>> Group[ 2]: 10000
>> Group[ 3]: 10586
>> Group[ 4]: 10590
>> Group[ 5]: 10505
>> Group[ 6]: 20002
>> Group[ 7]: 20003
>> Group[ 8]: 20004
>> Group[ 9]: 20001
>>
>> This may not be relevant, but I also see the list of groups being shuffled:
>>
>> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>> UNIX token of user 10017
>> Primary group is 5000 and contains 11 supplementary groups
>> Group[ 0]: 5000
>> Group[ 1]: 10501
>> Group[ 2]: 10000
>> Group[ 3]: 10586
>> Group[ 4]: -1
>> Group[ 5]: 10590
>> Group[ 6]: 10505
>> Group[ 7]: 20002
>> Group[ 8]: 20003
>> Group[ 9]: 20004
>> Group[ 10]: 20001
>>
>> The Samba config. looks like this:
>>
>> [global]
>> disable spoolss = Yes
>> disable netbios = yes
>> show add printer wizard = No
>> security = ADS
>> log level = 10
>> realm = FOO.BAR.COM
>> password server = *
>> kerberos method = system keytab
>> workgroup = INTRA
>> client lanman auth = no
>> client ntlmv2 auth = yes
>> max protocol = SMB2
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind separator = +
>> winbind use default domain = yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> winbind cache time = 15
>>
>> idmap config * : range = 20000-30000
>> idmap config * : backend = tdb
>> idmap config INTRA : backend = ad
>> idmap config INTRA : range = 1000-20000
>> idmap config INTRA : schema_mode = rfc3207
>>
>> [foo]
>> path = /live/home/triddel
>> read only = no
>> force create mode = 0600
>> force directory mode = 2700
>> browsable = no
>>
>> Can anyone shed any light on this?
>>
>> Thanks.
>>
>> Toby
|
In reply to this post by Bart Janssens
Bart,

Thanks for the reply. However I don't think I'm hitting NGROUPS_MAX. As
can be seen in the snippet of truss output, ngroups is 11.

However, it looks like it might be time for an upgrade just to see if
it fixes the problem.

Regards,

Toby

On 12 April 2012 19:44, Bart Janssens <[hidden email]> wrote:
> From the Solaris man page of
>
> http://docs.oracle.com/cd/E19963-01/html/821-1463/getgroups-2.html
>
> ...
>
> The setgroups() function will fail if:
>
> EINVAL
>
> The value of /ngroups/ is greater than {NGROUPS_MAX}.
>
> ...
>
> According to your truss setgroups returns EINVAL.
>
> Solaris (10) no longer has the 16 group limitation
> Starting from Solaris 10 Update 10 or starting with the patch bundle
> 144500-07 <http://wesunsolve.net/patch/id/144500-07> (sparc) / 144501-07
> <http://wesunsolve.net/patch/id/144501-07> (x86)
> one can set ngroups_max up to 1024 in /etc/system.(a reboot is required)
> I recommend you to upgrade to Solaris 10 update 10.
>
>
> HTH,
>
> Bart
>
> On 12/04/12 19:21, Toby Riddell wrote:
>>
>> Hi all,
>>
>> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
>> with a Windows Server 2008 domain controller. I should state early on
>> that I do not believe this is a manifestation of the Solaris 16 group
>> limit - the number of groups is well below 16.
>>
>> Winbind seems to be working fine - I can use wbinfo -r to check the
>> groups that a user is a member of, it returns the list of Active
>> Directory groups that the userid belongs to:
>>
>> # /opt/samba/bin/wbinfo -r triddel
>> 5000
>> 10501
>> 10000
>> 10586
>> 20001
>>
>> (You'll note that the above list differs from the lists below - this
>> is because some of the groups have no NIS domain defined in AD.)
>>
>> What I see is smbd panicking when initialising groups for a user, it
>> seems to be trying (and failing) to set one of the groups to -1:
>>
>> [2012/04/12 18:01:20.950498, 10]
>> auth/token_util.c:527(debug_unix_user_token)
>> UNIX token of user 10017
>> Primary group is 5000 and contains 11 supplementary groups
>> Group[ 0]: 5000
>> Group[ 1]: -1
>> Group[ 2]: 10501
>> Group[ 3]: 10000
>> Group[ 4]: 10586
>> Group[ 5]: 10590
>> Group[ 6]: 10505
>> Group[ 7]: 20002
>> Group[ 8]: 20003
>> Group[ 9]: 20004
>> Group[ 10]: 20001
>>
>> The corresponding truss output looks like this:
>>
>> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
>> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003
>> 20004
>> 6114: 20001
>>
>> The group with gid -1 corresponds to a group defined in /etc/group,
>> the rest come from Active Directory.
>>
>> Occasionally smbd works correctly, and I see this in the log:
>>
>> [2012/04/12 17:57:58.790716, 10]
>> auth/token_util.c:527(debug_unix_user_token)
>> UNIX token of user 10017
>> Primary group is 5000 and contains 10 supplementary groups
>> Group[ 0]: 5000
>> Group[ 1]: 10501
>> Group[ 2]: 10000
>> Group[ 3]: 10586
>> Group[ 4]: 10590
>> Group[ 5]: 10505
>> Group[ 6]: 20002
>> Group[ 7]: 20003
>> Group[ 8]: 20004
>> Group[ 9]: 20001
>>
>> This may not be relevant, but I also see the list of groups being
>> shuffled:
>>
>> [2012/04/12 18:01:17.915485, 10]
>> auth/token_util.c:527(debug_unix_user_token)
>> UNIX token of user 10017
>> Primary group is 5000 and contains 11 supplementary groups
>> Group[ 0]: 5000
>> Group[ 1]: 10501
>> Group[ 2]: 10000
>> Group[ 3]: 10586
>> Group[ 4]: -1
>> Group[ 5]: 10590
>> Group[ 6]: 10505
>> Group[ 7]: 20002
>> Group[ 8]: 20003
>> Group[ 9]: 20004
>> Group[ 10]: 20001
>>
>> The Samba config. looks like this:
>>
>> [global]
>> disable spoolss = Yes
>> disable netbios = yes
>> show add printer wizard = No
>> security = ADS
>> log level = 10
>> realm = FOO.BAR.COM
>> password server = *
>> kerberos method = system keytab
>> workgroup = INTRA
>> client lanman auth = no
>> client ntlmv2 auth = yes
>> max protocol = SMB2
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind separator = +
>> winbind use default domain = yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> winbind cache time = 15
>>
>> idmap config * : range = 20000-30000
>> idmap config * : backend = tdb
>> idmap config INTRA : backend = ad
>> idmap config INTRA : range = 1000-20000
>> idmap config INTRA : schema_mode = rfc3207
>>
>> [foo]
>> path = /live/home/triddel
>> read only = no
>> force create mode = 0600
>> force directory mode = 2700
>> browsable = no
>>
>> Can anyone shed any light on this?
>>
>> Thanks.
>>
>> Toby
|
In reply to this post by Toby Riddell
Toby,

This may or may not be relevant for you ==>

There are some winbind issues in 3.6.x. The one affecting me can be found here:
https://bugzilla.samba.org/show_bug.cgi?id=8676

Maybe something there will look familiar to you.

idmap_ad issue from last week in 3.6.x:
http://lists-archives.com/samba/63876-resolved-ctdb-and-pacemaker-last-mile-ctdb-complains-cluster-ip-is-not-a-public-address.html

Good luck,

Dale

On 04/12/2012 8:41 PM, Toby Riddell wrote:
> I'd like to avoid adding a group mapping if possible.
>
> "groups triddel" returns 6 groups.
>
> The strange thing is that with version Samba 3.5.8 everything was working fine...
>
> On 12 April 2012 22:00, Gaiseric Vandal<[hidden email]> wrote:
>> Can you add a group mapping for your "unix" group to a Windows group?
>> ("net groupmap add ....")
>>
>> If you do a "groups triddel" on the unix command line, how many groups
>> are you in? Unix groups mapped to Windows groups get double-counted,
>> which can push you over 16 groups. My environment is Samba 3.x. PDC's
>> so not the same as yours.
>>
>> FYI The latest (as of a few months back) Solaris 10 kernels finally let
>> you set ngroups_max=1024.
>>
>> 147441-10 (x86_84)
>> 147440-10 (sparc)
>>
>> Most previous ones allowed ngroups_max=32. Except 147441-09 /147441-09
>> actually rolled it back to ngroups_max=16.
>>
>> On 04/12/12 13:21, Toby Riddell wrote:
>>> Hi all,
>>>
>>> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
>>> with a Windows Server 2008 domain controller. I should state early on
>>> that I do not believe this is a manifestation of the Solaris 16 group
>>> limit - the number of groups is well below 16.
>>>
>>> Winbind seems to be working fine - I can use wbinfo -r to check the
>>> groups that a user is a member of, it returns the list of Active
>>> Directory groups that the userid belongs to:
>>>
>>> # /opt/samba/bin/wbinfo -r triddel
>>> 5000
>>> 10501
>>> 10000
>>> 10586
>>> 20001
>>>
>>> (You'll note that the above list differs from the lists below - this
>>> is because some of the groups have no NIS domain defined in AD.)
>>>
>>> What I see is smbd panicking when initialising groups for a user, it
>>> seems to be trying (and failing) to set one of the groups to -1:
>>>
>>> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>>> UNIX token of user 10017
>>> Primary group is 5000 and contains 11 supplementary groups
>>> Group[ 0]: 5000
>>> Group[ 1]: -1
>>> Group[ 2]: 10501
>>> Group[ 3]: 10000
>>> Group[ 4]: 10586
>>> Group[ 5]: 10590
>>> Group[ 6]: 10505
>>> Group[ 7]: 20002
>>> Group[ 8]: 20003
>>> Group[ 9]: 20004
>>> Group[ 10]: 20001
>>>
>>> The corresponding truss output looks like this:
>>>
>>> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
>>> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
>>> 6114: 20001
>>>
>>> The group with gid -1 corresponds to a group defined in /etc/group,
>>> the rest come from Active Directory.
>>>
>>> Occasionally smbd works correctly, and I see this in the log:
>>>
>>> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>>> UNIX token of user 10017
>>> Primary group is 5000 and contains 10 supplementary groups
>>> Group[ 0]: 5000
>>> Group[ 1]: 10501
>>> Group[ 2]: 10000
>>> Group[ 3]: 10586
>>> Group[ 4]: 10590
>>> Group[ 5]: 10505
>>> Group[ 6]: 20002
>>> Group[ 7]: 20003
>>> Group[ 8]: 20004
>>> Group[ 9]: 20001
>>>
>>> This may not be relevant, but I also see the list of groups being shuffled:
>>>
>>> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>>> UNIX token of user 10017
>>> Primary group is 5000 and contains 11 supplementary groups
>>> Group[ 0]: 5000
>>> Group[ 1]: 10501
>>> Group[ 2]: 10000
>>> Group[ 3]: 10586
>>> Group[ 4]: -1
>>> Group[ 5]: 10590
>>> Group[ 6]: 10505
>>> Group[ 7]: 20002
>>> Group[ 8]: 20003
>>> Group[ 9]: 20004
>>> Group[ 10]: 20001
>>>
>>> The Samba config. looks like this:
>>>
>>> [global]
>>> disable spoolss = Yes
>>> disable netbios = yes
>>> show add printer wizard = No
>>> security = ADS
>>> log level = 10
>>> realm = FOO.BAR.COM
>>> password server = *
>>> kerberos method = system keytab
>>> workgroup = INTRA
>>> client lanman auth = no
>>> client ntlmv2 auth = yes
>>> max protocol = SMB2
>>>
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind separator = +
>>> winbind use default domain = yes
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = yes
>>> winbind cache time = 15
>>>
>>> idmap config * : range = 20000-30000
>>> idmap config * : backend = tdb
>>> idmap config INTRA : backend = ad
>>> idmap config INTRA : range = 1000-20000
>>> idmap config INTRA : schema_mode = rfc3207
>>>
>>> [foo]
>>> path = /live/home/triddel
>>> read only = no
>>> force create mode = 0600
>>> force directory mode = 2700
>>> browsable = no
>>>
>>> Can anyone shed any light on this?
>>>
>>> Thanks.
>>>
>>> Toby
