Samba 3.6.4 on Solaris - groups for user inconsistent

Toby Riddell
Hi all,

I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
with a Windows Server 2008 domain controller. I should state early on
that I do not believe this is a manifestation of the Solaris 16 group
limit - the number of groups is well below 16.

Winbind seems to be working fine - I can use wbinfo -r to check the
groups that a user is a member of; it returns the list of Active
Directory groups that the userid belongs to:

# /opt/samba/bin/wbinfo -r triddel
5000
10501
10000
10586
20001

(You'll note that the above list differs from the lists below - this
is because some of the groups have no NIS domain defined in AD.)

What I see is smbd panicking when initialising groups for a user; it
seems to be trying (and failing) to set one of the groups to -1:

[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 11 supplementary groups
  Group[  0]: 5000
  Group[  1]: -1
  Group[  2]: 10501
  Group[  3]: 10000
  Group[  4]: 10586
  Group[  5]: 10590
  Group[  6]: 10505
  Group[  7]: 20002
  Group[  8]: 20003
  Group[  9]: 20004
  Group[ 10]: 20001

The corresponding truss output looks like this:

6114:   setgroups(11, 0x08933B50)                       Err#22 EINVAL
6114:             5000    -1 10501 10000 10586 10590 10505 20002 20003 20004
6114:            20001

The group with gid -1 corresponds to a group defined in /etc/group,
the rest come from Active Directory.

Occasionally smbd works correctly, and I see this in the log:

[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 10 supplementary groups
  Group[  0]: 5000
  Group[  1]: 10501
  Group[  2]: 10000
  Group[  3]: 10586
  Group[  4]: 10590
  Group[  5]: 10505
  Group[  6]: 20002
  Group[  7]: 20003
  Group[  8]: 20004
  Group[  9]: 20001

This may not be relevant, but I also see the list of groups being shuffled:

[2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 11 supplementary groups
  Group[  0]: 5000
  Group[  1]: 10501
  Group[  2]: 10000
  Group[  3]: 10586
  Group[  4]: -1
  Group[  5]: 10590
  Group[  6]: 10505
  Group[  7]: 20002
  Group[  8]: 20003
  Group[  9]: 20004
  Group[ 10]: 20001

The Samba config. looks like this:

[global]
disable spoolss = Yes
disable netbios = yes
show add printer wizard = No
security = ADS
log level = 10
realm = FOO.BAR.COM
password server = *
kerberos method = system keytab
workgroup = INTRA
client lanman auth = no
client ntlmv2 auth = yes
max protocol = SMB2

winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind cache time = 15

idmap config * : range = 20000-30000
idmap config * : backend = tdb
idmap config INTRA : backend = ad
idmap config INTRA : range = 1000-20000
idmap config INTRA : schema_mode = rfc3207

[foo]
path = /live/home/triddel
read only = no
force create mode = 0600
force directory mode = 2700
browsable = no

Can anyone shed any light on this?

Thanks.

Toby
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
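
For triaging dumps like the ones in the post above, here is an added example (not from the thread or from Samba) that parses debug_unix_user_token blocks and checks each token for the two conditions under discussion: a group count above a limit and an entry of -1. The sample log is constructed in the post's format, the limit of 16 is a parameter taken from the thread's discussion, and all function names are illustrative.

```python
import re

# Constructed sample in the log-level-10 format quoted in the post, shortened
# to a few groups per token. The first dump carries the -1 entry.
SAMPLE_LOG = """\
[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 4 supplementary groups
  Group[  0]: 5000
  Group[  1]: -1
  Group[  2]: 10501
  Group[  3]: 20001
[2012/04/12 18:01:21.000000, 3] example/file.c:1(constructed_unrelated_entry)
  unrelated message
[2012/04/12 18:02:00.000000, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 3 supplementary groups
  Group[  0]: 5000
  Group[  1]: 20001
  Group[  2]: 10501
"""

HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+\S+\(debug_unix_user_token\)")
USER = re.compile(r"^\s+UNIX token of user (-?\d+)")
PRIMARY = re.compile(r"^\s+Primary group is (-?\d+) and contains (\d+) supplementary groups")
GROUP = re.compile(r"^\s+Group\[\s*(\d+)\]:\s*(-?\d+)")

def parse_tokens(text):
    """Return one dict per debug_unix_user_token dump found in text."""
    tokens, cur = [], None
    for line in text.splitlines():
        if line.startswith("["):
            # Every log entry starts with "["; only token dumps open a record.
            m = HEADER.match(line)
            cur = None
            if m:
                cur = {"ts": m.group(1), "uid": None, "primary": None,
                       "declared": None, "groups": []}
                tokens.append(cur)
            continue
        if cur is None:
            continue
        if (m := USER.match(line)):
            cur["uid"] = int(m.group(1))
        elif (m := PRIMARY.match(line)):
            cur["primary"], cur["declared"] = int(m.group(1)), int(m.group(2))
        elif (m := GROUP.match(line)):
            cur["groups"].append(int(m.group(2)))
    return tokens

def is_invalid_gid(gid):
    # (gid_t)-1 is the "no change" sentinel in calls such as setregid() and
    # chown(), so it cannot name a real group. Assumption: a log may render it
    # either as -1 (as in the post) or as the unsigned 32-bit value.
    return gid < 0 or gid == 0xFFFFFFFF

def check_token(tok, ngroups_max=16):
    """List the problems that would make this group list suspect."""
    findings = []
    groups = tok["groups"]
    if tok["declared"] is not None and tok["declared"] != len(groups):
        findings.append(f"declared {tok['declared']} groups, listed {len(groups)}")
    if len(groups) > ngroups_max:
        findings.append(f"{len(groups)} groups exceeds limit of {ngroups_max}")
    for idx, gid in enumerate(groups):
        if is_invalid_gid(gid):
            findings.append(f"Group[{idx}] = {gid} is not a valid gid")
    return findings

def same_membership(a, b):
    """True when two tokens differ only in order or in invalid entries."""
    valid = lambda t: {g for g in t["groups"] if not is_invalid_gid(g)}
    return valid(a) == valid(b)

if __name__ == "__main__":
    toks = parse_tokens(SAMPLE_LOG)
    for t in toks:
        issues = check_token(t) or ["ok"]
        print(t["ts"], "uid", t["uid"], "->", "; ".join(issues))
    print("same valid membership:", same_membership(toks[0], toks[1]))
```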

Re: Samba 3.6.4 on Solaris - groups for user inconsistent

Bart Janssens
From the Solaris man page of

http://docs.oracle.com/cd/E19963-01/html/821-1463/getgroups-2.html

...

The setgroups() function will fail if:

EINVAL

    The value of /ngroups/ is greater than {NGROUPS_MAX}.

...

According to your truss, setgroups returns EINVAL.

Solaris (10) no longer has the 16 group limitation.
Starting from Solaris 10 Update 10 or starting with the patch bundle
144500-07 <http://wesunsolve.net/patch/id/144500-07> (sparc) / 144501-07
<http://wesunsolve.net/patch/id/144501-07> (x86),
one can set ngroups_max up to 1024 in /etc/system (a reboot is required).
I recommend you upgrade to Solaris 10 update 10.


HTH,

Bart
On 12/04/12 19:21, Toby Riddell wrote:

> The corresponding truss output looks like this:
>
> 6114:   setgroups(11, 0x08933B50)                       Err#22 EINVAL
> 6114:             5000    -1 10501 10000 10586 10590 10505 20002 20003 20004
> 6114:            20001

Re: Samba 3.6.4 on Solaris - groups for user inconsistent

Gaiseric Vandal
In reply to this post by Toby Riddell
Can you add a group mapping for your "unix" group to a Windows group?
("net groupmap add ....")

If you do a "groups triddel" on the unix command line, how many groups
are you in? Unix groups mapped to Windows groups get double-counted,
which can push you over 16 groups. My environment is Samba 3.x PDCs,
so not the same as yours.

FYI The latest (as of a few months back) Solaris 10 kernels finally let
you set ngroups_max=1024.

147441-10 (x86_64)
147440-10 (sparc)

Most previous ones allowed ngroups_max=32. Except 147441-09 /147441-09
actually rolled it back to ngroups_max=16.




On 04/12/12 13:21, Toby Riddell wrote:

> Hi all,
>
> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
> with a Windows Server 2008 domain controller. I should state early on
> that I do not believe this is a manifestation of the Solaris 16 group
> limit - the number of groups is well below 16.

Re: Samba 3.6.4 on Solaris - groups for user inconsistent

Toby Riddell
I'd like to avoid adding a group mapping if possible.

"groups triddel" returns 6 groups.

The strange thing is that with version Samba 3.5.8 everything was working fine...

On 12 April 2012 22:00, Gaiseric Vandal wrote:

> Can you add a group mapping for your "unix" group to a Windows group?
> ("net groupmap add ....")
>
> If you do a "groups triddel" on the unix command line, how many groups
> are you in? Unix groups mapped to Windows groups get double-counted,
> which can push you over 16 groups. My environment is Samba 3.x PDCs,
> so not the same as yours.
>
> FYI The latest (as of a few months back) Solaris 10 kernels finally let
> you set ngroups_max=1024.
>
> 147441-10 (x86_64)
> 147440-10 (sparc)
>
> Most previous ones allowed ngroups_max=32. Except 147441-09 /147441-09
> actually rolled it back to ngroups_max=16.

Re: Samba 3.6.4 on Solaris - groups for user inconsistent

Toby Riddell
In reply to this post by Bart Janssens
Bart,

Thanks for the reply.

However, I don't think I'm hitting NGROUPS_MAX. As can be seen in the
snippet of truss output, ngroups is 11.

However, it looks like it might be time for an upgrade just to see if
it fixes the problem.

Regards,

Toby

On 12 April 2012 19:44, Bart Janssens wrote:

> From the Solaris man page of
>
> http://docs.oracle.com/cd/E19963-01/html/821-1463/getgroups-2.html
>
> ...
>
> The setgroups() function will fail if:
>
> EINVAL
>
>   The value of /ngroups/ is greater than {NGROUPS_MAX}.
>
> ...
>
> According to your truss, setgroups returns EINVAL.
>
> Solaris (10) no longer has the 16 group limitation.
> Starting from Solaris 10 Update 10 or starting with the patch bundle
> 144500-07 <http://wesunsolve.net/patch/id/144500-07> (sparc) / 144501-07
> <http://wesunsolve.net/patch/id/144501-07> (x86),
> one can set ngroups_max up to 1024 in /etc/system (a reboot is required).
> I recommend you upgrade to Solaris 10 update 10.
>
>
> HTH,
>
> Bart

Re: Samba 3.6.4 on Solaris - groups for user inconsistent

Dale Schroeder
In reply to this post by Toby Riddell
Toby,

This may or may not be relevant for you ==>

There are some winbind issues in 3.6.x.  The one affecting me can be
found here:
https://bugzilla.samba.org/show_bug.cgi?id=8676

Maybe something there will look familiar to you.

idmap_ad issue from last week in 3.6.x:
http://lists-archives.com/samba/63876-resolved-ctdb-and-pacemaker-last-mile-ctdb-complains-cluster-ip-is-not-a-public-address.html

Good luck,
Dale


On 04/12/2012 8:41 PM, Toby Riddell wrote:

> I'd like to avoid adding a group mapping if possible.
>
> "groups triddel" returns 6 groups.
>
> The strange thing is that with version Samba 3.5.8 everything was working fine...