Toby,

This may or may not be relevant for you ==>

There are some winbind issues in 3.6.x. The one affecting me can be found here:
https://bugzilla.samba.org/show_bug.cgi?id=8676

Maybe something there will look familiar to you.

idmap_ad issue from last week in 3.6.x:
http://lists-archives.com/samba/63876-resolved-ctdb-and-pacemaker-last-mile-ctdb-complains-cluster-ip-is-not-a-public-address.html

Good luck,
Dale


On 04/12/2012 8:41 PM, Toby Riddell wrote:
I'd like to avoid adding a group mapping if possible.

"groups triddel" returns 6 groups.

The strange thing is that with version Samba 3.5.8 everything was working fine...

On 12 April 2012 22:00, Gaiseric Vandal <[email protected]> wrote:
Can you add a group mapping for your "unix" group to a Windows group?
("net groupmap add ....")

If you do a "groups triddel" on the unix command line, how many groups
are you in? Unix groups mapped to Windows groups get double-counted,
which can push you over 16 groups. My environment is Samba 3.x PDCs,
so not the same as yours.

FYI The latest (as of a few months back) Solaris 10 kernels finally let
you set ngroups_max=1024.

147441-10 (x86_84)
147440-10 (sparc)

Most previous ones allowed ngroups_max=32.  Except 147441-09 /147441-09
actually rolled it back to ngroups_max=16.




On 04/12/12 13:21, Toby Riddell wrote:
Hi all,

I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
with a Windows Server 2008 domain controller. I should state early on
that I do not believe this is a manifestation of the Solaris 16 group
limit - the number of groups is well below 16.

Winbind seems to be working fine - I can use wbinfo -r to check the
groups that a user is a member of, it returns the list of Active
Directory groups that the userid belongs to:

# /opt/samba/bin/wbinfo -r triddel
5000
10501
10000
10586
20001

(You'll note that the above list differs from the lists below - this
is because some of the groups have no NIS domain defined in AD.)

What I see is smbd panicking when initialising groups for a user, it
seems to be trying (and failing) to set one of the groups to  -1:

[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 10017
   Primary group is 5000 and contains 11 supplementary groups
   Group[  0]: 5000
   Group[  1]: -1
   Group[  2]: 10501
   Group[  3]: 10000
   Group[  4]: 10586
   Group[  5]: 10590
   Group[  6]: 10505
   Group[  7]: 20002
   Group[  8]: 20003
   Group[  9]: 20004
   Group[ 10]: 20001

The corresponding truss output looks like this:

6114:   setgroups(11, 0x08933B50)                       Err#22 EINVAL
6114:             5000    -1 10501 10000 10586 10590 10505 20002 20003 20004
6114:            20001

The group with gid -1 corresponds to a group defined in /etc/group,
the rest come from Active Directory.

Occasionally smbd works correctly, and I see this in the log:

[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 10017
   Primary group is 5000 and contains 10 supplementary groups
   Group[  0]: 5000
   Group[  1]: 10501
   Group[  2]: 10000
   Group[  3]: 10586
   Group[  4]: 10590
   Group[  5]: 10505
   Group[  6]: 20002
   Group[  7]: 20003
   Group[  8]: 20004
   Group[  9]: 20001

This may not be relevant, but I also see the list of groups being shuffled:

[2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 10017
   Primary group is 5000 and contains 11 supplementary groups
   Group[  0]: 5000
   Group[  1]: 10501
   Group[  2]: 10000
   Group[  3]: 10586
   Group[  4]: -1
   Group[  5]: 10590
   Group[  6]: 10505
   Group[  7]: 20002
   Group[  8]: 20003
   Group[  9]: 20004
   Group[ 10]: 20001

The Samba config. looks like this:

[global]
disable spoolss = Yes
disable netbios = yes
show add printer wizard = No
security = ADS
log level = 10
realm = FOO.BAR.COM
password server = *
kerberos method = system keytab
workgroup = INTRA
client lanman auth = no
client ntlmv2 auth = yes
max protocol = SMB2

winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind cache time = 15

idmap config * : range = 20000-30000
idmap config * : backend = tdb
idmap config INTRA : backend = ad
idmap config INTRA : range = 1000-20000
idmap config INTRA : schema_mode = rfc3207

[foo]
path = /live/home/triddel
read only = no
force create mode = 0600
force directory mode = 2700
browsable = no

Can anyone shed any light on this?

Thanks.

Toby
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
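
The failing tokens in the original message can be found mechanically in a level-10 smbd log. The following is an added example, not part of the thread and not Samba code: it parses debug_unix_user_token blocks and flags any token carrying a negative gid such as the -1 that precedes the setgroups() EINVAL above. The function names, the embedded sample log (constructed from the quoted format) and the default ngroups_max of 16 are assumptions.

```python
import re

# Constructed sample in the format of the level-10 log lines quoted in the thread.
SAMPLE_LOG = """\
[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 10017
   Primary group is 5000 and contains 3 supplementary groups
   Group[  0]: 5000
   Group[  1]: -1
   Group[  2]: 10501
[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 10017
   Primary group is 5000 and contains 2 supplementary groups
   Group[  0]: 5000
   Group[  1]: 10501
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+\(debug_unix_user_token\)")
USER = re.compile(r"UNIX token of user (-?\d+)")
COUNT = re.compile(r"contains (\d+) supplementary groups")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")

def parse_tokens(log_text):
    """Return one dict per debug_unix_user_token block found in log_text."""
    tokens, cur = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": m["ts"], "uid": None, "declared": None, "groups": []}
            tokens.append(cur)
        elif line.startswith("["):
            cur = None  # some other debug message begins; stop collecting
        elif cur is not None:
            if (m := USER.search(line)):
                cur["uid"] = int(m[1])
            elif (m := COUNT.search(line)):
                cur["declared"] = int(m[1])
            elif (m := GROUP.search(line)):
                cur["groups"].append(int(m[1]))
    return tokens

def audit(token, ngroups_max=16):
    """List the ways a parsed token looks wrong (ngroups_max is an assumed limit)."""
    problems = []
    bad = [i for i, g in enumerate(token["groups"]) if g < 0]
    if bad:
        problems.append(f"unmapped gid (-1) at index {bad}")
    if token["declared"] != len(token["groups"]):
        problems.append("declared count differs from listed groups")
    if len(token["groups"]) > ngroups_max:
        problems.append(f"more than {ngroups_max} groups")
    return problems
```

Run parse_tokens() over the real log text and call audit() on each result; timestamps of flagged tokens can then be matched against the truss output.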