Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-16 Thread Marcis Lielturks

Hi!

First of all, thanks for replies to all ;)!

Using GCC was a fail for me - too many errors and 2 additional things 
must be compiled (tdb & talloc). I only managed to compile using Sun's 
cc and gmake and will stick to them. I'm a bit further now. Now I don't 
get PKCS 11 errors when trying to do net ads join. I recompiled 
openldap with slapd (but with null backend) and -lpkcs11 in LDFLAGS (I 
think this is what helped). However now I'm getting the following when 
doing net ads join:


[2010/07/16 12:16:54,  3] param/loadparm.c:9158(lp_load_ex)
  lp_load_ex: refreshing parameters
[2010/07/16 12:16:54,  3] param/loadparm.c:4929(init_globals)
  Initialising global parameters
[2010/07/16 12:16:54,  2] param/loadparm.c:4785(max_open_files)
  rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
[2010/07/16 12:16:54.047848,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file /opt/samba/lib/smb.conf
[2010/07/16 12:16:54.047875,  3] param/loadparm.c:7842(do_section)
  Processing section [global]
[2010/07/16 12:16:54.048365,  2] lib/interface.c:338(add_interface)
  added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255 netmask=255.255.255.0
[2010/07/16 12:16:54.048517,  1] libnet/libnet_join.c:1947(libnet_Join)
  libnet_Join:
  libnet_JoinCtx: struct libnet_JoinCtx
  in: struct libnet_JoinCtx
  dc_name  : NULL
  machine_name : 'SAMBA-DEV'
  domain_name  : *
  domain_name  : 'mydomain.COM'
  account_ou   : NULL
  admin_account: 'Administrator'
  admin_password   : *
  machine_password : NULL
  join_flags   : 0x0023 (35)
 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
  os_version   : NULL
  os_name  : NULL
  create_upn   : 0x00 (0)
  upn  : NULL
  modify_config: 0x00 (0)
  ads  : NULL
  debug: 0x01 (1)
  use_kerberos : 0x00 (0)
  secure_channel_type  : SEC_CHAN_WKSTA (2)
[2010/07/16 12:17:00.052208,  2] libads/cldap.c:97(ads_cldap_netlogon)
  cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
[2010/07/16 12:17:00.141661,  3] libsmb/cliconnect.c:2201(cli_start_connection)
  Connecting to host=BORED.mydomain.com
[2010/07/16 12:17:00.141828,  3] lib/util_sock.c:974(open_socket_out_send)
  Connecting to 192.168.0.94 at port 445
[2010/07/16 12:17:00.143207,  3] libsmb/cliconnect.c:991(cli_session_setup_spnego)
  Doing spnego session setup (blob length=107)
[2010/07/16 12:17:00.143274,  3] libsmb/cliconnect.c:1019(cli_session_setup_spnego)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2010/07/16 12:17:00.143302,  3] libsmb/cliconnect.c:1029(cli_session_setup_spnego)
  got principal=bor...@mydomain.com
[2010/07/16 12:17:00.143856,  3] libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
  Got challenge flags:
[2010/07/16 12:17:00.143870,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2010/07/16 12:17:00.143883,  3] libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2010/07/16 12:17:00.143894,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2010/07/16 12:17:00.143984,  3] libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/16 12:17:00.143997,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2010/07/16 12:17:00.177128,  3] libsmb/cliconnect.c:1249(cli_session_setup)
  SPNEGO login failed: Logon failure
[2010/07/16 12:17:00.177159,  1] libsmb/cliconnect.c:2307(cli_full_connection)
  failed session setup with NT_STATUS_LOGON_FAILURE
[2010/07/16 12:17:00.177271,  1] libnet/libnet_join.c:1978(libnet_Join)
  libnet_Join:
  libnet_JoinCtx: struct libnet_JoinCtx
  out: struct libnet_JoinCtx
  account_name : NULL
  netbios_domain_name  : NULL
  dns_domain_name  : NULL
  forest_name   
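
An added example, not code from the post or from Samba: a small Python triage script for a `net ads join` debug trace like the one above. It pulls out what the trace actually says: DC discovery over CLDAP timed out, the DC was nevertheless reached over SMB on port 445, the session setup ran over NTLMSSP rather than Kerberos (use_kerberos : 0), which NTLMSSP flags the two sides settled on, and the DC itself answered NT_STATUS_LOGON_FAILURE, so the DC rejected the credentials presented rather than the connection failing on name resolution or transport. The embedded SAMPLE_LOG is a trimmed copy of lines from the post; the flag bits are from MS-NLMP and the mechanism OIDs are the standard SPNEGO ones.

```python
"""Triage of a `net ads join` debug trace. Added example, not Samba's code.
SAMPLE_LOG is a trimmed copy of the lines in the post above."""
import re
from typing import Dict, List

# NEGOTIATE flag bits from MS-NLMP 2.2.2.5
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY", 0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS", 0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY", 0x00100000: "NEGOTIATE_IDENTIFY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY", 0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}

# SPNEGO mechanism OIDs a Windows DC lists in its NegTokenInit
SPNEGO_MECHS = {
    "1.2.840.48018.1.2.2": "MS KRB5 (legacy OID)",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.113554.1.2.2.3": "Kerberos V5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def decode_ntlmssp_flags(value: int) -> List[str]:
    """Flag names set in a neg_flags value, lowest bit first; unknown bits kept."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def triage_join_log(text: str) -> Dict[str, object]:
    """Reduce a level-3 join trace to the facts that decide where to look next."""
    r: Dict[str, object] = {"cldap": None, "dc_host": None, "dc_ip": None, "dc_port": None,
                            "use_kerberos": None, "offered_mechs": [], "neg_flags": [], "ntstatus": []}
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"cldap_netlogon\(\) failed: (NT_STATUS_\w+)", s):
            r["cldap"] = m.group(1)                     # UDP/389 DC locator result
        elif m := re.match(r"Connecting to host=(\S+)", s):
            r["dc_host"] = m.group(1)
        elif m := re.match(r"Connecting to (\d+(?:\.\d+){3}) at port (\d+)", s):
            r["dc_ip"], r["dc_port"] = m.group(1), int(m.group(2))
        elif m := re.match(r"got OID=(\S+)", s):
            r["offered_mechs"].append(SPNEGO_MECHS.get(m.group(1), m.group(1)))
        elif m := re.match(r"use_kerberos\s*:\s*0x([0-9a-fA-F]+)", s):
            r["use_kerberos"] = bool(int(m.group(1), 16))
        elif m := re.match(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)", s):
            r["neg_flags"].append(int(m.group(1), 16))   # challenge flags, then final flags
        if (m := re.search(r"\b(NT_STATUS_\w+)", s)) and m.group(1) not in r["ntstatus"]:
            r["ntstatus"].append(m.group(1))
    r["auth_mech"] = ("NTLMSSP" if r["neg_flags"]
                      else "Kerberos" if r["use_kerberos"] else "unknown")
    r["final_flags"] = decode_ntlmssp_flags(r["neg_flags"][-1]) if r["neg_flags"] else []
    r["verdict"] = verdict(r)
    return r


def verdict(r: Dict[str, object]) -> str:
    last = r["ntstatus"][-1] if r["ntstatus"] else None
    if r["dc_ip"] is None:
        return "no DC was reached: fix DNS/CLDAP discovery first"
    if r["auth_mech"] == "NTLMSSP" and last == "NT_STATUS_LOGON_FAILURE":
        prefix = "CLDAP timed out but " if r["cldap"] else ""
        return (prefix + "the DC was reached over SMB and rejected the NTLM credentials: "
                "check the account/password used for the join, not name resolution")
    return f"last status: {last}"


SAMPLE_LOG = """\
  use_kerberos : 0x00 (0)
  cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
  Connecting to host=BORED.mydomain.com
  Connecting to 192.168.0.94 at port 445
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
  Got NTLMSSP neg_flags=0x62898215
  NTLMSSP: Set final flags:
  Got NTLMSSP neg_flags=0x60088215
  SPNEGO login failed: Logon failure
  failed session setup with NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    result = triage_join_log(SAMPLE_LOG)
    for key in ("cldap", "dc_host", "dc_ip", "auth_mech", "offered_mechs", "final_flags", "verdict"):
        print(f"{key:14s} {result[key]}")
```

Run it against a full `net ads join -d 3` transcript saved to a file by passing the file contents to triage_join_log. The decoded final flags (sign, NTLM2 session security, 128-bit, key exchange, no seal) are what the client ended up with for an NTLM exchange that carried the Administrator password; a Kerberos-based join (use_kerberos : 1) would show no NTLMSSP flags at all.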

Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-16 Thread Gaiseric Vandal
Which version of Samba?  I had more trouble with Samba 3.5.x.  And I 
have never managed to get Samba to compile with Sun cc.   I figured 
Samba was written with gcc in mind.



The "failed to lookup DC info for domain 'mydomain.COM' over rpc: Logon 
failure" message is interesting -  not sure if you are getting login 
errors before lookup errors.   Is your samba server configured to use your 
AD server as the DNS server?   What version of Windows is the AD 
server?  What domain/forest mode is your AD server in?


In the Windows world clients can locate the login server via 
specific resource records in DNS.   I don't know if Samba does this too 
or is still relying on NetBIOS. I had one AD domain that was in 
NT4-compatibility mode and one AD domain that was in Windows 2003 native 
mode. Changing the client DNS settings on the samba machine seemed to 
help with locating the 2003 native mode DC.




On 07/16/2010 05:29 AM, Marcis Lielturks wrote:

Hi!

First of all, thanks for replies to all ;)!

Using GCC was a fail for me - too many errors and 2 additional things 
must be compiled (tdb & talloc). I only managed to compile using 
Sun's cc and gmake and will stick to them. I'm a bit further now. Now 
I don't get PKCS 11 errors when trying to do net ads join. I 
recompiled openldap with slapd (but with null backend) and -lpkcs11 
in LDFLAGS (I think this is what helped). However now I'm getting the 
following when doing net ads join:


[2010/07/16 12:16:54,  3] param/loadparm.c:9158(lp_load_ex)
  lp_load_ex: refreshing parameters
[2010/07/16 12:16:54,  3] param/loadparm.c:4929(init_globals)
  Initialising global parameters
[2010/07/16 12:16:54,  2] param/loadparm.c:4785(max_open_files)
  rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
[2010/07/16 12:16:54.047848,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file /opt/samba/lib/smb.conf
[2010/07/16 12:16:54.047875,  3] param/loadparm.c:7842(do_section)
  Processing section [global]
[2010/07/16 12:16:54.048365,  2] lib/interface.c:338(add_interface)
  added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255 netmask=255.255.255.0
[2010/07/16 12:16:54.048517,  1] libnet/libnet_join.c:1947(libnet_Join)
  libnet_Join:
  libnet_JoinCtx: struct libnet_JoinCtx
  in: struct libnet_JoinCtx
  dc_name  : NULL
  machine_name : 'SAMBA-DEV'
  domain_name  : *
  domain_name  : 'mydomain.COM'
  account_ou   : NULL
  admin_account: 'Administrator'
  admin_password   : *
  machine_password : NULL
  join_flags   : 0x0023 (35)
 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
  os_version   : NULL
  os_name  : NULL
  create_upn   : 0x00 (0)
  upn  : NULL
  modify_config: 0x00 (0)
  ads  : NULL
  debug: 0x01 (1)
  use_kerberos : 0x00 (0)
  secure_channel_type  : SEC_CHAN_WKSTA (2)
[2010/07/16 12:17:00.052208,  2] libads/cldap.c:97(ads_cldap_netlogon)
  cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
[2010/07/16 12:17:00.141661,  3] libsmb/cliconnect.c:2201(cli_start_connection)
  Connecting to host=BORED.mydomain.com
[2010/07/16 12:17:00.141828,  3] lib/util_sock.c:974(open_socket_out_send)
  Connecting to 192.168.0.94 at port 445
[2010/07/16 12:17:00.143207,  3] libsmb/cliconnect.c:991(cli_session_setup_spnego)
  Doing spnego session setup (blob length=107)
[2010/07/16 12:17:00.143274,  3] libsmb/cliconnect.c:1019(cli_session_setup_spnego)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2010/07/16 12:17:00.143302,  3] libsmb/cliconnect.c:1029(cli_session_setup_spnego)
  got principal=bor...@mydomain.com
[2010/07/16 12:17:00.143856,  3] libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
  Got challenge flags:
[2010/07/16 12:17:00.143870,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2010/07/16 12:17:00.143883,  3] 

Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-16 Thread Marcis Lielturks

Hi! Thanks!


Version is 3.5.4, primary DNS is the AD server. AD is Win2003 Server SP2. 
Domain functional level is Windows Server 2003, forest functional 
level is Windows 2000. I think even 3.0.37 did use DNS (judging by the 
network traffic it made).


It's a pity that there are no instructions on how Sun is compiling its 
3.0.37. All I managed to find was the source and several patches at 
opensolaris.org, but getting to know how it all should be compiled (and 
applied to 3.5.4) could prove to be a painful trial and error process.


MMM
00371 2832 7826

by the way, did you know that the mouse was initially invented
just for simplifying text selection in xterm?


On 07/16/10 04:34 PM, Gaiseric Vandal wrote:
Which version of Samba?  I had more trouble with Samba 3.5.x.  And I 
have never managed to get Samba to compile with Sun cc.   I figured 
Samba was written with gcc in mind.



The "failed to lookup DC info for domain 'mydomain.COM' over rpc: 
Logon failure" message is interesting -  not sure if you are getting 
login errors before lookup errors.   Is your samba server configured to 
use your AD server as the DNS server?   What version of Windows is the 
AD server?  What domain/forest mode is your AD server in?


In the Windows world clients can locate the login server via 
specific resource records in DNS.   I don't know if Samba does this too 
or is still relying on NetBIOS. I had one AD domain that was in 
NT4-compatibility mode and one AD domain that was in Windows 2003 
native mode. Changing the client DNS settings on the samba machine 
seemed to help with locating the 2003 native mode DC.




On 07/16/2010 05:29 AM, Marcis Lielturks wrote:

Hi!

First of all, thanks for replies to all ;)!

Using GCC was a fail for me - too many errors and 2 additional things 
must be compiled (tdb & talloc). I only managed to compile using 
Sun's cc and gmake and will stick to them. I'm a bit further now. Now 
I don't get PKCS 11 errors when trying to do net ads join. I 
recompiled openldap with slapd (but with null backend) and -lpkcs11 
in LDFLAGS (I think this is what helped). However now I'm getting the 
following when doing net ads join:


[2010/07/16 12:16:54,  3] param/loadparm.c:9158(lp_load_ex)
  lp_load_ex: refreshing parameters
[2010/07/16 12:16:54,  3] param/loadparm.c:4929(init_globals)
  Initialising global parameters
[2010/07/16 12:16:54,  2] param/loadparm.c:4785(max_open_files)
  rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
[2010/07/16 12:16:54.047848,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file /opt/samba/lib/smb.conf
[2010/07/16 12:16:54.047875,  3] param/loadparm.c:7842(do_section)
  Processing section [global]
[2010/07/16 12:16:54.048365,  2] lib/interface.c:338(add_interface)
  added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255 netmask=255.255.255.0
[2010/07/16 12:16:54.048517,  1] libnet/libnet_join.c:1947(libnet_Join)
  libnet_Join:
  libnet_JoinCtx: struct libnet_JoinCtx
  in: struct libnet_JoinCtx
  dc_name  : NULL
  machine_name : 'SAMBA-DEV'
  domain_name  : *
  domain_name  : 'mydomain.COM'
  account_ou   : NULL
  admin_account: 'Administrator'
  admin_password   : *
  machine_password : NULL
  join_flags   : 0x0023 (35)
 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
  os_version   : NULL
  os_name  : NULL
  create_upn   : 0x00 (0)
  upn  : NULL
  modify_config: 0x00 (0)
  ads  : NULL
  debug: 0x01 (1)
  use_kerberos : 0x00 (0)
  secure_channel_type  : SEC_CHAN_WKSTA (2)
[2010/07/16 12:17:00.052208,  2] libads/cldap.c:97(ads_cldap_netlogon)
  cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
[2010/07/16 12:17:00.141661,  3] libsmb/cliconnect.c:2201(cli_start_connection)
  Connecting to host=BORED.mydomain.com
[2010/07/16 12:17:00.141828,  3] lib/util_sock.c:974(open_socket_out_send)
  Connecting to 192.168.0.94 at port 445
[2010/07/16 12:17:00.143207,  3] 

Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-15 Thread Gaiseric Vandal
I compiled Samba 3.4.x on Solaris 10. (I have a Samba 3.4.x PDC with 
two Samba 3.0.x BDCs.)  Samba 3.0.x DCs will not support Windows 7 
clients (don't have any yet but it is probably inevitable) and don't 
seem to support trusts with Windows 2003 Native domains (at least it 
didn't for me.)



If you follow the opensolaris forums it seems unlikely that there 
will be a compiled build of 3.4.x or 3.5.x of Samba in Solaris 10 or 
OpenSolaris in the near future.   I don't think it really is a 
licensing or even a major technical issue. There seems to be more 
interest in the CIFS project as an alternative to Samba.   Oracle/Sun sells 
a NAS server that runs on OpenSolaris and uses CIFS so I don't think 
they have much interest in Samba.  I don't see Oracle/Sun paying anyone 
to work on Samba 3.4.x or 3.5.x integration when they have better 
solutions and more important priorities.


To be specific, Samba doesn't require OpenLDAP but it does require LDAP 
with certain functionality. The Solaris-bundled Samba does use 
OpenLDAP.   But if you are compiling it yourself OpenLDAP is the way to 
do it.   Easiest to just get the OpenLDAP precompiled from Blastwave or 
sunfreeware.com.   And there is precompiled Samba available from 
Sunfreeware and Blastwave but it may lack the features you need, so you 
probably need to compile anyway.


If you don't need AD support, then the Sun LDAP client 
functionality should be sufficient.



I didn't know about the NGROUPS_MAX option.  I would have disabled it if 
I had known, since I am subject to the 16 group NFS v3 limit.  (What I 
really need to do is switch to NFS v4 and use kerberos authentication 
for NFS clients.)


The OpenSolaris developer build (from earlier this year, not the 
official release from last year) has updated GCC and other tools that 
may make compiling easier.   GCC from Sun (and even Sunfreeware) uses 
/usr/ccs/bin/ld as the linker. You may need to rename the file and 
symlink it to gld (GNU linker.) Samba compiling also requires that 
you set the CPPFLAGS and LDFLAGS as well.


e.g.


# Sun freeware lives under /usr/sfw (not /usr/swf); add it and the
# Sun build tools first, then the Samba install prefix
PATH=/usr/sfw/bin:/usr/ccs/bin:$PATH
PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY_PATH
LD_LIBRARY_PATH=/usr/local/samba-3.4.5:$LD_LIBRARY_PATH

export PATH LD_LIBRARY_PATH
# quote the multi-word values so the shell keeps them as one variable;
# -R records the runtime library search path in the binaries on Solaris
export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/include"
export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"





I posted questions/results to the list earlier this year about my 
experiences.


On 07/14/2010 05:38 PM, Mārcis Lielturks wrote:



On 15 July 2010 00:28, Jeremy Allison <j...@samba.org> wrote:


On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
 Thanks, the machine won't provide NFS or ssh login services, so
 fiddling with max groups should do no harm!

 I googled a bit and found that samba should be recompiled to take
 advantage of the new NGROUPS_MAX. ./configure logs also suggested that
 NGROUPS_MAX is evaluated only at compile time.

Yep. Recompilation should do the trick once the kernel understands
large numbers of groups.

 Can anybody share experience on compiling samba on OpenSolaris?
 What's the most painless way? I'm considering using the latest 3.5.5
 but maybe I should use the same version Sun (Oracle) is using - 3.0.37?
 I have to set up Samba on 2 servers, which already replicate storage,
 so ID mapping must be consistent between both Samba servers. Servers
 have to provide shares also to trusted domains, but 3.0.37 doesn't
 have idmap_hash and it seems that idmap_rid is not supported to
 provide mappings for more than one domain, so anything newer than
 3.0.37 sounds like the right choice.

The only reason they use 3.0.x is they're still unable to cope
with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
Linux has been shipping GPLv3 Samba for a while. But it's a big
company, you can't expect one part to know what another part is
up to :-).

Yeah, I read about that, but still, I was thinking that as they ship 
3.0.37, it should also be easier to compile because the OS has all that's 
necessary for 3.0.37. Newer Samba versions may have some dependencies 
(new libs or newer versions of libs) that might be harder to satisfy. 
I have never compiled samba so far and all I know at the moment (from 
documentation) is that AD support requires krb5 and openldap 
development libraries and files.



Jeremy.




--
ML


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Share permission problem if user is member in more than 16 groups on AD [SEC=UNCLASSIFIED]

2010-07-15 Thread Wilkinson, Alex

On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote: 

Can anybody share experience on compiling samba on OpenSolaris? What's the
most painless way? I'm considering using the latest 3.5.5 but maybe I should
use the same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
servers, which already replicate storage, so ID mapping must be consistent
between both Samba servers. Servers have to provide shares also to trusted
domains, but 3.0.37 doesn't have idmap_hash and it seems that idmap_rid is not
supported to provide mappings for more than one domain, so anything newer
than 3.0.37 sounds like the right choice.

You could try using http://www.blastwave.org/

It seems to have samba 3.4 in the repo:

[http://www.blastwave.org/jir/pkgcontents.ftd?software=samba&style=brief&state=5&arch=i386]


-Alex

IMPORTANT: This email remains the property of the Department of Defence and is 
subject to the jurisdiction of section 70 of the Crimes Act 1914. If you have 
received this email in error, you are requested to contact the sender and 
delete the email.


Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-15 Thread Marcis Lielturks
Compiled 3.5.4 successfully, but the new binaries seem to be defective or 
missing something. I get errors about PKCS 11 library calls when trying 
to join the domain. I've seen these errors with the original Samba 3.0.37 in 
log.winbindd and log.wb-DOMAIN, but besides that, 3.0.37 worked and 
could join the domain.


# ./net -U 'Administrator%password' ads join
[2010/07/15 16:17:48.692586,  0] libads/sasl.c:818(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Error in the 
PKCS 11 library calls
Failed to join domain: failed to connect to AD: Error in the PKCS 11 
library calls


I'm using Sun's cc for compilation and GNU make (configure didn't 
generate a Makefile until gmake was installed).


  1. I installed openldap stable 20100219 with
     ./configure --disable-slapd --prefix=/opt/samba
  2. Installed Samba with
     export CFLAGS="-I/usr/include/kerberosv5 -I/usr/include/gssapi"
     export LDFLAGS="-lsasl -lgss"
     ./configure --prefix=/opt/samba --with-ads --with-krb5=/usr \
        --with-aio-support \
        --with-static-modules=vfs_zfsacl,idmap_rid,idmap_hash \
        --with-automount

Where to look next? Maybe I have compiled with the wrong options? Should I 
try using only GNU build tools? What about the openldap compilation, I've 
read somewhere that it may leave out some important header files and/or 
libraries and the --enable-null option should be used if I don't need the 
daemon. Should I try that?


I also attached the smbd -b output differences between the original 3.0.37 and 
my 3.5.4 Samba versions. I don't like the line which tells that the new 
version doesn't have the HAVE_KRB5_MIT option.



Thanks!

MMM


On 07/15/10 12:28 AM, Jeremy Allison wrote:

On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:

 Thanks, the machine won't provide NFS or ssh login services, so fiddling with max
 groups should do no harm!

 I googled a bit and found that samba should be recompiled to take advantage
 of the new NGROUPS_MAX. ./configure logs also suggested that NGROUPS_MAX is
 evaluated only at compile time.

Yep. Recompilation should do the trick once the kernel understands
large numbers of groups.

 Can anybody share experience on compiling samba on OpenSolaris? What's the
 most painless way? I'm considering using the latest 3.5.5 but maybe I should
 use the same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
 servers, which already replicate storage, so ID mapping must be consistent
 between both Samba servers. Servers have to provide shares also to trusted
 domains, but 3.0.37 doesn't have idmap_hash and it seems that idmap_rid is not
 supported to provide mappings for more than one domain, so anything newer
 than 3.0.37 sounds like the right choice.


The only reason they use 3.0.x is they're still unable to cope
with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
Linux has been shipping GPLv3 Samba for a while. But it's a big
company, you can't expect one part to know what another part is
up to :-).

Jeremy.
   
--- smbd_minus_b_3.0.37.txt Thu Jul 15 11:37:09 2010
+++ smbd_minus_b_3.5.4_build3.txt   Thu Jul 15 16:10:07 2010
@@ -1,24 +1,27 @@
 Build environment:
-   Built by:g...@sfwnv-x
-   Built on:Tue Feb 16 03:02:36 PST 2010
-   Built using: /opt/SUNWspro.40/SS12/bin/cc
-   Build host:  SunOS sfwnv-x 5.11 snv_132 i86pc i386 i86pc
-   SRCDIR:  /builds2/sfwnv-gate/usr/src/cmd/samba/samba-3.0.37/source
-   BUILDDIR:/builds2/sfwnv-gate/usr/src/cmd/samba/samba-3.0.37/source
+   Built by:r...@samba-dev
+   Built on:Thu Jul 15 16:01:48 EEST 2010
+   Built using: cc
+   Build host:  SunOS samba-dev 5.11 snv_134 i86pc i386 i86pc
+   SRCDIR:  /root/samba-3.5.4/source3
+   BUILDDIR:/root/samba-3.5.4/source3
 
 Paths:
-   SBINDIR: /usr/sfw/sbin
-   BINDIR: /usr/sfw/bin
-   SWATDIR: /usr/sfw/swat
-   CONFIGFILE: /etc/sfw/smb.conf
-   LOGFILEBASE: /var/samba/log
-   LMHOSTSFILE: /etc/sfw/lmhosts
-   LIBDIR: /usr/sfw/lib
+   SBINDIR: /opt/samba/sbin
+   BINDIR: /opt/samba/bin
+   SWATDIR: /opt/samba/swat
+   CONFIGFILE: /opt/samba/lib/smb.conf
+   LOGFILEBASE: /opt/samba/var
+   LMHOSTSFILE: /opt/samba/lib/lmhosts
+   LIBDIR: /opt/samba/lib
+   MODULESDIR: /opt/samba/lib
SHLIBEXT: so
-   LOCKDIR: /var/samba/locks
-   PIDDIR: /var/samba/locks
-   SMB_PASSWD_FILE: /etc/sfw/private/smbpasswd
-   PRIVATE_DIR: /etc/sfw/private
+   LOCKDIR: /opt/samba/var/locks
+   STATEDIR: /opt/samba/var/locks
+   CACHEDIR: /opt/samba/var/locks
+   PIDDIR: /opt/samba/var/locks
+   SMB_PASSWD_FILE: /opt/samba/private/smbpasswd
+   PRIVATE_DIR: /opt/samba/private
 
  System Headers:
HAVE_SYS_ACL_H
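Review bot: The `+   PRIVATE_DIR: /opt/samba/private` and `+   SMB_PASSWD_FILE: /opt/samba/private/smbpasswd` lines move the secrets directory out of the packaged /etc/sfw/private; once the join succeeds this directory holds secrets.tdb with the machine account password, so create /opt/samba/private root-owned with mode 0700 before running net ads join rather than letting it inherit whatever default /opt carries. The same hunk also shows `+   Built by:r...@samba-dev` with SRCDIR /root/samba-3.5.4, i.e. configure and make were run as root; building as an unprivileged user and only installing as root is the safer habit for a tree that will run as a network daemon.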
@@ -56,22 +59,25 @@
HAVE_ALLOCA_H
HAVE_ARPA_INET_H
HAVE_COM_ERR_H
+   HAVE_CRYPT_H
HAVE_CTYPE_H
HAVE_DIRENT_H
HAVE_DLFCN_H
HAVE_EXECINFO_H
-   HAVE_FAM_H
HAVE_FCNTL_H
HAVE_FLOAT_H
HAVE_FNMATCH_H
+   HAVE_GETOPT_H
HAVE_GLOB_H
HAVE_GRP_H
HAVE_GSSAPI_GSSAPI_H
+   HAVE_GSSAPI_H
HAVE_KRB5_H
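Review bot: The hunk is cut off right after `HAVE_KRB5_H`, so the HAVE_KRB5_MIT difference the message singles out is not visible in this excerpt; the only Kerberos-related change actually shown is the new `+   HAVE_GSSAPI_H` header detection (in addition to HAVE_GSSAPI_GSSAPI_H, which both builds have), and `-   HAVE_FAM_H` means the 3.5.4 build lost FAM change notification. When re-posting, include the rest of the diff (the Kerberos library section) so the MIT-versus-other krb5 detection can be compared side by side.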

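Added example, not Samba's code and not from the post: a Python parser for `smbd -b` output with a build-to-build comparison and a required-symbol check, so the kind of difference shown in the diff above (added and removed HAVE_* headers, a relocated PRIVATE_DIR) can be checked mechanically after every rebuild, before attempting a join. The OLD_3_0_37 and NEW_3_5_4 samples are trimmed and constructed from the two sides of the diff; HAVE_KRB5_MIT in the required set is the symbol the poster says is missing, spelled as the poster wrote it and used here only to show how a required-symbol check reports it.

```python
"""Parse and compare `smbd -b` output. Added example, not Samba's code.
OLD_3_0_37 / NEW_3_5_4 are trimmed samples constructed from the two sides
of the diff above."""
from typing import Dict, Set

Build = Dict[str, Dict[str, str]]   # section -> {name: value}; a bare define has value ""


def parse_smbd_b(text: str) -> Build:
    """Sections are lines that end in ':' ("Paths:"); entries are either
    "KEY: value" or a bare symbol such as HAVE_KRB5_H."""
    build: Build = {}
    section = "(none)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and ":" not in line[:-1]:
            section = line[:-1]
            build.setdefault(section, {})
            continue
        key, sep, value = line.partition(":")       # split on the first colon only
        build.setdefault(section, {})[key.strip()] = value.strip() if sep else ""
    return build


def defines(build: Build) -> Set[str]:
    """Every bare symbol (HAVE_*, WITH_*, ...) regardless of section."""
    return {k for entries in build.values() for k, v in entries.items() if v == ""}


def compare_builds(old: Build, new: Build) -> Dict[str, object]:
    """Symbols gained/lost and any path that moved between two builds."""
    po, pn = old.get("Paths", {}), new.get("Paths", {})
    return {
        "added_defines": defines(new) - defines(old),
        "removed_defines": defines(old) - defines(new),
        "changed_paths": {k: (po.get(k), pn.get(k))
                          for k in sorted(po.keys() | pn.keys()) if po.get(k) != pn.get(k)},
    }


def missing_required(build: Build, required: Set[str]) -> Set[str]:
    """Required symbols the build does not define; non-empty means do not ship it."""
    return set(required) - defines(build)


OLD_3_0_37 = """\
Build environment:
   Built by:g...@sfwnv-x
   Built using: /opt/SUNWspro.40/SS12/bin/cc
 Paths:
   SBINDIR: /usr/sfw/sbin
   CONFIGFILE: /etc/sfw/smb.conf
   PRIVATE_DIR: /etc/sfw/private
 System Headers:
   HAVE_COM_ERR_H
   HAVE_FAM_H
   HAVE_GSSAPI_GSSAPI_H
   HAVE_KRB5_H
"""

NEW_3_5_4 = """\
Build environment:
   Built by:r...@samba-dev
   Built using: cc
 Paths:
   SBINDIR: /opt/samba/sbin
   CONFIGFILE: /opt/samba/lib/smb.conf
   MODULESDIR: /opt/samba/lib
   PRIVATE_DIR: /opt/samba/private
 System Headers:
   HAVE_COM_ERR_H
   HAVE_CRYPT_H
   HAVE_GETOPT_H
   HAVE_GSSAPI_GSSAPI_H
   HAVE_GSSAPI_H
   HAVE_KRB5_H
"""

if __name__ == "__main__":
    old, new = parse_smbd_b(OLD_3_0_37), parse_smbd_b(NEW_3_5_4)
    for key, value in compare_builds(old, new).items():
        print(f"{key:16s} {value}")
    # the symbol the poster says went missing between the two builds
    print("missing:", missing_required(new, {"HAVE_KRB5_H", "HAVE_GSSAPI_GSSAPI_H", "HAVE_KRB5_MIT"}))
```

In practice, capture `smbd -b` from the packaged binary and from your own build and feed both files to parse_smbd_b; anything in removed_defines or missing_required is worth understanding before the new binaries touch a domain.
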
[Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-14 Thread Marcis Lielturks

Hi!

Running OpenSolaris snv_134 with Samba 3.0.37. Samba is successfully 
joined to an AD domain. AD user user1 is a member of 17 AD groups including 
group1, but he cannot access a Samba share which has read permissions 
for group1. If the user account is modified and group1 becomes the user's 
primary group, then he can access shares. If the user is a member of only 16 
groups, then permissions work as expected regardless of the user's primary group.


The operating system's ngroups_max is set to 1024. I tested with a local user 
and was able to add the user to 1024 local groups.



--
MMM



Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-14 Thread Gaiseric Vandal

Here is the catch (at least for some people.)

This can break NFS stuff. On my PDC I made a similar change. Home 
directories are not on the PDC.  This fixed the problem of people 
getting login failures when logging into Windows if they had more than 
16 groups.  But if a user tries to ssh into the PDC, and he is in more 
than 16 groups, his login will fail because the home directory can not 
be mounted.  But if your samba server is not functioning as an NFS 
client then it shouldn't be an issue.



My PDC is samba 3.4.x.  The BDCs are 3.0.x.   Samba 3.0.x domain 
controllers didn't check if your Windows groups exceeded the system 
group max. You could login - you might not have all the access to 
directories you thought you should since your effective group list was 
still getting truncated.


With Samba 3.4.x, samba checks to see how many groups you are in, and if 
that exceeds the ngroups_max it aborts your login.   I don't know why.  
It isn't like it is fixing a security hole.  It just gets people mad at me.







On 07/14/2010 07:39 AM, Marcis Lielturks wrote:

Hi!

Running OpenSolaris snv_134 with Samba 3.0.37. Samba is successfully 
joined to an AD domain. AD user user1 is a member of 17 AD groups 
including group1, but he cannot access a Samba share which has read 
permissions for group1. If the user account is modified and group1 
becomes the user's primary group, then he can access shares. If the user is 
a member of only 16 groups, then permissions work as expected regardless 
of the user's primary group.


The operating system's ngroups_max is set to 1024. I tested with a local 
user and was able to add the user to 1024 local groups.






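Added example, not Samba code: a Python model of the behaviour described in the original post and in the reply above, using constructed gids. It shows why a user in 17 groups loses access to a share granted to the 17th group when the daemon is built with NGROUPS_MAX=16, why making that group the primary group works around it, how the 3.0.x-style truncation described above differs from the 3.4.x-style abort, and how to audit a real account on the host for the groups it would lose under a given limit (via os.getgrouplist, Unix only). How the limit counts the primary gid varies between systems; this model applies it to supplementary groups only.

```python
"""Model of the ngroups_max effect described in this thread.
Added example, not Samba's code; gids below are constructed sample values."""
import os
from typing import Dict, List, Optional, Sequence

LEGACY_NGROUPS_MAX = 16    # compile-time limit the stock 3.0.37 build used (per the thread)
KERNEL_NGROUPS_MAX = 1024  # ngroups_max on the poster's OpenSolaris host


def host_ngroups_max() -> Optional[int]:
    """NGROUPS_MAX of the machine this runs on, or None if sysconf cannot say."""
    try:
        value = os.sysconf("SC_NGROUPS_MAX")
    except (ValueError, OSError, AttributeError):
        return None
    return value if value > 0 else None


def effective_gids(primary_gid: int, supplementary: Sequence[int],
                   ngroups_max: int, mode: str = "truncate") -> Optional[List[int]]:
    """Group list a session ends up with when the user has more groups than
    the daemon was compiled for.

    mode="truncate": 3.0.x as described in the reply: the supplementary list is
                     cut at ngroups_max and the session proceeds with less access.
    mode="abort":    3.4.x as described in the reply: the logon is refused (None).
    The primary gid is set separately (setgid), so it always survives; only the
    supplementary list is subject to the limit in this model.
    """
    supp = [g for g in supplementary if g != primary_gid]
    if len(supp) > ngroups_max:
        if mode == "abort":
            return None
        supp = supp[:ngroups_max]          # the tail of the list is silently dropped
    return [primary_gid] + supp


def can_read_share(token_gids: Optional[Sequence[int]],
                   share_read_gids: Sequence[int]) -> bool:
    """POSIX-style check: read access if any gid in the token is granted read."""
    if token_gids is None:                 # no session at all (aborted logon)
        return False
    return bool(set(token_gids) & set(share_read_gids))


# Constructed sample: 10000 is user1's primary group, 10001..10017 are the
# 17 supplementary AD groups, and group1 is the last of them.
DOMAIN_USERS = 10000
GROUP1 = 10017
SEVENTEEN = list(range(10001, 10018))


def reproduce_thread_case() -> Dict[str, bool]:
    """Each situation from the thread, evaluated against the model."""
    return {
        # user1 in 17 groups, Samba built with NGROUPS_MAX=16: group1 falls off
        "17_groups_read_ok": can_read_share(
            effective_gids(DOMAIN_USERS, SEVENTEEN, LEGACY_NGROUPS_MAX), [GROUP1]),
        # same user, group1 made the primary group: it is always in the token
        "group1_primary_read_ok": can_read_share(
            effective_gids(GROUP1, [g for g in SEVENTEEN if g != GROUP1],
                           LEGACY_NGROUPS_MAX), [GROUP1]),
        # only 16 groups: nothing is cut, permissions behave as expected
        "16_groups_read_ok": can_read_share(
            effective_gids(DOMAIN_USERS, SEVENTEEN[:16], LEGACY_NGROUPS_MAX), [10016]),
        # rebuilt against the kernel's 1024: the 17th group survives
        "rebuilt_1024_read_ok": can_read_share(
            effective_gids(DOMAIN_USERS, SEVENTEEN, KERNEL_NGROUPS_MAX), [GROUP1]),
        # 3.4.x behaviour with the old limit: the logon is refused outright
        "samba_3_4_logon_refused": effective_gids(
            DOMAIN_USERS, SEVENTEEN, LEGACY_NGROUPS_MAX, mode="abort") is None,
    }


def groups_lost_by(name: str, limit: int = LEGACY_NGROUPS_MAX) -> Optional[List[str]]:
    """Names of the groups a real local/NSS account would lose under `limit`
    (Unix only; None if the account or os.getgrouplist is unavailable)."""
    try:
        import grp, pwd
        pw = pwd.getpwnam(name)
        gids = os.getgrouplist(name, pw.pw_gid)
    except (ImportError, KeyError, AttributeError, OSError):
        return None
    kept = set(effective_gids(pw.pw_gid, gids, limit) or [])
    names = []
    for g in gids:
        if g not in kept:
            try:
                names.append(grp.getgrgid(g).gr_name)
            except KeyError:
                names.append(str(g))
    return names


if __name__ == "__main__":
    print("host NGROUPS_MAX:", host_ngroups_max())
    for case, result in reproduce_thread_case().items():
        print(f"{case:26s} {result}")
    print("root would lose under 16:", groups_lost_by("root"))
```

The order of the supplementary list decides which groups are lost under truncation, which is why the symptom in the original post looks arbitrary from the user's side: whichever AD groups happen to be enumerated last are the ones that vanish, and only the primary group is guaranteed to survive.
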

Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-14 Thread Mārcis Lielturks
Thanks, the machine won't provide NFS or ssh login services, so fiddling with max
groups should do no harm!

I googled a bit and found that samba should be recompiled to take advantage
of the new NGROUPS_MAX. ./configure logs also suggested that NGROUPS_MAX is
evaluated only at compile time.

Can anybody share experience on compiling samba on OpenSolaris? What's the
most painless way? I'm considering using the latest 3.5.5 but maybe I should
use the same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
servers, which already replicate storage, so ID mapping must be consistent
between both Samba servers. Servers have to provide shares also to trusted
domains, but 3.0.37 doesn't have idmap_hash and it seems that idmap_rid is not
supported to provide mappings for more than one domain, so anything newer
than 3.0.37 sounds like the right choice.

On 14 July 2010 19:46, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:

 Here is the catch (at least for some people.)

 This can break NFS stuff. On my PDC I made a similar change. Home
 directories are not on the PDC.  This fixed the problem of people getting
 login failures when logging into Windows if they had more than 16 groups.
  But if a user tries to ssh into the PDC, and he is in more than 16 groups,
 his login will fail because the home directory can not be mounted.  But if
 your samba server is not functioning as an NFS client then it shouldn't be
 an issue.


 My PDC is samba 3.4.x.  The BDCs are 3.0.x.   Samba 3.0.x domain
 controllers didn't check if your Windows groups exceeded the system group
 max. You could login - you might not have all the access to directories
 you thought you should since your effective group list was still getting
 truncated.

 With Samba 3.4.x, samba checks to see how many groups you are in, and if that
 exceeds the ngroups_max it aborts your login.   I don't know why.  It isn't
 like it is fixing a security hole.  It just gets people mad at me.







 On 07/14/2010 07:39 AM, Marcis Lielturks wrote:

 Hi!

 Running OpenSolaris snv_134 with Samba 3.0.37. Samba is successfully
 joined to an AD domain. AD user user1 is a member of 17 AD groups including
 group1, but he cannot access a Samba share which has read permissions for
 group1. If the user account is modified and group1 becomes the user's primary
 group, then he can access shares. If the user is a member of only 16 groups, then
 permissions work as expected regardless of the user's primary group.

 The operating system's ngroups_max is set to 1024. I tested with a local user
 and was able to add the user to 1024 local groups.







-- 
ML


Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-14 Thread Jeremy Allison
On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
 Thanks, the machine won't provide NFS or ssh login services, so fiddling with max
 groups should do no harm!
 
 I googled a bit and found that samba should be recompiled to take advantage
 of the new NGROUPS_MAX. ./configure logs also suggested that NGROUPS_MAX is
 evaluated only at compile time.

Yep. Recompilation should do the trick once the kernel understands
large numbers of groups.

 Can anybody share experience on compiling samba on OpenSolaris? What's the
 most painless way? I'm considering using the latest 3.5.5 but maybe I should
 use the same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
 servers, which already replicate storage, so ID mapping must be consistent
 between both Samba servers. Servers have to provide shares also to trusted
 domains, but 3.0.37 doesn't have idmap_hash and it seems that idmap_rid is not
 supported to provide mappings for more than one domain, so anything newer
 than 3.0.37 sounds like the right choice.

The only reason they use 3.0.x is they're still unable to cope
with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
Linux has been shipping GPLv3 Samba for a while. But it's a big
company, you can't expect one part to know what another part is
up to :-).

Jeremy.

Re: [Samba] Share permission problem if user is member in more than 16 groups on AD

2010-07-14 Thread Mārcis Lielturks
On 15 July 2010 00:28, Jeremy Allison <j...@samba.org> wrote:

 On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
  Thanks, the machine won't provide NFS or ssh login services, so fiddling with
  max groups should do no harm!
 
  I googled a bit and found that samba should be recompiled to take
  advantage of the new NGROUPS_MAX. ./configure logs also suggested that
  NGROUPS_MAX is evaluated only at compile time.

 Yep. Recompilation should do the trick once the kernel understands
 large numbers of groups.

  Can anybody share experience on compiling samba on OpenSolaris? What's
  the most painless way? I'm considering using the latest 3.5.5 but maybe I
  should use the same version Sun (Oracle) is using - 3.0.37? I have to set
  up Samba on 2 servers, which already replicate storage, so ID mapping must
  be consistent between both Samba servers. Servers have to provide shares
  also to trusted domains, but 3.0.37 doesn't have idmap_hash and it seems
  that idmap_rid is not supported to provide mappings for more than one
  domain, so anything newer than 3.0.37 sounds like the right choice.

 The only reason they use 3.0.x is they're still unable to cope
 with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
 Linux has been shipping GPLv3 Samba for a while. But it's a big
 company, you can't expect one part to know what another part is
 up to :-).


Yeah, I read about that, but still, I was thinking that as they ship 3.0.37,
it should also be easier to compile because the OS has all that's necessary for
3.0.37. Newer Samba versions may have some dependencies (new libs or newer
versions of libs) that might be harder to satisfy. I have never compiled
samba so far and all I know at the moment (from documentation) is that AD
support requires krb5 and openldap development libraries and files.


 Jeremy.




-- 
ML