Toby Riddell
2012-Apr-12 17:21 UTC
[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent
Hi all,

I'm having an issue with Samba 3.6.4 on Solaris using Active Directory with a Windows Server 2008 domain controller. I should state early on that I do not believe this is a manifestation of the Solaris 16 group limit - the number of groups is well below 16.

Winbind seems to be working fine - I can use wbinfo -r to check the groups that a user is a member of, it returns the list of Active Directory groups that the userid belongs to:

# /opt/samba/bin/wbinfo -r triddel
5000
10501
10000
10586
20001

(You'll note that the above list differs from the lists below - this is because some of the groups have no NIS domain defined in AD.)

What I see is smbd panicking when initialising groups for a user, it seems to be trying (and failing) to set one of the groups to -1:

[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 11 supplementary groups
  Group[ 0]: 5000
  Group[ 1]: -1
  Group[ 2]: 10501
  Group[ 3]: 10000
  Group[ 4]: 10586
  Group[ 5]: 10590
  Group[ 6]: 10505
  Group[ 7]: 20002
  Group[ 8]: 20003
  Group[ 9]: 20004
  Group[ 10]: 20001

The corresponding truss output looks like this:

6114: setgroups(11, 0x08933B50) Err#22 EINVAL
6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
6114: 20001

The group with gid -1 corresponds to a group defined in /etc/group, the rest come from Active Directory.

Occasionally smbd works correctly, and I see this in the log:

[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 10 supplementary groups
  Group[ 0]: 5000
  Group[ 1]: 10501
  Group[ 2]: 10000
  Group[ 3]: 10586
  Group[ 4]: 10590
  Group[ 5]: 10505
  Group[ 6]: 20002
  Group[ 7]: 20003
  Group[ 8]: 20004
  Group[ 9]: 20001

This may not be relevant, but I also see the list of groups being shuffled:

[2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10017
  Primary group is 5000 and contains 11 supplementary groups
  Group[ 0]: 5000
  Group[ 1]: 10501
  Group[ 2]: 10000
  Group[ 3]: 10586
  Group[ 4]: -1
  Group[ 5]: 10590
  Group[ 6]: 10505
  Group[ 7]: 20002
  Group[ 8]: 20003
  Group[ 9]: 20004
  Group[ 10]: 20001

The Samba config. looks like this:

[global]
    disable spoolss = Yes
    disable netbios = yes
    show add printer wizard = No
    security = ADS
    log level = 10
    realm = FOO.BAR.COM
    password server = *
    kerberos method = system keytab
    workgroup = INTRA
    client lanman auth = no
    client ntlmv2 auth = yes
    max protocol = SMB2

    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    winbind use default domain = yes
    winbind nss info = rfc2307
    winbind refresh tickets = yes
    winbind cache time = 15

    idmap config * : range = 20000-30000
    idmap config * : backend = tdb
    idmap config INTRA : backend = ad
    idmap config INTRA : range = 1000-20000
    idmap config INTRA : schema_mode = rfc3207

[foo]
    path = /live/home/triddel
    read only = no
    force create mode = 0600
    force directory mode = 2700
    browsable = no

Can anyone shed any light on this?

Thanks.

Toby

Bart Janssens
2012-Apr-12 18:44 UTC
[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent
From the Solaris man page of http://docs.oracle.com/cd/E19963-01/html/821-1463/getgroups-2.html

...
The setgroups() function will fail if:

EINVAL    The value of /ngroups/ is greater than {NGROUPS_MAX}.
...

According to your truss, setgroups returns EINVAL.

Solaris (10) no longer has the 16 group limitation. Starting from Solaris 10 Update 10, or starting with the patch bundle 144500-07 <http://wesunsolve.net/patch/id/144500-07> (sparc) / 144501-07 <http://wesunsolve.net/patch/id/144501-07> (x86), one can set ngroups_max up to 1024 in /etc/system (a reboot is required).

I recommend that you upgrade to Solaris 10 update 10.

HTH,
Bart

On 12/04/12 19:21, Toby Riddell wrote:
> Hi all,
>
> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
> with a Windows Server 2008 domain controller. I should state early on
> that I do not believe this is a manifestation of the Solaris 16 group
> limit - the number of groups is well below 16.
>
> Winbind seems to be working fine - I can use wbinfo -r to check the
> groups that a user is a member of, it returns the list of Active
> Directory groups that the userid belongs to:
>
> # /opt/samba/bin/wbinfo -r triddel
> 5000
> 10501
> 10000
> 10586
> 20001
>
> (You'll note that the above list differs from the lists below - this
> is because some of the groups have no NIS domain defined in AD.)
>
> What I see is smbd panicking when initialising groups for a user, it
> seems to be trying (and failing) to set one of the groups to -1:
>
> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 10017
>   Primary group is 5000 and contains 11 supplementary groups
>   Group[ 0]: 5000
>   Group[ 1]: -1
>   Group[ 2]: 10501
>   Group[ 3]: 10000
>   Group[ 4]: 10586
>   Group[ 5]: 10590
>   Group[ 6]: 10505
>   Group[ 7]: 20002
>   Group[ 8]: 20003
>   Group[ 9]: 20004
>   Group[ 10]: 20001
>
> The corresponding truss output looks like this:
>
> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
> 6114: 20001
>
> The group with gid -1 corresponds to a group defined in /etc/group,
> the rest come from Active Directory.
>
> Occasionally smbd works correctly, and I see this in the log:
>
> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 10017
>   Primary group is 5000 and contains 10 supplementary groups
>   Group[ 0]: 5000
>   Group[ 1]: 10501
>   Group[ 2]: 10000
>   Group[ 3]: 10586
>   Group[ 4]: 10590
>   Group[ 5]: 10505
>   Group[ 6]: 20002
>   Group[ 7]: 20003
>   Group[ 8]: 20004
>   Group[ 9]: 20001
>
> This may not be relevant, but I also see the list of groups being shuffled:
>
> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 10017
>   Primary group is 5000 and contains 11 supplementary groups
>   Group[ 0]: 5000
>   Group[ 1]: 10501
>   Group[ 2]: 10000
>   Group[ 3]: 10586
>   Group[ 4]: -1
>   Group[ 5]: 10590
>   Group[ 6]: 10505
>   Group[ 7]: 20002
>   Group[ 8]: 20003
>   Group[ 9]: 20004
>   Group[ 10]: 20001
>
> The Samba config. looks like this:
>
> [global]
>     disable spoolss = Yes
>     disable netbios = yes
>     show add printer wizard = No
>     security = ADS
>     log level = 10
>     realm = FOO.BAR.COM
>     password server = *
>     kerberos method = system keytab
>     workgroup = INTRA
>     client lanman auth = no
>     client ntlmv2 auth = yes
>     max protocol = SMB2
>
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind separator = +
>     winbind use default domain = yes
>     winbind nss info = rfc2307
>     winbind refresh tickets = yes
>     winbind cache time = 15
>
>     idmap config * : range = 20000-30000
>     idmap config * : backend = tdb
>     idmap config INTRA : backend = ad
>     idmap config INTRA : range = 1000-20000
>     idmap config INTRA : schema_mode = rfc3207
>
> [foo]
>     path = /live/home/triddel
>     read only = no
>     force create mode = 0600
>     force directory mode = 2700
>     browsable = no
>
> Can anyone shed any light on this?
>
> Thanks.
>
> Toby

Gaiseric Vandal
2012-Apr-12 21:00 UTC
[Samba] Samba 3.6.4 on Solaris - groups for user inconsistent
Can you add a group mapping for your "unix" group to a Windows group? ("net groupmap add ....")

If you do a "groups triddel" on the unix command line, how many groups are you in? Unix groups mapped to Windows groups get double-counted, which can push you over 16 groups.

My environment is Samba 3.x PDCs, so not the same as yours.

FYI: The latest (as of a few months back) Solaris 10 kernels finally let you set ngroups_max=1024.

147441-10 (x86_64)
147440-10 (sparc)

Most previous ones allowed ngroups_max=32. Except 147441-09 /147441-09 actually rolled it back to ngroups_max=16.

On 04/12/12 13:21, Toby Riddell wrote:
> Hi all,
>
> I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
> with a Windows Server 2008 domain controller. I should state early on
> that I do not believe this is a manifestation of the Solaris 16 group
> limit - the number of groups is well below 16.
>
> Winbind seems to be working fine - I can use wbinfo -r to check the
> groups that a user is a member of, it returns the list of Active
> Directory groups that the userid belongs to:
>
> # /opt/samba/bin/wbinfo -r triddel
> 5000
> 10501
> 10000
> 10586
> 20001
>
> (You'll note that the above list differs from the lists below - this
> is because some of the groups have no NIS domain defined in AD.)
>
> What I see is smbd panicking when initialising groups for a user, it
> seems to be trying (and failing) to set one of the groups to -1:
>
> [2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 10017
>   Primary group is 5000 and contains 11 supplementary groups
>   Group[ 0]: 5000
>   Group[ 1]: -1
>   Group[ 2]: 10501
>   Group[ 3]: 10000
>   Group[ 4]: 10586
>   Group[ 5]: 10590
>   Group[ 6]: 10505
>   Group[ 7]: 20002
>   Group[ 8]: 20003
>   Group[ 9]: 20004
>   Group[ 10]: 20001
>
> The corresponding truss output looks like this:
>
> 6114: setgroups(11, 0x08933B50) Err#22 EINVAL
> 6114: 5000 -1 10501 10000 10586 10590 10505 20002 20003 20004
> 6114: 20001
>
> The group with gid -1 corresponds to a group defined in /etc/group,
> the rest come from Active Directory.
>
> Occasionally smbd works correctly, and I see this in the log:
>
> [2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 10017
>   Primary group is 5000 and contains 10 supplementary groups
>   Group[ 0]: 5000
>   Group[ 1]: 10501
>   Group[ 2]: 10000
>   Group[ 3]: 10586
>   Group[ 4]: 10590
>   Group[ 5]: 10505
>   Group[ 6]: 20002
>   Group[ 7]: 20003
>   Group[ 8]: 20004
>   Group[ 9]: 20001
>
> This may not be relevant, but I also see the list of groups being shuffled:
>
> [2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 10017
>   Primary group is 5000 and contains 11 supplementary groups
>   Group[ 0]: 5000
>   Group[ 1]: 10501
>   Group[ 2]: 10000
>   Group[ 3]: 10586
>   Group[ 4]: -1
>   Group[ 5]: 10590
>   Group[ 6]: 10505
>   Group[ 7]: 20002
>   Group[ 8]: 20003
>   Group[ 9]: 20004
>   Group[ 10]: 20001
>
> The Samba config. looks like this:
>
> [global]
>     disable spoolss = Yes
>     disable netbios = yes
>     show add printer wizard = No
>     security = ADS
>     log level = 10
>     realm = FOO.BAR.COM
>     password server = *
>     kerberos method = system keytab
>     workgroup = INTRA
>     client lanman auth = no
>     client ntlmv2 auth = yes
>     max protocol = SMB2
>
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind separator = +
>     winbind use default domain = yes
>     winbind nss info = rfc2307
>     winbind refresh tickets = yes
>     winbind cache time = 15
>
>     idmap config * : range = 20000-30000
>     idmap config * : backend = tdb
>     idmap config INTRA : backend = ad
>     idmap config INTRA : range = 1000-20000
>     idmap config INTRA : schema_mode = rfc3207
>
> [foo]
>     path = /live/home/triddel
>     read only = no
>     force create mode = 0600
>     force directory mode = 2700
>     browsable = no
>
> Can anyone shed any light on this?
>
> Thanks.
>
> Toby
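
The check below is an added example, not code from any poster in this thread or from Samba: it parses smbd debug_unix_user_token dumps like the ones in the first post and reports, per token, the two conditions the thread discusses, a negative gid in the list and a group count above a limit. The function names, the default limit of 16 and the sample log (constructed from the values in the first post) are assumptions.

```python
import re

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*\d+\]\s+\S+\((\w+)\)")
USER = re.compile(r"UNIX token of user (\d+)")
GROUP = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")

def parse_tokens(log_text):
    """Collect each debug_unix_user_token dump as {'ts', 'uid', 'gids'}."""
    tokens, cur = [], None
    for line in log_text.splitlines():
        if (m := HEADER.match(line.strip())):
            # Any log header ends the previous dump; only token dumps open one.
            cur = None
            if m[2] == "debug_unix_user_token":
                cur = {"ts": m[1], "uid": None, "gids": []}
                tokens.append(cur)
        elif cur is not None and (m := USER.search(line)):
            cur["uid"] = int(m[1])
        elif cur is not None and (m := GROUP.search(line)):
            cur["gids"].append(int(m[1]))
    return tokens

def check_token(tok, ngroups_max=16):
    """Findings for one token; ngroups_max=16 is an assumed limit, adjust it."""
    findings = []
    bad = [i for i, g in enumerate(tok["gids"]) if g < 0]
    if bad:
        findings.append(f"negative gid at index {bad}")
    if len(tok["gids"]) > ngroups_max:
        findings.append(f"{len(tok['gids'])} groups exceeds ngroups_max={ngroups_max}")
    return findings

def audit(log_text, ngroups_max=16):
    """(timestamp, uid, findings) for every token with at least one finding."""
    rows = ((t["ts"], t["uid"], check_token(t, ngroups_max)) for t in parse_tokens(log_text))
    return [r for r in rows if r[2]]

# Constructed sample: rebuilds two dumps in the shape shown in the first post.
def _dump(ts, gids):
    head = (f"[{ts}, 10] auth/token_util.c:527(debug_unix_user_token)\n"
            f"  UNIX token of user 10017\n  Primary group is {gids[0]} and "
            f"contains {len(gids)} supplementary groups\n")
    return head + "".join(f"  Group[{i:3d}]: {g}\n" for i, g in enumerate(gids))

OK_GIDS = [5000, 10501, 10000, 10586, 10590, 10505, 20002, 20003, 20004, 20001]
SAMPLE_LOG = (_dump("2012/04/12 18:01:20.950498", OK_GIDS[:1] + [-1] + OK_GIDS[1:])
              + _dump("2012/04/12 17:57:58.790716", OK_GIDS))

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

On the constructed sample only the 18:01:20 token is reported, for the -1 entry at index 1; its 11 groups stay under the assumed limit of 16.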