Hi,

I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server.

I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain.

Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize and Solaris servers use nsswitch ldap directly.

I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows.

Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups.

Not sure what to look for now. What information should I provide for help?

#
# smb.conf
#======================= Global Settings =====================================
[global]
security = ADS
workgroup = MYDOMAIN-AD
server string = Samba Server on LEX
server role = standalone server
log file = /var/samba/log/log.%m
max log size = 50
realm = MYDOMAIN-AD.CTG.QUEENSU.CA
passdb backend = tdbsam

interfaces = 10.1.21.220/16
bind interfaces only = yes
wins support = no

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config MYDOMAIN-AD : backend = nss
idmap config MYDOMAIn-AD : range = 100000-999999

#
#
# some output from: smbd -i -d3
....snip...
ldb_wrap open of secrets.ldb
check_ntlm_password: winbind authentication for user [teddy] succeeded
check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088215
Adding homes service for user 'teddy' using home directory: '/home/teddy'
adding home's share [teddy] for user 'teddy' at '/home/teddy'
Allowed connection from 10.0.61.1 (10.0.61.1)
Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
PANIC (pid 23738): sys_setgroups failed
BACKTRACE: 22 stack frames:
....snip....

--
Teddy Brown
Senior Applications Developer Systems Analyst
Canadian Cancer Trials Group
Queen's University
10 Stuart St, Kingston ON, K7L 3N6
(613) 533-6430
Follow us: [ https://twitter.com/CDNCancerTrials ] [ https://www.linkedin.com/company/canadiancancertrialsgroup | ] [ http://www.cctg.ca/ | cctg.ca ]
On Thu, 7 Jun 2018 10:04:41 -0400 (EDT)
Teddy Brown via samba <samba at lists.samba.org> wrote:

> Hi,
> I'm trying to create a new Samba server to share files. We currently
> have an instance of Samba 3.6 on another server which we are using
> but need to retire that server.
>
> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04.
> There are two domain controllers. Most of the PCs are joined to this
> AD domain.
>

Another one, sigh ;-)
If it is a new AD Domain, why use an EOL version of Samba ???
You would have been better off using 18.04 with Samba 4.7.6

> Our user accounts and group memberships are maintained in an LDAP
> directory. On our Linux servers SSSD is used to authenticate and
> authorize

Around here 'sssd' is a dirty word, it has nothing to do with Samba ;-)

> and Solaris servers use nsswitch ldap directly.

Why not use winbind ?

>
> I've followed the instructions here to join the new Samba server
> (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> My hope is to use AD for authentication, but for the users & groups
> to be read by the Samba server OS as if our users were on Unix/Linux
> directly. Our current Samba 3.6 works this way. We assign permissions
> in Unix. We don't assign permissions using Windows.
>
> Anyways, when I connect it seems to work when I authenticate but then it
> bails on sys_setgroups.
>
> Not sure what to look for now. What information should I provide for
> help?
>
> #
> # smb.conf
> #======================= Global Settings =====================================
> [global]
> security = ADS
> workgroup = MYDOMAIN-AD
> server string = Samba Server on LEX
> server role = standalone server

It cannot be a 'standalone server' and use 'security = ADS'

> log file = /var/samba/log/log.%m
> max log size = 50
> realm = MYDOMAIN-AD.CTG.QUEENSU.CA
> passdb backend = tdbsam
>
> interfaces = 10.1.21.220/16
> bind interfaces only = yes
> wins support = no
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config MYDOMAIN-AD : backend = nss
> idmap config MYDOMAIn-AD : range = 100000-999999

Why the 'nss' backend if you have added uidNumber & gidNumber attributes to AD ?
It should be 'ad'

>
> #
> #
> # some output from: smbd -i -d3
> ....snip...
> ldb_wrap open of secrets.ldb
> check_ntlm_password: winbind authentication for user [teddy] succeeded
> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xe2088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xe2088215
> Adding homes service for user 'teddy' using home directory: '/home/teddy'
> adding home's share [teddy] for user 'teddy' at '/home/teddy'
> Allowed connection from 10.0.61.1 (10.0.61.1)
> Connect path is '/tmp' for service [IPC$]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> PANIC (pid 23738): sys_setgroups failed
> BACKTRACE: 22 stack frames:
> ....snip....
>

Try setting your Unix domain member's smb.conf correctly ;-)

Rowland
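An added example, not code from the thread or from Samba: a small POSIX shell lint that catches the two mistakes Rowland points out for a Unix domain member (standalone role combined with security = ADS, and a per-domain idmap backend other than 'ad'), plus a missing realm. The function names are mine; with no argument it runs against the OP's [global] section, embedded below as the sample.

```shell
#!/bin/sh
# Added example (not from the thread): lint the [global] section of an smb.conf
# for the Unix-domain-member mistakes discussed above. Checks: 'server role =
# standalone server' together with 'security = ADS'; an idmap backend for the
# AD domain other than 'ad' (or 'rid'); and 'security = ADS' without a realm.
# Usage: lint_smbconf /path/to/smb.conf

# Print "key=value" per setting: comments stripped, keys and values lower-cased,
# spaces around ':' in idmap keys removed, so lookups ignore the OP's mixed-case
# domain spelling (MYDOMAIN-AD vs MYDOMAIn-AD).
normalise() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    grep '=' |
    awk -F'=' '{ key = $1; sub(/[ \t]+$/, "", key); gsub(/[ \t]*:[ \t]*/, ":", key)
                 val = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", val)
                 print tolower(key) "=" tolower(val) }'
}

# Value of one normalised key (empty when absent).
getval() { normalise "$2" | awk -F'=' -v k="$1" '$1 == k { print substr($0, index($0, "=") + 1); exit }'; }

# Prints one line per problem; return status is the number of problems (0 = clean).
lint_smbconf() {
    _f=$1; _n=0
    _role=$(getval 'server role' "$_f")
    _sec=$(getval 'security' "$_f")
    _realm=$(getval 'realm' "$_f")
    _wg=$(getval 'workgroup' "$_f")
    _backend=$(getval "idmap config $_wg:backend" "$_f")
    if [ "$_role" = "standalone server" ] && [ "$_sec" = "ads" ]; then
        echo "server role = standalone server conflicts with security = ADS; a domain member needs 'server role = member server'"
        _n=$((_n + 1))
    fi
    if [ "$_sec" = "ads" ] && [ -z "$_realm" ]; then
        echo "security = ADS requires 'realm = <AD DNS domain>'"
        _n=$((_n + 1))
    fi
    case "$_backend" in
        ad|rid) ;;
        "") echo "no 'idmap config $_wg : backend' set for the AD domain"; _n=$((_n + 1)) ;;
        *)  echo "idmap config $_wg : backend = $_backend; use 'ad' when uidNumber/gidNumber live in AD"; _n=$((_n + 1)) ;;
    esac
    return $_n
}

# Constructed sample: the OP's [global] section as posted in the thread.
SAMPLE="${TMPDIR:-/tmp}/smb.conf.sample.$$"
cat > "$SAMPLE" <<'EOF'
[global]
        security = ADS
        workgroup = MYDOMAIN-AD
        server role = standalone server
        realm = MYDOMAIN-AD.CTG.QUEENSU.CA
        passdb backend = tdbsam
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config MYDOMAIN-AD : backend = nss
        idmap config MYDOMAIn-AD : range = 100000-999999
EOF

lint_smbconf "${1:-$SAMPLE}" || echo "$? problem(s) found"
```

Against the sample it reports the role conflict and the 'nss' backend; the realm check passes because the OP did set one.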
On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
> Hi,
> I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server.
>
> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain.
>
> Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize and Solaris servers use nsswitch ldap directly.
>
> I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows.
>
> Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups.
>
> Not sure what to look for now. What information should I provide for help?

Samba may panic when a user is a member of more than NGROUPS_MAX Active Directory groups.

Set ngroups_max to at least the maximum number of groups an Active Directory user belongs to.

As an example, the following line in /etc/system will set ngroups_max to 128:

set ngroups_max = 128

(a reboot is required after changing /etc/system).

>
> #
> # smb.conf
> #======================= Global Settings =====================================
> [global]
> security = ADS
> workgroup = MYDOMAIN-AD
> server string = Samba Server on LEX
> server role = standalone server
> log file = /var/samba/log/log.%m
> max log size = 50
> realm = MYDOMAIN-AD.CTG.QUEENSU.CA
> passdb backend = tdbsam
>
> interfaces = 10.1.21.220/16
> bind interfaces only = yes
> wins support = no
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config MYDOMAIN-AD : backend = nss
> idmap config MYDOMAIn-AD : range = 100000-999999
>
> #
> #
> # some output from: smbd -i -d3
> ....snip...
> ldb_wrap open of secrets.ldb
> check_ntlm_password: winbind authentication for user [teddy] succeeded
> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xe2088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xe2088215
> Adding homes service for user 'teddy' using home directory: '/home/teddy'
> adding home's share [teddy] for user 'teddy' at '/home/teddy'
> Allowed connection from 10.0.61.1 (10.0.61.1)
> Connect path is '/tmp' for service [IPC$]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> PANIC (pid 23738): sys_setgroups failed
> BACKTRACE: 22 stack frames:
> ....snip....
>
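A way to check for the condition Jean-Christophe describes before smbd hits it, as an added example that is not part of the thread: count each account's supplementary groups and compare against the kernel limit (getconf NGROUPS_MAX reports the live value; on Solaris that is the ngroups_max tunable). The function names and the sample records are mine; with no argument the script runs the constructed sample rather than scanning real accounts.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts whose supplementary group
# count exceeds NGROUPS_MAX, the condition under which smbd's sys_setgroups()
# fails as described above.
# Usage: check_users_live [limit]   scans every user getent passwd returns,
#        defaulting the limit to getconf NGROUPS_MAX.

# Number of gids in a whitespace-separated list such as `id -G user` prints.
group_count() { printf '%s\n' "$1" | wc -w | tr -d ' '; }

# Report "user count limit status" for one user's gid list; returns 1 when the
# count exceeds the limit (setgroups() would be refused), else 0.
check_one() {
    _user=$1; _gids=$2; _limit=$3
    _n=$(group_count "$_gids")
    if [ "$_n" -gt "$_limit" ]; then
        echo "$_user $_n $_limit OVER"; return 1
    fi
    echo "$_user $_n $_limit ok"
}

# Reads "user:gid gid ..." records on stdin; return status is the number of
# users over the limit (0 = nobody would trip sys_setgroups).
over_limit() {
    _limit=$1; _over=0
    while IFS=: read -r _u _g; do
        [ -n "$_u" ] || continue
        check_one "$_u" "$_g" "$_limit" || _over=$((_over + 1))
    done
    return $_over
}

# Live scan: every account visible through nsswitch (files, ldap, winbind).
check_users_live() {
    _limit=${1:-$(getconf NGROUPS_MAX)}
    getent passwd | cut -d: -f1 | while read -r _u; do
        printf '%s:%s\n' "$_u" "$(id -G "$_u" 2>/dev/null)"
    done | over_limit "$_limit"
}

# Constructed sample (not real accounts): teddy in 20 groups against the
# limit of 16 mentioned in the thread; alice in 3.
SAMPLE_RECORDS='teddy:100 518 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018
alice:100 518 1001'

if [ "$#" -gt 0 ]; then
    check_users_live "$1"
else
    printf '%s\n' "$SAMPLE_RECORDS" | over_limit 16 || echo "$? user(s) over the limit"
fi
```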
If you have an Oracle support contract, the Solaris 11 updates should bring you up to samba 4.6.x or 4.7.x. You may get warnings about NGROUPS_MAX exceeding 16 but it should not cause samba to crash (I have several Solaris 11 machines.) This should have been fixed since Samba 3.6.x if not earlier.

My /etc/nsswitch.conf file includes

passwd: files ldap winbind
group: files ldap winbind

This does mean that "getent" shows double users, but this is not a problem if the uidNumber and gidNumber is set.

# getent passwd | grep myname
myname:x:123:518::/home/myname:/bin/bash
MYDOMAIN\mydomain:*:123:518:Firstname Lastname:/home/MYDOMAIN/myname:/bin/false

My smb.conf includes

idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999

This allows us to have consistent permissions between NFS and Windows clients.

Originally we were in a classic domain (Samba domain controllers with Oracle's LDAP server as the backend for unix and samba accounts.) We reconfigured as an AD domain, with Windows servers as domain controllers. But it shouldn't change the unix-to-windows mapping approach.

On 06/07/18 11:28, Jean-Christophe Delaye via samba wrote:
> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
>> Hi,
>> I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server.
>>
>> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain.
>>
>> Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize and Solaris servers use nsswitch ldap directly.
>>
>> I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain.
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows.
>>
>> Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups.
>>
>> Not sure what to look for now. What information should I provide for help?
> Samba may panic when a user is a member of more than NGROUPS_MAX Active
> Directory groups.
>
> Set ngroups_max to at least the maximum number of groups an Active
> Directory user belongs to.
>
> As an example, the following line in /etc/system will set ngroups_max to
> 128:
>
> set ngroups_max = 128
>
> (a reboot is required after changing /etc/system).
>
>
>> #
>> # smb.conf
>> #======================= Global Settings =====================================
>> [global]
>> security = ADS
>> workgroup = MYDOMAIN-AD
>> server string = Samba Server on LEX
>> server role = standalone server
>> log file = /var/samba/log/log.%m
>> max log size = 50
>> realm = MYDOMAIN-AD.CTG.QUEENSU.CA
>> passdb backend = tdbsam
>>
>> interfaces = 10.1.21.220/16
>> bind interfaces only = yes
>> wins support = no
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>>
>> idmap config MYDOMAIN-AD : backend = nss
>> idmap config MYDOMAIn-AD : range = 100000-999999
>>
>> #
>> #
>> # some output from: smbd -i -d3
>> ....snip...
>> ldb_wrap open of secrets.ldb
>> check_ntlm_password: winbind authentication for user [teddy] succeeded
>> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0xe2088215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0xe2088215
>> Adding homes service for user 'teddy' using home directory: '/home/teddy'
>> adding home's share [teddy] for user 'teddy' at '/home/teddy'
>> Allowed connection from 10.0.61.1 (10.0.61.1)
>> Connect path is '/tmp' for service [IPC$]
>> Initialising default vfs hooks
>> Initialising custom vfs hooks from [/[Default VFS]/]
>> PANIC (pid 23738): sys_setgroups failed
>> BACKTRACE: 22 stack frames:
>> ....snip....
>>
>
On Thu, 7 Jun 2018 17:28:43 +0200
Jean-Christophe Delaye via samba <samba at lists.samba.org> wrote:

> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
> > Hi,
> > I'm trying to create a new Samba server to share files. We
> > currently have an instance of Samba 3.6 on another server which we
> > are using but need to retire that server.
> >
> > I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04.
> > There are two domain controllers. Most of the PCs are joined to
> > this AD domain.
> >
> > Our user accounts and group memberships are maintained in an LDAP
> > directory. On our Linux servers SSSD is used to authenticate and
> > authorize and Solaris servers use nsswitch ldap directly.
> >
> > I've followed the instructions here to join the new Samba server
> > (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > My hope is to use AD for authentication, but for the users & groups
> > to be read by the Samba server OS as if our users were on
> > Unix/Linux directly. Our current Samba 3.6 works this way. We
> > assign permissions in Unix. We don't assign permissions using
> > Windows.
> >
> > Anyways, when I connect it seems to work when I authenticate but then
> > it bails on sys_setgroups.
> >
> > Not sure what to look for now. What information should I provide
> > for help?
> Samba may panic when a user is a member of more than NGROUPS_MAX Active
> Directory groups.
>
> Set ngroups_max to at least the maximum number of groups an Active
> Directory user belongs to.
>
> As an example, the following line in /etc/system will set ngroups_max
> to 128:
>
> set ngroups_max = 128
>
> (a reboot is required after changing /etc/system).
>
>
> > #
> > # smb.conf
> > #======================= Global Settings =====================================
> > [global]
> > security = ADS
> > workgroup = MYDOMAIN-AD
> > server string = Samba Server on LEX
> > server role = standalone server
> > log file = /var/samba/log/log.%m
> > max log size = 50
> > realm = MYDOMAIN-AD.CTG.QUEENSU.CA
> > passdb backend = tdbsam
> >
> > interfaces = 10.1.21.220/16
> > bind interfaces only = yes
> > wins support = no
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> >
> > idmap config MYDOMAIN-AD : backend = nss
> > idmap config MYDOMAIn-AD : range = 100000-999999
> >
> > #
> > #
> > # some output from: smbd -i -d3
> > ....snip...
> > ldb_wrap open of secrets.ldb
> > check_ntlm_password: winbind authentication for user [teddy] succeeded
> > check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0xe2088215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0xe2088215
> > Adding homes service for user 'teddy' using home directory: '/home/teddy'
> > adding home's share [teddy] for user 'teddy' at '/home/teddy'
> > Allowed connection from 10.0.61.1 (10.0.61.1)
> > Connect path is '/tmp' for service [IPC$]
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > PANIC (pid 23738): sys_setgroups failed
> > BACKTRACE: 22 stack frames:
> > ....snip....
> >
>

Did you actually read the OP's smb.conf ?
It is for a Unix domain member and the OP has explicitly set 'server role = standalone server' and the wrong winbind backend for a Unix domain member.

I am also unsure, but I think he may be trying to use the users in the ldap machine in AD, this is never going to work.

I hope he is just testing at this time, if he is, I would suggest upgrading Ubuntu to 18.04 and provision Samba on the DC again, but this time read this first:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Then setup a new Unix member server following this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Migrate all the users and groups from the ldap server (or carry out a classicupgrade, see here:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) )

Rowland
I'm using an EOL version of Samba because it was at the time of installation the latest version available from Solaris 11.3 (which is the server which has the files and permissions on a ZFS filesystem with NFS4 ACLs) and Ubuntu 16.04 (which is running our domain controllers). It appears 4.4 is the latest version available from Oracle.

We have 3 of the Ubuntu servers with role "active directory domain controller". If I upgrade them one-by-one to 18.04 what effect will this have on the domain environment? Will I need to take any action on the Samba AD?

From: "samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Sent: Thursday, June 7, 2018 10:32:25 AM
Subject: Re: [Samba] sys_setgroups failed on Solaris 11

On Thu, 7 Jun 2018 10:04:41 -0400 (EDT)
Teddy Brown via samba <samba at lists.samba.org> wrote:

> Hi,
> I'm trying to create a new Samba server to share files. We currently
> have an instance of Samba 3.6 on another server which we are using
> but need to retire that server.
>
> I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04.
> There are two domain controllers. Most of the PCs are joined to this
> AD domain.
>

Another one, sigh ;-)
If it is a new AD Domain, why use an EOL version of Samba ???
You would have been better off using 18.04 with Samba 4.7.6

> Our user accounts and group memberships are maintained in an LDAP
> directory. On our Linux servers SSSD is used to authenticate and
> authorize

Around here 'sssd' is a dirty word, it has nothing to do with Samba ;-)

> and Solaris servers use nsswitch ldap directly.

Why not use winbind ?

>
> I've followed the instructions here to join the new Samba server
> (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> My hope is to use AD for authentication, but for the users & groups
> to be read by the Samba server OS as if our users were on Unix/Linux
> directly. Our current Samba 3.6 works this way. We assign permissions
> in Unix. We don't assign permissions using Windows.
>
> Anyways, when I connect it seems to work when I authenticate but then it
> bails on sys_setgroups.
>
> Not sure what to look for now. What information should I provide for
> help?
>
> #
> # smb.conf
> #======================= Global Settings =====================================
> [global]
> security = ADS
> workgroup = MYDOMAIN-AD
> server string = Samba Server on LEX
> server role = standalone server

It cannot be a 'standalone server' and use 'security = ADS'

> log file = /var/samba/log/log.%m
> max log size = 50
> realm = MYDOMAIN-AD.CTG.QUEENSU.CA
> passdb backend = tdbsam
>
> interfaces = 10.1.21.220/16
> bind interfaces only = yes
> wins support = no
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config MYDOMAIN-AD : backend = nss
> idmap config MYDOMAIn-AD : range = 100000-999999

Why the 'nss' backend if you have added uidNumber & gidNumber attributes to AD ?
It should be 'ad'

>
> #
> #
> # some output from: smbd -i -d3
> ....snip...
> ldb_wrap open of secrets.ldb
> check_ntlm_password: winbind authentication for user [teddy] succeeded
> check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xe2088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xe2088215
> Adding homes service for user 'teddy' using home directory: '/home/teddy'
> adding home's share [teddy] for user 'teddy' at '/home/teddy'
> Allowed connection from 10.0.61.1 (10.0.61.1)
> Connect path is '/tmp' for service [IPC$]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> PANIC (pid 23738): sys_setgroups failed
> BACKTRACE: 22 stack frames:
> ....snip....
>

Try setting your Unix domain member's smb.conf correctly ;-)

Rowland