lejeczek
2019-Oct-05 12:41 UTC
[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
hi everyone,

I believe a resolution is there -
https://access.redhat.com/solutions/4367771

But what I'm hoping for is an expert would comment how would this apply
to Samba with LDAP backend?

many thanks, L.
Rowland penny
2019-Oct-05 13:10 UTC
[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
On 05/10/2019 13:41, lejeczek via samba wrote:
> hi everyone,
>
> I believe a resolution is there -
> https://access.redhat.com/solutions/4367771

Which is behind a paywall ;-)

>
> But what I'm hoping for is an expert would comment how would this apply
> to Samba with LDAP backend?

What do you mean 'Samba with LDAP backend' ????

You really shouldn't be running Samba with LDAP any more and the problem only occurred on a standalone server and was fixed here:

https://bugzilla.samba.org/show_bug.cgi?id=13697

Rowland

>
> many thanks, L.
>
lejeczek
2019-Oct-05 14:20 UTC
[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
On 05/10/2019 14:10, Rowland penny via samba wrote:
> On 05/10/2019 13:41, lejeczek via samba wrote:
>> hi everyone,
>>
>> I believe a resolution is there -
>> https://access.redhat.com/solutions/4367771
> Which is behind a paywall ;-)
>>
>> But what I'm hoping for is an expert would comment how
>> would this apply
>> to Samba with LDAP backend?
>
> What do you mean 'Samba with LDAP backend' ????
>
> You really shouldn't be running Samba with LDAP any more
> and the problem only occurred on a standalone server and
> was fixed here:
> https://bugzilla.samba.org/show_bug.cgi?id=13697
>
> Rowland
>
>>
>> many thanks, L.
>>
>
>

It's not a paywall; it suffices to register with Red Hat, and access to this content is free of charge. Here:

Environment

    Red Hat Enterprise Linux 7

Issue

After upgrading to samba-4.9.1, samba failed to restart with error messages like:

    Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09 10:00:00.000000,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
    Nov 09 10:00:00 example.com smbd[13641]:   create_local_token failed: NT_STATUS_ACCESS_DENIED
    Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09 10:00:00.000200,  0] ../source3/smbd/server.c:2000(main)
    Nov 09 10:00:00 example.com smbd[13641]:   ERROR: failed to setup guest info.

Resolution

1) Ensure the id map is configured in smb.conf, like:

    [global]
      ...
      idmap config * : backend = tdb
      idmap config * : range = 10000-199999
      idmap config DOMAIN : backend = autorid
      idmap config DOMAIN : range = 200000-2147483647

2) Map group BUILTIN\Guests to group nobody with the following command:

    # net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin

3) Restart samba services and replicate the issue:

    # systemctl restart {smb,nmb,winbind}
    # smbclient //$(hostname)/<share> -U DOMAIN\\<user> -d10

Root Cause

    samba-4.9.x expands guest handling to differentiate between anonymous and guest sessions. This required proper handling of BUILTIN\Guests.
    Old-style configuration does not handle BUILTIN\Guests. Thus samba fails after upgrade when administrators are unaware of this change.

Diagnostic Steps

    Ensure the id map is configured in smb.conf, like:

    [global]
      ...
      idmap config * : backend = tdb
      idmap config * : range = 10000-199999
      idmap config DOMAIN : backend = autorid
      idmap config DOMAIN : range = 200000-2147483647

    Ensure that BUILTIN\Guests is mapped:

    net groupmap list sid=S-1-5-32-546

Shoulds and should-nots do not bother me; I'm doing it, and facing a problem which I'd hope can be solved without changing a lot. User db is in LDAP and winbind is not used.

many thanks, L.
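
Added example (not part of the original posts or of the quoted Red Hat article): a small Python check for the idmap settings listed under "Diagnostic Steps" above. It goes slightly beyond the quoted steps by also reporting idmap lines that lack '=' and ranges that overlap between domains; the function name check_idmap and the sample text are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample modelled on the thread's [global] section; the
# '*' range line deliberately lacks '=' to show the finding it triggers.
SAMPLE = """\
[global]
    workgroup = DOMAIN
    idmap config * : backend = tdb
    idmap config * : range 10000-199999
    idmap config DOMAIN : backend = autorid
    idmap config DOMAIN : range = 200000-2147483647
"""

IDMAP = re.compile(
    r"^idmap config\s+(\S+)\s*:\s*(backend|range)\b\s*(=?)\s*(.*)$", re.I)

def check_idmap(conf_text):
    """Return a list of findings for idmap lines in the [global] section."""
    findings, domains, section = [], {}, None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = IDMAP.match(line)
        if section != "global" or not m:
            continue
        dom, key = m.group(1).upper(), m.group(2).lower()
        if not m.group(3):                       # not a "key = value" line
            findings.append(f"line {n}: no '=' in idmap {key} for {dom}")
            continue
        domains.setdefault(dom, {})[key] = m.group(4).strip()
    ranges = []
    for dom in sorted(set(domains) | {"*"}):     # default domain is required
        opts = domains.get(dom, {})
        for key in ("backend", "range"):
            if key not in opts:
                findings.append(f"{dom}: missing idmap {key}")
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if r and int(r.group(1)) < int(r.group(2)):
            ranges.append((int(r.group(1)), int(r.group(2)), dom))
        elif "range" in opts:
            findings.append(f"{dom}: invalid range '{opts['range']}'")
    # After sorting by lower bound, two ranges overlap iff lo2 <= hi1.
    for (_, hi1, d1), (lo2, _, d2) in combinations(sorted(ranges), 2):
        if lo2 <= hi1:
            findings.append(f"{d1} and {d2}: ranges overlap")
    return findings
```

An empty list means every idmap domain in [global] has a backend and a well-formed, non-overlapping range; the BUILTIN\Guests mapping itself still has to be confirmed with the net groupmap list command quoted above.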