On Thu, 7 Jun 2018 17:28:43 +0200 Jean-Christophe Delaye via samba <samba at lists.samba.org> wrote:

> On 06/07/2018 04:04 PM, Teddy Brown via samba wrote:
> > Hi,
> >
> > I'm trying to create a new Samba server to share files. We currently have an instance of Samba 3.6 on another server which we are using but need to retire that server.
> >
> > I recently set up a new AD domain on Samba 4.3.11 on Ubuntu 16.04. There are two domain controllers. Most of the PCs are joined to this AD domain.
> >
> > Our user accounts and group memberships are maintained in an LDAP directory. On our Linux servers SSSD is used to authenticate and authorize, and Solaris servers use nsswitch ldap directly.
> >
> > I've followed the instructions here to join the new Samba server (Samba 4.4.14 on Solaris 11.3) to the AD domain.
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > My hope is to use AD for authentication, but for the users & groups to be read by the Samba server OS as if our users were on Unix/Linux directly. Our current Samba 3.6 works this way. We assign permissions in Unix. We don't assign permissions using Windows.
> >
> > Anyways, when I connect it seems to work when I authenticate but then it bails on sys_setgroups.
> >
> > Not sure what to look for now. What information should I provide for help?
>
> Samba may panic when a user is a member of more than NGROUPS_MAX Active Directory groups.
>
> Set ngroups_max to at least the maximum number of groups an Active Directory user belongs to.
>
> As an example, the following line in /etc/system will set ngroups_max to 128:
>
> set ngroups_max = 128
>
> (a reboot is required after changing /etc/system).
>
> > #
> > # smb.conf
> > #======================= Global Settings =====================================
> > [global]
> >    security = ADS
> >    workgroup = MYDOMAIN-AD
> >    server string = Samba Server on LEX
> >    server role = standalone server
> >    log file = /var/samba/log/log.%m
> >    max log size = 50
> >    realm = MYDOMAIN-AD.CTG.QUEENSU.CA
> >    passdb backend = tdbsam
> >
> >    interfaces = 10.1.21.220/16
> >    bind interfaces only = yes
> >    wins support = no
> >
> >    idmap config * : backend = tdb
> >    idmap config * : range = 3000-7999
> >
> >    idmap config MYDOMAIN-AD : backend = nss
> >    idmap config MYDOMAIn-AD : range = 100000-999999
> >
> > #
> > #
> > # some output from: smbd -i -d3
> > ....snip...
> > ldb_wrap open of secrets.ldb
> > check_ntlm_password: winbind authentication for user [teddy] succeeded
> > check_ntlm_password: authentication for user [teddy] -> [teddy] -> [teddy] succeeded
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0xe2088215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0xe2088215
> > Adding homes service for user 'teddy' using home directory: '/home/teddy'
> > adding home's share [teddy] for user 'teddy' at '/home/teddy'
> > Allowed connection from 10.0.61.1 (10.0.61.1)
> > Connect path is '/tmp' for service [IPC$]
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > PANIC (pid 23738): sys_setgroups failed
> > BACKTRACE: 22 stack frames:
> > ....snip....

Did you actually read the OP's smb.conf? It is for a Unix domain member and the OP has explicitly set 'server role = standalone server' and the wrong winbind backend for a Unix domain member. I am also unsure, but I think he may be trying to use the users in the ldap machine in AD; this is never going to work.

I hope he is just testing at this time; if he is, I would suggest upgrading Ubuntu to 18.04 and provisioning Samba on the DC again, but this time read this first:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Then set up a new Unix member server following this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Migrate all the users and groups from the ldap server (or carry out a classicupgrade, see here:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) )

Rowland
Subject: Re: [Samba] sys_setgroups failed on Solaris 11

Thanks for the feedback. This is not a testing environment. We deployed the Samba AD environment for our office PCs about one year ago. I am now trying to get the Samba file sharing into AD.

We use our mixed Linux/Unix environment heavily. All permissions and ACLs are set in Solaris using NFS4 ACLs on a ZFS filesystem.

Our users are in active directory but the groups are not.

My understanding is that Winbind lets Linux see the users & group membership in AD, is this correct?

The groups we have in AD are defined for use with GPOs. All file permissions are set on the filesystem directly.

Our current Samba 3.6 file server seems to map my user "Samba teddy" == "Unix teddy" which is what I'd like for AD. Somehow just use "AD Teddy" = "Unix teddy" and give my Samba account the same access to the files that Unix teddy has.

--
Teddy Brown
Senior Applications Developer Systems Analyst
Canadian Cancer Trials Group, Queen's University
10 Stuart St, Kingston ON, K7L 3N6
(613) 533-6430
On Thu, 7 Jun 2018 15:21:22 -0400 (EDT) Teddy Brown <tbrown at ctg.queensu.ca> wrote:

> Thanks for the feedback. This is not a testing environment. We deployed the Samba AD environment for our office PCs about one year ago. I am now trying to get the Samba file sharing into AD.
>
> We use our mixed Linux/Unix environment heavily. All permissions and ACLs are set in Solaris using NFS4 ACLs on a ZFS filesystem.

Samba uses POSIX ACLs, not NFS4 ACLs, but this shouldn't really be a problem, as long as you do not run the DC on the ZFS filesystem.

> Our users are in active directory but the groups are not.

You need to get the groups into AD.

> My understanding is that Winbind lets Linux see the users & group membership in AD, is this correct?

Yes, but depending on where you look from, you may or may not see users and groups; it all depends on how you set up Samba and libnss_winbind.

> The groups we have in AD are defined for use with GPOs. All file permissions are set on the filesystem directly.

If you moved fully to AD, you could set them from Windows.

> Our current Samba 3.6 file server seems to map my user "Samba teddy" == "Unix teddy" which is what I'd like for AD.

Doesn't work like that in AD. The AD user 'teddy' is 'teddy' on Windows and is either 'DOMAIN\teddy' or 'teddy' on Unix (this depends on whether or not you have 'winbind use default domain = yes' in smb.conf). You also must not have 'teddy' in /etc/passwd or /etc/group (i.e. you cannot have local Unix users or private user groups).

> Somehow just use "AD Teddy" = "Unix teddy" and give my Samba account the same access to the files that Unix teddy has.

Correctly set up, you will use the same username everywhere.

Rowland
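As an added example (not code from the thread or from Samba), the following Python script checks an smb.conf for the two settings Rowland flags in his first reply (the server role and the nss idmap backend on a Unix domain member) and reports which username form winbind gives an AD user depending on 'winbind use default domain', the point made in his second reply. The config text is constructed after the one Teddy posted, with an example.com realm; the checker matches parameter names case-insensitively, which is an assumption of this script.

```python
import configparser

# Constructed smb.conf modelled on the one posted in the thread (not the OP's file verbatim).
SAMPLE_SMB_CONF = """\
[global]
security = ADS
workgroup = MYDOMAIN-AD
server role = standalone server
realm = MYDOMAIN-AD.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN-AD : backend = nss
idmap config MYDOMAIn-AD : range = 100000-999999
"""


def parse_smb_conf(text):
    """Parse smb.conf text; configparser lower-cases keys, so lookups are case-insensitive."""
    # 'idmap config DOM : backend' keys contain ':', so '=' must be the only key/value delimiter.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def param(cp, name, default=""):
    """Fetch a [global] parameter with surrounding whitespace removed."""
    return cp["global"].get(name, default).strip()


def member_server_findings(text):
    """Flag the two settings called out for a Unix domain member: server role and idmap backend."""
    cp = parse_smb_conf(text)
    findings = []
    role = param(cp, "server role")
    if param(cp, "security").lower() == "ads" and role.lower() != "member server":
        findings.append("server role = %s: a Unix domain member needs 'member server'" % role)
    dom = param(cp, "workgroup")
    if param(cp, "idmap config %s : backend" % dom).lower() == "nss":
        findings.append("idmap config %s : backend = nss is the wrong winbind backend for a domain member" % dom)
    return findings


def unix_username(text, ad_user):
    """Name an AD user gets on Unix: bare with 'winbind use default domain = yes', else DOMAIN\\user."""
    cp = parse_smb_conf(text)
    if param(cp, "winbind use default domain").lower() == "yes":
        return ad_user
    return "%s\\%s" % (param(cp, "workgroup"), ad_user)


if __name__ == "__main__":
    for finding in member_server_findings(SAMPLE_SMB_CONF):
        print(finding)
    print("teddy appears on Unix as:", unix_username(SAMPLE_SMB_CONF, "teddy"))
```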