lejeczek
2019-Oct-05 14:20 UTC
[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
On 05/10/2019 14:10, Rowland penny via samba wrote:
> On 05/10/2019 13:41, lejeczek via samba wrote:
>> hi everyone,
>>
>> I believe a resolution is there -
>> https://access.redhat.com/solutions/4367771
> Which is behind a paywall ;-)
>>
>> But what I'm hoping for is an expert would comment how
>> would this apply to Samba with LDAP backend?
>
> What do you mean 'Samba with LDAP backend' ????
>
> You really shouldn't be running Samba with LDAP any more
> and the problem only occurred on a standalone server and
> was fixed here:
> https://bugzilla.samba.org/show_bug.cgi?id=13697
>
> Rowland
>
>>
>> many thanks, L.

It's not a paywall; it suffices to register with Red Hat, and access to this content is free of charge.
Here:

Environment

- Red Hat Enterprise Linux 7

Issue

After upgrading to samba-4.9.1, samba failed to restart with error messages like:

    Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09 10:00:00.000000,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
    Nov 09 10:00:00 example.com smbd[13641]:   create_local_token failed: NT_STATUS_ACCESS_DENIED
    Nov 09 10:00:00 example.com smbd[13641]: [2018/11/09 10:00:00.000200,  0] ../source3/smbd/server.c:2000(main)
    Nov 09 10:00:00 example.com smbd[13641]:   ERROR: failed to setup guest info.

Resolution

1) Ensure the id map is configured in smb.conf, like:

    [global]
      ...
      idmap config * : backend = tdb
      idmap config * : range = 10000-199999
      idmap config DOMAIN : backend = autorid
      idmap config DOMAIN : range = 200000-2147483647

2) Map group BUILTIN\Guests to group nobody with following command:

    # net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin

3) Restart samba services and replicate the issue:

    # systemctl restart {smb,nmb,winbind}
    # smbclient //$(hostname)/<share> -U DOMAIN\\<user> -d10

Root Cause

- samba-4.9.x expands guest handling to differentiate between anonymous and guest sessions. This required a proper handling of BUILTIN\Guests.
- Old-style configuration does not handle BUILTIN\Guests. Thus samba fails after upgrade when administrators are unaware of this change.

Diagnostic Steps

- Ensure the id map is configured in smb.conf, like:

    [global]
      ...
      idmap config * : backend = tdb
      idmap config * : range = 10000-199999
      idmap config DOMAIN : backend = autorid
      idmap config DOMAIN : range = 200000-2147483647

- Ensure the BUILTIN\Guests is mapped:

    net groupmap list sid=S-1-5-32-546

Shoulds and shouldn'ts do not bother me; I'm doing it, and facing a problem which I'd hope can be solved without changing a lot. User db is in LDAP and winbind is not used.

many thanks, L.
Rowland penny
2019-Oct-05 14:31 UTC
[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
On 05/10/2019 15:20, lejeczek via samba wrote:
> It's not a paywall; it suffices to register with Red Hat, and
> access to this content is free of charge.

OK, then it is behind a registerwall ;-)

> Shoulds and shouldn'ts do not bother me; I'm doing it, and
> facing a problem which I'd hope can be solved without
> changing a lot. User db is in LDAP and winbind is not used.
> many thanks, L.

But it has been fixed in 4.9.2. If you are still using 4.9.1 then upgrade, or if you cannot and Red Hat hasn't backported the fix to 4.9.1, then ask them to.

Rowland
lejeczek
2019-Oct-07 08:19 UTC
[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
On 05/10/2019 15:20, lejeczek via samba wrote:
> Shoulds and shouldn'ts do not bother me; I'm doing it, and
> facing a problem which I'd hope can be solved without
> changing a lot. User db is in LDAP and winbind is not used.
> many thanks, L.

any experts roaming around?

To make it a bit bizarre - it only happens to one of the three Sambas which are virtually identical (same versions on the same Centoses). LDAP user db replicates so all three Sambas see the same stuff yet only one fails spitting errors as in the subject.

Would there be something outside of LDAP which might be different on the one Samba which is the root problem?

many thanks, L.
Rowland penny
2019-Oct-07 09:15 UTC
[Samba] Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
On 07/10/2019 09:19, lejeczek via samba wrote:
> any experts roaming around?

Sort of ;-)

> To make it a bit bizarre - it only happens to one of the three Sambas
> which are virtually identical (same versions on the same Centoses). LDAP
> user db replicates so all three Sambas see the same stuff yet only one
> fails spitting errors as in the subject.
>
> Would there be something outside of LDAP which might be different on the
> one Samba which is the root problem?

This sounds like it is a problem with just that one machine, you will have to compare it with the other two, to try and find any differences.

I have done some checking, your link becomes this:
https://bugzilla.redhat.com/show_bug.cgi?id=1648399

Which links to this:
https://lists.samba.org/archive/samba-technical/2018-September/130375.html

Which ultimately links to this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909465

Which links to this Samba bug report:
https://bugzilla.samba.org/show_bug.cgi?id=13697

Which shows that it is fixed and went into Samba at 4.9.5

Having got that out of the way, I cannot recommend you continue running Samba in this way, you might just as well upgrade to AD, but it is your network ;-)

Rowland
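The comparison suggested in the reply above (one failing server against the two working ones) can be scripted. This is an added example, not part of the original thread or of Samba: it parses the [global] section of smb.conf text gathered from each host, checks the idmap ranges quoted earlier in the thread, and lists settings on which one host differs from the rest. The host names smb1 to smb3 and the sample configurations are constructed.

```python
import re
from collections import Counter

def parse_global(text):
    """Return ({param: value}, [malformed lines]) for the [global] section."""
    params, bad, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section != "global" or not line or line[0] in "#;":
            continue                      # other sections, blanks, comments
        elif "=" not in line:
            bad.append(line)              # smb.conf parameters are "name = value"
        else:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params, bad

def idmap_problems(params):
    """Check idmap ranges: well-formed, default domain '*' present, no overlap."""
    ranges, problems = {}, []
    for key, value in params.items():
        dom = re.fullmatch(r"idmap config (\S+) : range", key)
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and rng and int(rng[1]) < int(rng[2]):
            ranges[dom[1]] = (int(rng[1]), int(rng[2]))
        elif dom:
            problems.append(f"bad range for {dom[1]}: {value!r}")
    if "*" not in ranges:
        problems.append("no usable range for default domain '*'")
    doms = sorted(ranges, key=ranges.get)
    problems += [f"ranges overlap: {a} and {b}" for a, b in zip(doms, doms[1:]) if ranges[b][0] <= ranges[a][1]]
    return problems

def odd_one_out(hosts):
    """From {host: params}, list (param, host, value) where a host differs from the majority."""
    keys = sorted(set().union(*hosts.values()))
    major = {k: Counter(p.get(k) for p in hosts.values()).most_common(1)[0][0] for k in keys}
    return [(k, h, p.get(k)) for k in keys for h, p in hosts.items() if p.get(k) != major[k]]

# Constructed sample: three hosts, smb3 has lost the '=' on the default range line.
GOOD = """[global]
  idmap config * : backend = tdb
  idmap config * : range = 10000-199999
  idmap config DOMAIN : backend = autorid
  idmap config DOMAIN : range = 200000-2147483647
"""
BAD = GOOD.replace("range = 1", "range 1")
HOSTS = {"smb1": parse_global(GOOD)[0], "smb2": parse_global(GOOD)[0], "smb3": parse_global(BAD)[0]}
```

On real servers the input text would be the output of `testparm -s` captured on each host; group mappings and local tdb files are outside what this check covers.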