From: Gaiseric Vandal on
Here is the catch (at least for some people.)

This can break NFS stuff. On my PDC I made a similar change. Home
directories are not on the PDC. This fixed the problem of people
getting login failures when logging into Windows if they had more than
16 groups. But if a user tries to ssh into the PDC, and he is in more
than 16 groups, his login will fail because the home directory cannot
be mounted. But if your Samba server is not functioning as an NFS
client then it shouldn't be an issue.


My PDC is Samba 3.4.x. The BDCs are 3.0.x. Samba 3.0.x domain
controllers didn't check if your Windows groups exceeded the system
group max. You could log in; you might not have all the access to
directories you thought you should, since your effective group list was
still getting truncated.

With Samba 3.4.x, samba checks to see how many groups you are in, and if
that exceeds ngroups_max it aborts your login. I don't know why.
It isn't like it is fixing a security hole. It just gets people mad at me.
On 07/14/2010 07:39 AM, Marcis Lielturks wrote:
> Hi!
>
> Running OpenSolaris snv_134 with Samba 3.0.37. Samba is successfully
> joined to the AD domain. AD user "user1" is a member of 17 AD groups
> including "group1", but he cannot access a Samba share which has read
> permissions for "group1". If the user account is modified and "group1"
> becomes the user's primary group, then he can access shares. If the user is
> a member of only 16 groups, then permissions work as expected regardless
> of the user's primary group.
>
> The operating system's "ngroups_max" is set to 1024. I tested with a local
> user and was able to add the user to 1024 local groups.
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
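A check for the limit discussed above, added here as an example and not part of the thread: it counts a user's Unix groups from passwd/group data (constructed sample data inline; the function names are my own) and flags users who exceed the 16-group NFSv3 AUTH_SYS cap or the kernel's ngroups_max, which is the situation Gaiseric describes for both the truncated NFS group list and the Samba 3.4.x login abort. It assumes a POSIX sh with awk and getconf.

```sh
#!/bin/sh
# Added example (not from the thread): count a user's Unix groups from
# passwd/group data and compare with the limits discussed above.
# Samba 3.4.x refuses the login when the count exceeds ngroups_max, and
# NFSv3 with AUTH_SYS silently truncates the list after 16 groups.

NFS3_AUTH_SYS_MAX=16

# count_groups USER PASSWD_TEXT GROUP_TEXT
# Prints the number of distinct groups USER belongs to: the primary
# group from the passwd entry plus every supplementary group that lists
# the user as a member.
count_groups() {
    user=$1
    passwd_text=$2
    group_text=$3
    printf '%s\n%s\n' "$passwd_text" "$group_text" |
    awk -F: -v u="$user" '
        # passwd lines have 7 fields; group lines have 4
        NF == 7 && $1 == u { seen[$4] = 1; next }
        NF == 4 {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u) seen[$3] = 1
        }
        END { c = 0; for (g in seen) c++; print c }'
}

# group_status USER PASSWD_TEXT GROUP_TEXT LIMIT
# Prints "ok" when the user fits within LIMIT groups, "over" otherwise.
group_status() {
    n=$(count_groups "$1" "$2" "$3")
    if [ "$n" -gt "$4" ]; then echo over; else echo ok; fi
}

# Constructed sample data: user1 has primary gid 100 plus 16 supplementary
# groups (17 total, the failing case from the thread); user2 has 1 + 2.
SAMPLE_PASSWD='user1:x:1001:100::/home/user1:/bin/sh
user2:x:1002:100::/home/user2:/bin/sh'
SAMPLE_GROUP=$(i=1; while [ $i -le 16 ]; do
    printf 'group%d:x:%d:user1\n' "$i" $((1000 + i)); i=$((i + 1)); done
    printf 'group17:x:1017:user2\ngroup18:x:1018:user2\n')

# Live check on this host: the kernel limit next to the NFSv3 cap.
kernel_max=$(getconf NGROUPS_MAX 2>/dev/null || echo unknown)
echo "kernel NGROUPS_MAX=$kernel_max, NFSv3 AUTH_SYS limit=$NFS3_AUTH_SYS_MAX"
echo "user1: $(count_groups user1 "$SAMPLE_PASSWD" "$SAMPLE_GROUP") groups," \
     "$(group_status user1 "$SAMPLE_PASSWD" "$SAMPLE_GROUP" $NFS3_AUTH_SYS_MAX) for NFSv3"
echo "user2: $(count_groups user2 "$SAMPLE_PASSWD" "$SAMPLE_GROUP") groups," \
     "$(group_status user2 "$SAMPLE_PASSWD" "$SAMPLE_GROUP" $NFS3_AUTH_SYS_MAX) for NFSv3"
```

Run it against `getent passwd` and `getent group` output on a real host to find every account that would hit the cap before raising ngroups_max or rebuilding Samba.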
From: Jeremy Allison on
On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
> Thanks, the machine won't provide NFS or ssh login services, so fiddling with max
> groups should do no harm!
>
> I googled a bit and found that samba should be recompiled to take advantage
> of the new NGROUPS_MAX. "./configure" logs also suggested that NGROUPS_MAX is
> evaluated only at compile time.

Yep. Recompilation should do the trick once the kernel understands
large numbers of groups.

> Can anybody share experience on compiling samba on OpenSolaris? What's the
> most painless way? I'm considering using the latest 3.5.5 but maybe I should
> use the same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
> servers, which already replicate storage, so ID mapping must be consistent
> between both Samba servers. Servers have to provide shares also to trusted
> domains, but 3.0.37 doesn't have idmap_hash and it seems that idmap_rid is not
> supported to provide mappings for more than one domain, so anything newer
> than 3.0.37 sounds like the right choice.

The only reason they use 3.0.x is they're still unable to cope
with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
Linux has been shipping GPLv3 Samba for a while. But it's a big
company, you can't expect one part to know what another part is
up to :-).

Jeremy.
From: Gaiseric Vandal on
I compiled Samba 3.4.x on Solaris 10. (I have a Samba 3.4.x PDC with
two Samba 3.0.x BDCs.) Samba 3.0.x DCs will not support Windows 7
clients (don't have any yet but it is probably inevitable) and don't
seem to support trusts with Windows 2003 Native domains (at least it
didn't for me.)


If you follow the OpenSolaris forums it seems unlikely that there
will be a compiled build of Samba 3.4.x or 3.5.x in Solaris 10 or
OpenSolaris in the near future. I don't think it really is a
licensing or even a major technical issue. There seems to be more
interest in the CIFS project as an alternative to Samba. Oracle/Sun sells
a NAS server that runs on OpenSolaris and uses CIFS, so I don't think
they have much interest in Samba. I don't see Oracle/Sun paying anyone to
work on Samba 3.4.x or 3.5.x integration when they have "better"
solutions and more important priorities.

To be specific, Samba doesn't require OpenLDAP but it does require LDAP
with certain functionality. The Solaris-bundled Samba does use
OpenLDAP. But if you are compiling it yourself OpenLDAP is the way to
do it. Easiest to just get the OpenLDAP precompiled from Blastwave or
sunfreeware.com. And there is precompiled Samba available from
Sunfreeware and Blastwave, but it may lack the features you need, so you
probably need to compile anyway.

If you don't need AD support, then the Sun LDAP client
functionality should be sufficient.


I didn't know about the NGROUPS_MAX option. I would have disabled it if
I had known, since I am subject to the 16 group NFS v3 limit. (What I
really need to do is switch to NFS v4 and use Kerberos authentication
for NFS clients.)

The OpenSolaris developer build (from earlier this year, not the
official release from last year) has updated GCC and other tools that
may make compiling easier. GCC from Sun (and even Sunfreeware) uses
"/usr/ccs/bin/ld" as the linker. You may need to rename the file and
symlink it to gld (the GNU linker.) Samba compiling also requires that
you set the CPPFLAGS and LDFLAGS as well.

e.g.

# /usr/sfw is the Solaris freeware tree (GCC etc.), /usr/ccs the Sun toolchain
PATH=/usr/sfw/bin:/usr/ccs/bin:$PATH
PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY_PATH
LD_LIBRARY_PATH=/usr/local/samba-3.4.5:$LD_LIBRARY_PATH

# export PATH too, or the shell's children (make, configure) won't see it
export PATH LD_LIBRARY_PATH
export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/include"
export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"

I posted questions/results to the list earlier this year about my
experiences.
On 07/14/2010 05:38 PM, Mārcis Lielturks wrote:
>
> On 15 July 2010 00:28, Jeremy Allison <jra(a)samba.org
> <mailto:jra(a)samba.org>> wrote:
>
> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
> > Thanks, the machine won't provide NFS or ssh login services, so
> > fiddling with max groups should do no harm!
> >
> > I googled a bit and found that samba should be recompiled to take
> > advantage of the new NGROUPS_MAX. "./configure" logs also suggested
> > that NGROUPS_MAX is evaluated only at compile time.
>
> Yep. Recompilation should do the trick once the kernel understands
> large numbers of groups.
>
> > Can anybody share experience on compiling samba on OpenSolaris?
> > What's the most painless way? I'm considering using the latest 3.5.5
> > but maybe I should use the same version Sun (Oracle) is using - 3.0.37?
> > I have to set up Samba on 2 servers, which already replicate storage,
> > so ID mapping must be consistent between both Samba servers. Servers
> > have to provide shares also to trusted domains, but 3.0.37 doesn't
> > have idmap_hash and it seems that idmap_rid is not supported to provide
> > mappings for more than one domain, so anything newer than 3.0.37
> > sounds like the right choice.
>
> The only reason they use 3.0.x is they're still unable to cope
> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
> Linux has been shipping GPLv3 Samba for a while. But it's a big
> company, you can't expect one part to know what another part is
> up to :-).
>
> Yeah, I read about that, but still, I was thinking that as they ship
> 3.0.37, it should also be easier to compile because the OS has all that's
> necessary for 3.0.37. Newer Samba versions may have some dependencies
> (new libs or newer versions of libs) that might be harder to satisfy.
> I have never compiled samba so far and all I know at the moment (from
> documentation) is that AD support requires krb5 and openldap
> development libraries and files.
>
> Jeremy.
>
> --
> ML

From: Marcis Lielturks on
Compiled 3.5.4 successfully, but the new binaries seem to be defective or
missing something. I get errors about PKCS 11 library calls when trying
to join the domain. I've seen these errors with the "original" Samba 3.0.37 in
"log.winbindd" and "log.wb-DOMAIN", but besides that, 3.0.37 worked and
could join the domain.

# ./net -U 'Administrator%password' ads join
[2010/07/15 16:17:48.692586, 0] libads/sasl.c:818(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Error in the
PKCS 11 library calls
Failed to join domain: failed to connect to AD: Error in the PKCS 11
library calls

I'm using Sun's cc for compilation and GNU make (configure didn't
generate a Makefile until gmake was installed).

1. I installed openldap stable 20100219 with
   1. ./configure --disable-slapd --prefix=/opt/samba
2. Installed Samba with
   1. export CFLAGS="-I/usr/include/kerberosv5 -I/usr/include/gssapi"
   2. export LDFLAGS="-lsasl -lgss"
   3. ./configure --prefix=/opt/samba --with-ads --with-krb5=/usr --with-aio-support --with-static-modules=vfs_zfsacl,idmap_rid,idmap_hash --with-automount

Where to look next? Maybe I have compiled with the wrong options? Should I
try using only GNU build tools? What about the openldap compilation? I've
read somewhere that it may leave some important header files and/or
libraries, and the --enable-null option should be used if I don't need the
daemon. Should I try that?

I also attached the "smbd -b" output differences between the original 3.0.37 and
my 3.5.4 samba versions. I don't like the line which tells that the new
version doesn't have the "HAVE_KRB5_MIT" option.


Thanks!

MMM


From: Marcis Lielturks on
Hi!

First of all, thanks for replies to all ;)!

Using GCC was a fail for me - too many errors, and 2 additional things
must be compiled (tdb & talloc). I only managed to compile using Sun's
cc and gmake and will stick to them. I'm a bit further now. Now I don't
get PKCS 11 errors when trying to do "net ads join". I recompiled
openldap with slapd (but with the null backend) and "-lpkcs11" in LDFLAGS (I
think this is what helped). However now I'm getting the following when doing
"net ads join":

[2010/07/16 12:16:54, 3] param/loadparm.c:9158(lp_load_ex)
lp_load_ex: refreshing parameters
[2010/07/16 12:16:54, 3] param/loadparm.c:4929(init_globals)
Initialising global parameters
[2010/07/16 12:16:54, 2] param/loadparm.c:4785(max_open_files)
rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
[2010/07/16 12:16:54.047848, 3] ../lib/util/params.c:550(pm_process)
params.c:pm_process() - Processing configuration file
"/opt/samba/lib/smb.conf"
[2010/07/16 12:16:54.047875, 3] param/loadparm.c:7842(do_section)
Processing section "[global]"
[2010/07/16 12:16:54.048365, 2] lib/interface.c:338(add_interface)
added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255
netmask=255.255.255.0
[2010/07/16 12:16:54.048517, 1] libnet/libnet_join.c:1947(libnet_Join)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'SAMBA-DEV'
domain_name : *
domain_name : 'mydomain.COM'
account_ou : NULL
admin_account : 'Administrator'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
[2010/07/16 12:17:00.052208, 2] libads/cldap.c:97(ads_cldap_netlogon)
cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
[2010/07/16 12:17:00.141661, 3]
libsmb/cliconnect.c:2201(cli_start_connection)
Connecting to host=BORED.mydomain.com
[2010/07/16 12:17:00.141828, 3] lib/util_sock.c:974(open_socket_out_send)
Connecting to 192.168.0.94 at port 445
[2010/07/16 12:17:00.143207, 3]
libsmb/cliconnect.c:991(cli_session_setup_spnego)
Doing spnego session setup (blob length=107)
[2010/07/16 12:17:00.143274, 3]
libsmb/cliconnect.c:1019(cli_session_setup_spnego)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2010/07/16 12:17:00.143302, 3]
libsmb/cliconnect.c:1029(cli_session_setup_spnego)
got principal=bored$@mydomain.COM
[2010/07/16 12:17:00.143856, 3]
libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
Got challenge flags:
[2010/07/16 12:17:00.143870, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
[2010/07/16 12:17:00.143883, 3]
libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2010/07/16 12:17:00.143894, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x60088215
[2010/07/16 12:17:00.143984, 3]
libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/16 12:17:00.143997, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x60088215
[2010/07/16 12:17:00.177128, 3] libsmb/cliconnect.c:1249(cli_session_setup)
SPNEGO login failed: Logon failure
[2010/07/16 12:17:00.177159, 1]
libsmb/cliconnect.c:2307(cli_full_connection)
failed session setup with NT_STATUS_LOGON_FAILURE
[2010/07/16 12:17:00.177271, 1] libnet/libnet_join.c:1978(libnet_Join)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for
domain 'mydomain.COM' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE
[2010/07/16 12:17:00.177442, 2] utils/net.c:916(main)


Interesting is that if I supply a wrong username the output doesn't differ
much. Below you can see the differences (I stripped the timestamps to be able to use
diff).

--- pass_ok_stripped.txt 2010-07-16 12:19:11.869234402 +0300
+++ pass_wrong_stripped.txt 2010-07-16 12:19:22.318101275 +0300
@@ -19,7 +19,7 @@
domain_name : *
domain_name : 'mydomain.COM'
account_ou : NULL
- admin_account : 'Administrator'
+ admin_account : 'Adminisdgasgasdtor'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
@@ -43,8 +43,6 @@
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
- libads/cldap.c:97(ads_cldap_netlogon)
- cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
libsmb/cliconnect.c:2201(cli_start_connection)
Connecting to host=BORED.ProServe.com
lib/util_sock.c:974(open_socket_out_send)
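Review bot: the only thing this hunk removes from the wrong-credential run is the pair of `cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT` lines; since no further hunks follow, the rest of both runs, including the `SPNEGO login failed: Logon failure` tail, is identical, so the WERR_LOGON_FAILURE is produced at the NTLMSSP session setup (`use_kerberos : 0x00 (0)` in the context above) whether or not the admin password is right, which points at the credential path rather than at a wrong password. Also, the context line `Connecting to host=BORED.ProServe.com` does not match the `BORED.mydomain.com` in the full log above, so the domain name in the posted output is only partially redacted and should be normalised before the log is shared further.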


Maybe I'm missing some RPC things? "smbd -b | tail -2" says:

Builtin modules:
pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam rpc_lsarpc rpc_winreg
rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl rpc_ntsvcs
rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog rpc_samr
idmap_ldap idmap_tdb idmap_passdb idmap_nss idmap_rid idmap_hash
nss_info_template auth_sam auth_unix auth_winbind auth_wbc auth_server
auth_domain auth_builtin auth_netlogond vfs_default vfs_solarisacl
vfs_zfsacl


MMM
