Bug 1740986
| Summary: | Samba 4.9.1-6: Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Glen Babiano <gbabiano> |
| Component: | samba | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED ERRATA | QA Contact: | Niranjan Mallapadi Raghavender <mniranja> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.6 | CC: | asn, dkarpele, gdeschner, iboukris, jarrpa, jstephen, mniranja, sgoveas, tscherf |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | samba-4.10.4-4.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1754835 | Environment: | |
| Last Closed: | 2020-03-31 19:56:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1754835 | | |

Description
Glen Babiano
2019-08-14 04:52:01 UTC
The net command doesn't need to be run if winbind is running and Samba is configured correctly. It is likely that the customer is running sssd and did not start winbind which caused those issues.

Hi Andreas,

Thanks for the feedback. I have reached out to the customer and here's what he has to say:

-----
I'm afraid that's not correct, we do start winbind before starting samba.
-----

Any other thoughts?

Thanks and regards,
Glen

Hi,

It seems to me that this issue was addressed upstream and the patch is actually included in the latest samba package samba-4.10.4-1.el7, please try using this package.

Hi Isaac,

Customer found that Samba version 4.10.x is available upstream but not on the RHEL 7 repos. Is there any chance this will be ported in RHEL 7?

Thanks and regards,
Glen

Problems could happen if winbind is not running or idmap is not set up correctly. If this is the case there should be no problems. However we improved the code in this area.

Version:

```
samba-common-4.10.4-9.el7.noarch
samba-libs-4.10.4-9.el7.x86_64
samba-common-tools-4.10.4-9.el7.x86_64
samba-4.10.4-9.el7.x86_64
samba-common-libs-4.10.4-9.el7.x86_64
samba-winbind-modules-4.10.4-9.el7.x86_64
samba-winbind-clients-4.10.4-9.el7.x86_64
samba-client-libs-4.10.4-9.el7.x86_64
samba-winbind-4.10.4-9.el7.x86_64
```

1. Test using winbind and samba
================================

1. Join system to Windows 2012 R2 using realm with winbind and samba

```
[root@qe-blade-11 ~]# realm join -U Administrator --client-software=winbind --membership-software=samba -v CYGNUS.TEST
 * Resolving: _ldap._tcp.cygnus.test
 * Performing LDAP DSE lookup on: 10.65.201.120
 * Performing LDAP DSE lookup on: 2620:52:0:41c9:3ccf:487d:ca5b:5895
 * Successfully discovered: cygnus.test
Password for Administrator:
 * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.8231B0 -U Administrator ads join cygnus.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL
Using short domain name -- CYGNUS
Joined 'QE-BLADE-11' to dns domain 'cygnus.test'
DNS Update for qe-blade-11.idmqe.lab.eng.bos.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.8231B0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable winbind.service
Created symlink from /etc/systemd/system/multi-user.target.wants/winbind.service to /usr/lib/systemd/system/winbind.service.
 * /usr/bin/systemctl restart winbind.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm
```

2. Run testparm

```
[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

[root@qe-blade-11 samba]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
    kerberos method = system keytab
    printcap name = cups
    realm = CYGNUS.TEST
    security = ADS
    template homedir = /home/%U@%D
    template shell = /bin/bash
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    workgroup = CYGNUS
    idmap config * : range = 10000-999999
    idmap config cygnus : backend = rid
    idmap config cygnus : range = 2000000-2999999
    idmap config * : backend = tdb
    cups options = raw

[homes]
    browseable = No
    comment = Home Directories
    inherit acls = Yes
    read only = No
    valid users = %S %D%w%S

[printers]
    browseable = No
    comment = All Printers
    create mask = 0600
    path = /var/tmp
    printable = Yes

[print$]
    comment = Printer Drivers
    create mask = 0664
    directory mask = 0775
    force group = @printadmin
    path = /var/lib/samba/drivers
    write list = @printadmin root
```

3. Start smb service and verify net groupmap list lists builtin groups

```
[root@qe-blade-11 samba]# systemctl start smb
[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
[root@qe-blade-11 samba]# testparm
```

Test using sssd and samba
==========================

```
[root@qe-blade-11 ~]# realm join -U Administrator --client-software=sssd --membership-software=samba -v CYGNUS.TEST
 * Resolving: _ldap._tcp.cygnus.test
 * Performing LDAP DSE lookup on: 10.65.201.120
 * Performing LDAP DSE lookup on: 2620:52:0:41c9:3ccf:487d:ca5b:5895
 * Successfully discovered: cygnus.test
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RJSIC0 -U Administrator ads join cygnus.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL
Using short domain name -- CYGNUS
Joined 'QE-BLADE-11' to dns domain 'cygnus.test'
DNS Update for qe-blade-11.idmqe.lab.eng.bos.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RJSIC0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm
```

2. Configure /etc/samba/smb.conf as below:

```
[global]
    server string = File Server
    passdb backend = tdbsam
    # log files split per-machine:
    log file = /var/log/samba/log.%m
    # maximum size of 200KB per log file, then rotate:
    max log size = 200
    log level = 2

    # Domain Config
    realm = CYGNUS.TEST
    workgroup = CYGNUS
    security = ADS
    kerberos method = secrets and keytab
    idmap config * : backend = autorid
    idmap config * : range = 1000000-19999999
    idmap config * : rangesize = 1000000
    template shell = /bin/bash
    template homedir = /home/%U

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[share1]
    path = /mnt/samba/share1
    comment = test share1
    writable = yes
    printable = no
</snip>
```

3. start winbind and smb service

```
[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> 1000002
Administrators (S-1-5-32-544) -> 1000000
Users (S-1-5-32-545) -> 1000001
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1084
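
An added example, not part of the bug report or of Samba: a shell function that automates the check the verification steps above make by eye, confirming that the three BUILTIN SIDs appear in `net groupmap list` output and that any numeric GID lies inside the `idmap config * : range`. The function name `check_builtin_groupmap` and the failing sample are constructed for illustration; the passing sample is the autorid output quoted in the report.

```shell
#!/usr/bin/env bash
# Added example. check_builtin_groupmap is a hypothetical helper name.
# stdin: output of `net groupmap list`; $1 and $2: bounds of "idmap config * : range".
# Live use: net groupmap list | check_builtin_groupmap 1000000 19999999
check_builtin_groupmap() {
    awk -v low="$1" -v high="$2" '
        BEGIN {
            want["S-1-5-32-544"] = "Administrators"
            want["S-1-5-32-545"] = "Users"
            want["S-1-5-32-546"] = "Guests"
        }
        # Entries look like "Guests (S-1-5-32-546) -> BUILTIN\guests" or "... -> 1000002".
        match($0, /\(S-1-5-32-[0-9]+\)/) {
            sid = substr($0, RSTART + 1, RLENGTH - 2)
            target = $0
            sub(/^.*-> */, "", target)
            seen[sid] = 1
            # A numeric target is a Unix GID handed out by idmap; it must sit in the range.
            if (target ~ /^[0-9]+$/ && (target + 0 < low + 0 || target + 0 > high + 0)) {
                printf "FAIL %s maps to gid %s outside %s-%s\n", sid, target, low, high
                bad = 1
            }
        }
        END {
            for (sid in want)
                if (!(sid in seen)) {
                    printf "FAIL %s (%s) is not mapped\n", sid, want[sid]
                    bad = 1
                }
            exit bad + 0
        }'
}

# Passing sample: the autorid mapping quoted in the report.
SAMPLE_OK='Guests (S-1-5-32-546) -> 1000002
Administrators (S-1-5-32-544) -> 1000000
Users (S-1-5-32-545) -> 1000001'

# Failing sample (constructed): Guests missing, Administrators outside the range.
SAMPLE_BAD='Administrators (S-1-5-32-544) -> 500
Users (S-1-5-32-545) -> BUILTIN\users'

printf '%s\n' "$SAMPLE_OK" | check_builtin_groupmap 1000000 19999999 && echo "BUILTIN mappings OK"
```

A non-zero exit status with a `FAIL` line for S-1-5-32-546 corresponds to the condition in this bug's summary, where the BUILTIN\Guests group could not be created.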