with most recent git master smbd fails to start in AD DC mode

Günter Kukkukk linux at kukkukk.com
Sat Mar 22 11:37:57 MDT 2014


On 22.03.2014 18:27, Günter Kukkukk wrote:
> On 22.03.2014 18:10, Jeremy Allison wrote:
>> On Sat, Mar 22, 2014 at 04:31:32AM +0100, Günter Kukkukk wrote:
>>> http://git.samba.org/?p=samba.git;a=commit;h=6034ab521c47fc5f4732398652c9c6847ff92035
>>>
>>> introduced the following failure (in AD DC mode):
>>>
>>> ....
>>> /usr/local/samba/sbin/smbd: smbd version 4.2.0pre1-GIT-7fdb21c started.
>>> /usr/local/samba/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2014
>>> /usr/local/samba/sbin/smbd: Registered MSG_REQ_POOL_USAGE
>>> /usr/local/samba/sbin/smbd: Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>> /usr/local/samba/sbin/smbd: lp_load_ex: refreshing parameters
>>> /usr/local/samba/sbin/smbd: Initialising global parameters
>>> /usr/local/samba/sbin/smbd: rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>> /usr/local/samba/sbin/smbd: params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
>>> /usr/local/samba/sbin/smbd: Processing section "[global]"
>>> /usr/local/samba/sbin/smbd: Processing section "[netlogon]"
>>> /usr/local/samba/sbin/smbd: Processing section "[sysvol]"
>>> /usr/local/samba/sbin/smbd: Processing section "[test]"
>>> /usr/local/samba/sbin/smbd: adding IPC service
>>> /usr/local/samba/sbin/smbd: added interface eno16777736 ip=2a02:8109:8f40:107c:20c:29ff:fe3b:8649 bcast= netmask=ffff:ffff:ffff:ffff::
>>> /usr/local/samba/sbin/smbd: added interface eno16777736 ip=192.168.200.70 bcast=192.168.200.255 netmask=255.255.255.0
>>> /usr/local/samba/sbin/smbd: added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
>>> /usr/local/samba/sbin/smbd: added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
>>> /usr/local/samba/sbin/smbd: loaded services
>>> /usr/local/samba/sbin/smbd: Becoming a daemon.
>>> /usr/local/samba/sbin/smbd: ldb_wrap open of idmap.ldb
>>> /usr/local/samba/sbin/smbd: getpwuid(3000011) failed                     <<<<<===== !!!!!?
>>> /usr/local/samba/sbin/smbd: Failed to finalize nt token
>>> /usr/local/samba/sbin/smbd: create_local_token failed: NT_STATUS_UNSUCCESSFUL
>>> /usr/local/samba/sbin/smbd: ERROR: failed to setup guest info.
>>> Child /usr/local/samba/sbin/smbd exited with status 255 - Unknown error 255
>>> file_server smbd daemon died with exit status 255
>>> task_server_terminate: [smbd child process exited]
>>> samba_terminate: smbd child process exited
>>> ------------
>>>
>>> When I revert this patch at least all former stuff is working again.
>>
>> So here is a patch that will allow the getpwuid to
>> fail on guest tokens. Try this on top of current
>> master to see if it fixes your issue.
>>
>> I don't like it though :-).
>>
>> As far as I'm concerned, if :
>>
>> username --> getpwnam() returns struct pwd
>>
>> succeeds, then the following should
>> *always* succeed.
>>
>> pwd->uid --> uid_to_sid() returns SID.
>> SID --> sid_to_uid() returns uid (must be identical to pwd->uid).
>> uid --> getpwuid() should return *identical* struct pwd.
>>
>> If any of these fail, then I think something
>> is set up incorrectly on the system.
>>
>> As I said, need more info to understand your
>> specific failure case.
>>
>> Jeremy.
>>
> 
> Hi Jeremy,
> 
> I'll try your patch later today - must first finish some private stuff.
> 
> I just did a new test using a "most fresh and simple" setup (not using your patch atm):
> 
> 1.) built recent git master
> 2.) "make install"
> 3.) samba-tool domain provision --interactive
> 4.) /usr/local/samba/sbin/samba -i -M single -d3
>     This very _first_ start is already failing!
> ----
> 
> Some more detailed output during these steps:
> 
> Step 3.)
> ========
> li4771-131:/usr/local # samba-tool domain provision --interactive
> Realm [ADDLZ.KUKKUKK.COM]:
>  Domain [ADDLZ]:
>  Server Role (dc, member, standalone) [dc]:
>  DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
> Administrator password:
> Retype password:
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=addlz,DC=kukkukk,DC=com
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=addlz,DC=kukkukk,DC=com
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> See /usr/local/samba/private/named.conf for an example configuration include file for BIND
> and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           active directory domain controller
> Hostname:              li4771-131
> NetBIOS Domain:        ADDLZ
> DNS Domain:            addlz.kukkukk.com
> DOMAIN SID:            S-1-5-21-492026120-2389038717-3823988468
> ----------------
> 
> RESULTING SMB.CONF:
> ===================
> li4771-131:/usr/local/samba # cat etc/smb.conf
> # Global parameters
> [global]
>         workgroup = ADDLZ
>         realm = ADDLZ.KUKKUKK.COM
>         netbios name = LI4771-131
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/addlz.kukkukk.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> ------------
> 
> Step 4.)
> ========
> li4771-131:/usr/local/samba # sbin/samba -i -M single -d3
> .... snip
> Calling DNS name update script
> Calling SPN name update script
> /usr/local/samba/sbin/smbd: smbd version 4.2.0pre1-GIT-7fdb21c started.
> /usr/local/samba/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2014
> request interface version (version = 27)
> Terminating connection - 'wbsrv: wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[wbsrv: wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> Terminating connection - 'wbsrv: wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[wbsrv: wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> /usr/local/samba/sbin/smbd: create_local_token failed: NT_STATUS_UNSUCCESSFUL
> /usr/local/samba/sbin/smbd: ERROR: failed to setup guest info.
> Child /usr/local/samba/sbin/smbd exited with status 255 - Unknown error 255
> file_server smbd daemon died with exit status 255
> task_server_terminate: [smbd child process exited]
> samba_terminate: smbd child process exited
> 
> Cheers, Günter
> 

Sorry, forgot to mention that there's a
Step 4.a) start ISC bind nameserver (here I used the DLZ module)
which I did properly ...

But another fresh setup with the internal DNS server shows the same
failing smbd symptoms ....

Just to send a "complete report" !   :-)

Cheers, Günter
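
The NSS legs of the round trip Jeremy describes (name to struct passwd via getpwnam, then that uid back through getpwuid) can be checked outside smbd. The following is an added example, not part of the original message or of Samba's code; it does not exercise uid_to_sid()/sid_to_uid(), and the names `pw_identical` and `check_name_roundtrip` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum pw_check { PW_OK, PW_NO_NAME, PW_NO_UID, PW_MISMATCH };

/* Compare the fields of struct passwd that identify an account. */
int pw_identical(const struct passwd *a, const struct passwd *b)
{
    return a->pw_uid == b->pw_uid && a->pw_gid == b->pw_gid &&
           strcmp(a->pw_name, b->pw_name) == 0 &&
           strcmp(a->pw_dir, b->pw_dir) == 0 &&
           strcmp(a->pw_shell, b->pw_shell) == 0;
}

/* name -> getpwnam_r() -> pw_uid -> getpwuid_r() -> must be the same entry.
 * The _r variants are used with separate buffers: plain getpwnam() and
 * getpwuid() may share static storage, so the second call could overwrite
 * the first result and make the comparison meaningless. */
enum pw_check check_name_roundtrip(const char *name)
{
    struct passwd by_name, by_uid, *res = NULL;
    char buf1[4096], buf2[4096]; /* an entry larger than this counts as a failure */

    if (getpwnam_r(name, &by_name, buf1, sizeof(buf1), &res) != 0 || res == NULL)
        return PW_NO_NAME;
    if (getpwuid_r(by_name.pw_uid, &by_uid, buf2, sizeof(buf2), &res) != 0 || res == NULL)
        return PW_NO_UID; /* the case smbd logged as "getpwuid(...) failed" */
    return pw_identical(&by_name, &by_uid) ? PW_OK : PW_MISMATCH;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok", "getpwnam failed", "getpwuid failed", "entries differ" };
    int bad = 0;
    for (int i = 1; i < argc; i++) {
        enum pw_check r = check_name_roundtrip(argv[i]);
        printf("%s: %s\n", argv[i], msg[r]);
        bad |= (r != PW_OK);
    }
    return bad; /* non-zero if any account name given on the command line fails */
}
```
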
