winbindd: Failed to fetch our own, local AD domain join password for winbindd's internal use

[Tom]

Hello,

I apologize in advance for cross-posting (and posting for help) to
samba-technical, but I've been seeking help on the samba list and bugzilla
since last week and have had no replies. Using Google, I've found this
issue referenced only once on the mailing list and once in a bugzilla bug
(10991). Unfortunately, I've found no resolutions.

The problem appears to be specific to Samba 4.2, where domains were
provisioned using classicupgrade. In my case, the classicupgrade provision
was performed just a few weeks after 4.0.0 was released, going from version
3.6.x > 4.0.0. I have since kept my install fairly up to date throughout
the 4.0 and 4.1 cycles. I am currently trying to upgrade from 4.1.16 to
4.2.0. After this latest upgrade, S4 fails to start, with the above
mentioned error being logged to log.winbindd. I have found that adding
"server services = -winbindd +winbind" allows 4.2.0 to start correctly.
That said, I decided to revert to the 4.1.16 backup that I took immediately
before the upgrade. I did this just to be safe, as it appears to be
something specific to my AD directory, possibly related to the
classicupgrade. I say this because I do not have the issue with my test
domain, which was newly provisioned from 4.0.0.

I have moved a copy of my live 4.1.16 instance to a VM environment for
testing, and have duplicated the problem in testing. My goal was to upgrade
to 4.2.0 and setup a secondary DC here on-site before standing up 3 more
DCs at branch offices. I am wary of moving forward with this deployment
knowing this problem exists, or without at least better understanding what
is happening. The concern that something wrong with my AD directory
(stemming from the classicupgrade) is what really worries me and I
certainly don't want to start replicating "bad" data to remote sites.

If anyone has the time and can help me figure out this issue, it would be
much appreciated. I have included links to the bugzilla entry and the only
reference to this issue that I could find. If someone could help me
understand, what is Winbindd looking for when it throws the error "Failed
to fetch our own, local AD domain join password for winbindd's internal
use", perhaps that would get me looking in the right direction.

Bugzilla:
https://bugzilla.samba.org/show_bug.cgi?id=10991

Samba List:
https://lists.samba.org/archive/samba/2014-September/185031.html

log.winbindd
/usr/local/samba/sbin/winbindd: winbindd version 4.2.0 started.
/usr/local/samba/sbin/winbindd: Copyright Andrew Tridgell and the Samba
Team 1992-2014
/usr/local/samba/sbin/winbindd: Maximum core file size limits now
16777216(soft) -1(hard)
/usr/local/samba/sbin/winbindd: Registered MSG_REQ_POOL_USAGE
/usr/local/samba/sbin/winbindd: Registered MSG_REQ_DMALLOC_MARK and
LOG_CHANGED
/usr/local/samba/sbin/winbindd: lp_load_ex: refreshing parameters
/usr/local/samba/sbin/winbindd: Initialising global parameters
/usr/local/samba/sbin/winbindd: rlimit_max: increasing rlimit_max (1024) to
minimum Windows limit (16384)
/usr/local/samba/sbin/winbindd: Processing section "[global]"
/usr/local/samba/sbin/winbindd: added interface enp0s3 ip=10.0.2.100
bcast=10.0.2.255 netmask=255.255.255.0
/usr/local/samba/sbin/winbindd: added interface enp0s3 ip=10.0.2.100
bcast=10.0.2.255 netmask=255.255.255.0
/usr/local/samba/sbin/winbindd: initialize_winbindd_cache: clearing cache
and re-creating with version number 2
/usr/local/samba/sbin/winbindd: Added domain BUILTIN (null) S-1-5-32
/usr/local/samba/sbin/winbindd: Added domain TESTDOM internal.testdom.com
SID_REMOVED
/usr/local/samba/sbin/winbindd: Failed to fetch our own, local AD domain
join password for winbindd's internal use
/usr/local/samba/sbin/winbindd: unable to initialize domain list
Child /usr/local/samba/sbin/winbindd exited with status 1 - Operation not
permitted
winbindd daemon died with exit status 1
task_server_terminate: [winbindd child process exited]
samba_terminate: winbindd child process exited