Samba package 4.9.x samba smbd not playing with winbind.

L.P.H. van Belle belle at bazuin.nl
Mon Dec 3 12:52:12 UTC 2018


Hai, 

If I may say... based on what I've seen, and I'm only talking Debian/Ubuntu systems. 
I don't run any RH/CentOS. 

If samba is installed without winbind,
smbd starts but gets the unable to find Guest message. 

If samba and winbind are installed together, the installer tries to start winbind before smbd.
And the installer fails, basically because of the same error. 

What I suspect is that 1 or 2 things are causing these; I've not figured this out yet. 
But I'm not a dev like you guys. 


The changes in samba-ad-dc are inherited in samba (smbd/nmbd/winbind). 
And since samba-ad-dc is starting winbind, I suspect a relation here.
I've seen some bugs for ID_BOTH are getting addressed now (for BUILTIN & NT Authority). 
I saw a few e-mails on technical about this; I don't know the state of them.

Due to the above, samba fails to start since it's unable to resolve the "nobody/nogroup" IDs. 
This is why I added the changes to smb.conf. 

If one is running a setup with the parameters already enabled, then you don't see problems and no changes are done. 
This is not seen when you run a member or AD DC server, since these already use the idmap settings. 

If you install a new server, then it's (in my opinion) better to "see" what changed than to add the group mapping in the background. 
And especially when it's a workaround.

In Alexander Bokovoy's install example, it shows: 
idmap config * : backend = tdb
This is why it starts without problems for him. 

Should we enable the tdb backend by default these days, and if that's the case, should this not be one of the new defaults in smb.conf? 
So @Andreas Hasenack, the install you tried, can you add only the line: idmap config * : backend = tdb 
and rerun the install. 


>> is this maybe the relevant change? Using the presence of a running
>> winbind to make this decision of where to allocate the BUILTIN guests
>> group, instead of settings smb.conf?
>If you consider this a bug, please open a bugzilla and provide logs
>there that demonstrate your configuration and a specific issue that is
>not fixed by mapping BUILTIN\Guests.

Did you have a look/search for BUILTIN and NT Authority in bugzilla? 
It all comes back to ID_BOTH problems. 
Numbers 13697 13186 12164 10929, to name a few, or a regression of https://bugzilla.samba.org/show_bug.cgi?id=13225



Greetz, 

Louis 

> -----Original message-----
> From: samba-technical 
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of 
> Andreas Hasenack via samba-technical
> Sent: Sunday 2 December 2018 13:41
> To: ab at samba.org
> CC: samba-technical at lists.samba.org
> Subject: Re: Samba package 4.9.x samba smbd not playing 
> with winbind.
> 
> > I have no winbindd at all on the system:
> >
> > [root at fserver ~]# rpm -qa|grep winbind
> > <empty output>
> 
> Thanks for replying.
> 
> I think there has been a misunderstanding in this whole thread. Let me
> restate the issue.
> 
> In 4.9.x (at least .2 and .3), when winbind is running, smbd will fail
> to start in standalone mode ("security = user").
> 
> I think when people read that, and saw "winbind is running", they
> assumed domain security. This is not the case. It just so happens that
> winbind was installed and running.
> 
> And it fails in fedora29 too, I just tried:
> 
> andreas at nsnx:~$ lxc launch images:fedora/29 fedora29
> Creating fedora29
> Starting fedora29
> andreas at nsnx:~$ lxc exec fedora29 bash
> [root at fedora29 ~]# dnf update -y && dnf install -y samba-winbind
> samba-client samba
> ...
> [root at fedora29 ~]# service winbind start
> Redirecting to /bin/systemctl start winbind.service
> 
> [root at fedora29 ~]# systemctl start smb
> Job for smb.service failed because the control process exited 
> with error code.
> See "systemctl status smb.service" and "journalctl -xe" for details.
> [root at fedora29 ~]# journalctl -u smb
> -- Logs begin at Sun 2018-12-02 12:30:19 UTC, end at Sun 2018-12-02
> 12:33:06 UTC. --
> Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed to reset
> devices.list: Operation not permitted
> Dec 02 12:33:06 fedora29 systemd[1]: Starting Samba SMB Daemon...
> Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278094,  0]
> ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> Dec 02 12:33:06 fedora29 smbd[247]:   create_local_token failed:
> NT_STATUS_ACCESS_DENIED
> Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278480,  0]
> ../source3/smbd/server.c:2000(main)
> Dec 02 12:33:06 fedora29 smbd[247]:   ERROR: failed to setup 
> guest info.
> Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Main process exited,
> code=exited, status=255/n/a
> Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Killing process 249
> (smbd-notifyd) with signal SIGKILL.
> Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Killing process 250
> (cleanupd) with signal SIGKILL.
> Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed with result
> 'exit-code'.
> Dec 02 12:33:06 fedora29 systemd[1]: Failed to start Samba SMB Daemon.
> 
> [root at fedora29 ~]# rpm -qa|grep samba
> samba-client-libs-4.9.3-0.fc29.x86_64
> samba-common-tools-4.9.3-0.fc29.x86_64
> samba-winbind-4.9.3-0.fc29.x86_64
> samba-common-libs-4.9.3-0.fc29.x86_64
> samba-libs-4.9.3-0.fc29.x86_64
> samba-winbind-modules-4.9.3-0.fc29.x86_64
> samba-client-4.9.3-0.fc29.x86_64
> samba-4.9.3-0.fc29.x86_64
> samba-common-4.9.3-0.fc29.noarch
> 
> [root at fedora29 ~]# cat /etc/samba/smb.conf
> # See smb.conf.example for a more detailed config file or
> # read the smb.conf manpage.
> # Run 'testparm' to verify the config is correct after
> # you modified it.
> 
> [global]
> workgroup = SAMBA
> security = user
> 
> passdb backend = tdbsam
> 
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> 
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
> 
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
> 
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @printadmin root
> force group = @printadmin
> create mask = 0664
> directory mask = 0775
> 
> 
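
A triage check for the failure discussed in this thread, as an added example that is not part of the original e-mails or of Samba: it parses the [global] section of smb.conf, looks for the two smbd log messages quoted above, and reports whether a host matches the reported pattern (standalone mode, winbind running, no wildcard idmap backend set). The function names, report keys and the abridged sample inputs are assumptions made for illustration.

```python
# Added example, not from the thread; samples abridged from the output quoted above.
FAIL_SIGNATURES = (
    "create_local_token failed: NT_STATUS_ACCESS_DENIED",
    "ERROR: failed to setup guest info",
)
WILDCARD_BACKEND = "idmapconfig*:backend"  # "idmap config * : backend", whitespace removed

SAMPLE_CONF = """\
# Run 'testparm' to verify the config is correct
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
[homes]
read only = No
"""
SAMPLE_JOURNAL = """\
Dec 02 12:33:06 fedora29 smbd[247]:   create_local_token failed:
NT_STATUS_ACCESS_DENIED
Dec 02 12:33:06 fedora29 smbd[247]:   ERROR: failed to setup
guest info.
"""

def parse_global(conf_text):
    """Return [global] parameters; names are case- and whitespace-insensitive."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def triage(conf_text, journal_text, winbind_running):
    """Report whether a host matches the failure pattern described in the thread."""
    g = parse_global(conf_text)
    flat = " ".join(journal_text.split())  # undo line wrapping before matching
    report = {
        # Simplification: unset "security" is treated as standalone; "server role" is not consulted.
        "standalone": g.get("security", "auto").lower() in ("user", "auto"),
        "wildcard_idmap_backend": g.get(WILDCARD_BACKEND),
        "guest_token_failure": all(s in flat for s in FAIL_SIGNATURES),
    }
    report["matches_thread"] = (winbind_running and report["standalone"]
        and report["guest_token_failure"] and report["wildcard_idmap_backend"] is None)
    return report
```

On a live host the inputs would come from `/etc/samba/smb.conf`, `journalctl -u smb` and the state of the winbind service; a match only says the host looks like the report above, and the line Louis asks to test is `idmap config * : backend = tdb`.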



