Samba package 4.9.x samba smbd not playing with winbind.

Alexander Bokovoy ab at samba.org
Mon Dec 3 13:10:04 UTC 2018


On Mon, 03 Dec 2018, L.P.H. van Belle via samba-technical wrote:
> Hai, 
> 
> If I may say.. based on what I've seen, and I'm only talking Debian/Ubuntu systems.
> I don't run any RH/CentOS.
> 
> If samba is installed without winbind
> Smbd starts but gets the unable to find Guest message. 
> 
> If samba and winbind are installed together, the installer tries to start winbind before smbd.
> And the installer fails, basically because of the same error.
> 
> What I suspect are 1 or 2 things causing these, I've not figured this out yet.
> But I'm not a dev like you guys.
> 
> 
> The changes in samba-ad-dc are inherited in samba (smbd/nmbd/winbind)
> And since samba-ad-dc is starting winbind, I suspect a relation here.
> I've seen some bugs for ID_BOTH are getting addressed now. (for BUILTIN & NT Authority)
> I saw a few e-mails on technical about this, I don't know the state of them.
> 
> Due to above samba fails to start since it's unable to resolve the "nobody/nogroup" id's.
> This is why I added the changes to smb.conf.
> 
> If one is running a setup with the parameters already enabled, then you don't see problems and no changes are done.
> This is not seen when you run a member or AD DC server, since these already use the idmap settings.
> 
> If you install a new server, then it's (in my opinion) better to "See" what changed than adding the group mapping in the background.
> And especially when it's a workaround.
> 
> In Alexander Bokovoy's install example, it shows.
> idmap config * : backend = tdb
> This is why it starts without problems for him. 
I don't have that in the smb.conf itself, this is the default as
reported by `testparm -s`.

> Should we enable the tdb backend by default these days, and if that's
> the case, should this not be one of the new defaults in smb.conf?  So
> @Andreas Hasenack, the install you tried, can you add only the line:
> idmap config * : backend = tdb
> And rerun the install.
It *is* enabled by default. Below I'm using an empty smb.conf (/dev/null):

# testparm /dev/null -s -v|grep ' tdb'
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /dev/null
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_STANDALONE

	idmap backend = tdb
	passdb backend = tdbsam
	idmap config * : backend = tdb

> >> is this maybe the relevant change? Using the presence of a running
> >> winbind to make this decision of where to allocate the BUILTIN guests
> >> group, instead of settings smb.conf?
> >If you consider this a bug, please open a bugzilla and provide logs
> >there that demonstrate your configuration and a specific issue that is
> >not fixed by mapping BUILTIN\Guests.
> 
> Did you have a look/search for builtin and NT authority in bugzilla.?? 
> It all comes back to ID_BOTH problems. 
> Numbers 13697 13186 12164 10929 to name a few or a regression of  https://bugzilla.samba.org/show_bug.cgi?id=13225
> 
> 
> 
> Greetz, 
> 
> Louis 
> 
> > -----Original message-----
> > From: samba-technical
> > [mailto:samba-technical-bounces at lists.samba.org] On behalf of
> > Andreas Hasenack via samba-technical
> > Sent: Sunday 2 December 2018 13:41
> > To: ab at samba.org
> > CC: samba-technical at lists.samba.org
> > Subject: Re: Samba package 4.9.x samba smbd not playing
> > with winbind.
> > 
> > > I have no winbindd at all on the system:
> > >
> > > [root at fserver ~]# rpm -qa|grep winbind
> > > <empty output>
> > 
> > Thanks for replying.
> > 
> > I think there has been a misunderstanding in this whole thread. Let me
> > restate the issue.
> > 
> > In 4.9.x (at least .2 and .3), when winbind is running, smbd will fail
> > to start in standalone mode ("security = user").
> > 
> > I think when people read that, and saw "winbind is running", they
> > assumed domain security. This is not the case. It just so happens that
> > winbind was installed and running.
> > 
> > And it fails in fedora29 too, I just tried:
> > 
> > andreas at nsnx:~$ lxc launch images:fedora/29 fedora29
> > Creating fedora29
> > Starting fedora29
> > andreas at nsnx:~$ lxc exec fedora29 bash
> > [root at fedora29 ~]# dnf update -y && dnf install -y samba-winbind
> > samba-client samba
> > ...
> > [root at fedora29 ~]# service winbind start
> > Redirecting to /bin/systemctl start winbind.service
> > 
> > [root at fedora29 ~]# systemctl start smb
> > Job for smb.service failed because the control process exited 
> > with error code.
> > See "systemctl status smb.service" and "journalctl -xe" for details.
> > [root at fedora29 ~]# journalctl -u smb
> > -- Logs begin at Sun 2018-12-02 12:30:19 UTC, end at Sun 2018-12-02
> > 12:33:06 UTC. --
> > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed to reset
> > devices.list: Operation not permitted
> > Dec 02 12:33:06 fedora29 systemd[1]: Starting Samba SMB Daemon...
> > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278094,  0]
> > ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
> > Dec 02 12:33:06 fedora29 smbd[247]:   create_local_token failed:
> > NT_STATUS_ACCESS_DENIED
> > Dec 02 12:33:06 fedora29 smbd[247]: [2018/12/02 12:33:06.278480,  0]
> > ../source3/smbd/server.c:2000(main)
> > Dec 02 12:33:06 fedora29 smbd[247]:   ERROR: failed to setup 
> > guest info.
> > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Main process exited,
> > code=exited, status=255/n/a
> > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Killing process 249
> > (smbd-notifyd) with signal SIGKILL.
> > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Killing process 250
> > (cleanupd) with signal SIGKILL.
> > Dec 02 12:33:06 fedora29 systemd[1]: smb.service: Failed with result
> > 'exit-code'.
> > Dec 02 12:33:06 fedora29 systemd[1]: Failed to start Samba SMB Daemon.
> > 
> > [root at fedora29 ~]# rpm -qa|grep samba
> > samba-client-libs-4.9.3-0.fc29.x86_64
> > samba-common-tools-4.9.3-0.fc29.x86_64
> > samba-winbind-4.9.3-0.fc29.x86_64
> > samba-common-libs-4.9.3-0.fc29.x86_64
> > samba-libs-4.9.3-0.fc29.x86_64
> > samba-winbind-modules-4.9.3-0.fc29.x86_64
> > samba-client-4.9.3-0.fc29.x86_64
> > samba-4.9.3-0.fc29.x86_64
> > samba-common-4.9.3-0.fc29.noarch
> > 
> > [root at fedora29 ~]# cat /etc/samba/smb.conf
> > # See smb.conf.example for a more detailed config file or
> > # read the smb.conf manpage.
> > # Run 'testparm' to verify the config is correct after
> > # you modified it.
> > 
> > [global]
> > workgroup = SAMBA
> > security = user
> > 
> > passdb backend = tdbsam
> > 
> > printing = cups
> > printcap name = cups
> > load printers = yes
> > cups options = raw
> > 
> > [homes]
> > comment = Home Directories
> > valid users = %S, %D%w%S
> > browseable = No
> > read only = No
> > inherit acls = Yes
> > 
> > [printers]
> > comment = All Printers
> > path = /var/tmp
> > printable = Yes
> > create mask = 0600
> > browseable = No
> > 
> > [print$]
> > comment = Printer Drivers
> > path = /var/lib/samba/drivers
> > write list = @printadmin root
> > force group = @printadmin
> > create mask = 0664
> > directory mask = 0775
> > 
> > 
> 
> 

-- 
/ Alexander Bokovoy
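
Added example, not part of the original message and not Samba project code: a shell check for the two things this thread compares, the effective idmap default reported by `testparm -s -v` and the smbd guest-token startup failure in the journal. The function names are hypothetical and the sample inputs are constructed from lines quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, samples are constructed
# from the testparm and journalctl lines quoted in this thread.

# Print the effective value of parameter $1 from `testparm -s -v` output
# on stdin; exit non-zero when the parameter is not listed.
effective_param() {
    awk -v want="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # testparm indents parameters
            eq = index(line, " = ")           # split at the first " = "
            if (eq == 0) next
            if (substr(line, 1, eq - 1) == want) {
                print substr(line, eq + 3); found = 1; exit
            }
        }
        END { exit !found }
    '
}

# Succeed when journal text on stdin shows smbd aborting at startup because
# it could not build the guest token (both messages must be present).
guest_token_failure() {
    awk '
        /create_local_token failed: NT_STATUS_ACCESS_DENIED/ { token = 1 }
        /ERROR: failed to setup guest info/                  { guest = 1 }
        END { exit !(token && guest) }
    '
}

sample_testparm() {   # constructed sample of `testparm /dev/null -s -v` output
    printf '\tidmap backend = tdb\n\tpassdb backend = tdbsam\n'
    printf '\tidmap config * : backend = tdb\n'
}

sample_journal() {    # constructed sample of `journalctl -u smb` output
    printf 'Dec 02 12:33:06 fedora29 smbd[247]:   create_local_token failed: NT_STATUS_ACCESS_DENIED\n'
    printf 'Dec 02 12:33:06 fedora29 smbd[247]:   ERROR: failed to setup guest info.\n'
}

# Live use: testparm /dev/null -s -v 2>/dev/null | effective_param 'idmap config * : backend'
#           journalctl -u smb --no-pager | guest_token_failure
backend=$(sample_testparm | effective_param 'idmap config * : backend')
echo "effective default idmap backend: $backend"
if sample_journal | guest_token_failure; then
    echo "smbd failed while building the guest token"
fi
```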


