[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help

Frank Steiner fsteiner-mail1 at bio.ifi.lmu.de
Thu Nov 28 16:46:16 UTC 2019


Hi,

we've problems getting samba shares to work after upgrading from 4.7 to 4.9. We have one samba PDC server providing some shares and the users via local passdb.tdb file. Its smb.conf (names/ips changed):

[global]
         security = user
         encrypt passwords = yes
         passdb backend = tdbsam:/etc/samba/passdb.tdb
         workgroup = OURWORKGROUP
         netbios name = SERVER1
         server string = main server
         map untrusted to domain = Yes

         local master = yes
         preferred master = yes
         domain master = yes
         os level = 255
         wins support = yes

         dns proxy = yes
         name resolve order = host wins bcast

         hosts allow = <our networks>

[... the shares ...]


And one server that is providing some shares and does user authentication via the PDC. Its smb.conf:
[global]
         security = domain
         password server = SERVER1
         encrypt passwords = yes
         guest ok = no

         workgroup = OURWORKGROUP
         netbios name = SERVER2
         server string = secondary server

         local master = yes
         preferred master = no
         domain master = no
         os level = 40
         wins server = SERVER1

         dns proxy = yes
         name resolve order = host wins bcast

         hosts allow = <our networks>

[ ... the shares ... ]


We have windows terminal server using these shares, some win 10 clients and some linux clients.

This all worked fine when both servers ran samba 4.7. Now SERVER2 was upgraded to samba 4.9 (because SuSE Linux Enterprise 15 was updated to 15 SP1, SERVER1 is still running 15 without SP1) and I learned that "security = domain" no longer works without winbind. I thought I could just start winbind to use the "netlogon proxy only mode", so I did that on both servers.

So, winbindd is running on SERVER2:

server2 /root# rcwinbind status
* winbind.service - Samba Winbind Daemon
    Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
    Active: active (running) since Thu 2019-11-28 15:47:13 CET; 1h 21min ago
  Main PID: 20444 (winbindd)
    Status: "winbindd: ready to serve connections..."
     Tasks: 2 (limit: 4915)
    CGroup: /system.slice/winbind.service
            |-20444 /usr/sbin/winbindd --foreground --no-process-group
            `-20446 /usr/sbin/winbindd --foreground --no-process-group

Nov 28 15:47:13 server2 winbindd[20444]: [2019/11/28 15:47:13.100030,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
Nov 28 15:47:13 server2 winbindd[20444]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Nov 28 15:47:13 server2 winbindd[20444]: [2019/11/28 15:47:13.101272,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Nov 28 15:47:13 server2 winbindd[20444]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections


But even after restarting smbd, it doesn't find winbindd:
server2 /root# rcsmb status
* smb.service - Samba SMB Daemon
    Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
    Active: active (running) since Thu 2019-11-28 16:47:35 CET; 22min ago
  Main PID: 26379 (smbd)
    Status: "smbd: ready to serve connections..."
     Tasks: 4 (limit: 4915)
    CGroup: /system.slice/smb.service
            |-26379 /usr/sbin/smbd --foreground --no-process-group
            |-26381 /usr/sbin/smbd --foreground --no-process-group
            |-26382 /usr/sbin/smbd --foreground --no-process-group
            `-26383 /usr/sbin/smbd --foreground --no-process-group

Nov 28 16:47:35 server2 smbd[26379]: [2019/11/28 16:47:35.114442,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Nov 28 16:47:35 server2 smbd[26379]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Nov 28 17:10:16 server2 smbd[29446]: [2019/11/28 17:10:16.947758,  0] ../source3/auth/auth_winbind.c:122(check_winbind_security)
Nov 28 17:10:16 server2 smbd[29446]:   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

The last two lines appear in the log after doing a "smbclient -D OURWORKGROUP -U someuser -L //SERVER2/" which returns
Enter WORKGROUP\somuser's password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

Do I need to set up some winbind options for just using the "netlogon proxy only mode"? All documentation I find is only about using winbind with nss or kerberos or windows ad controllers etc., nothing is explained about the proxy only mode. Just this mail: https://lists.samba.org/archive/samba/2014-January/178375.html which indicates that I must do nothing but only start winbind...

What am I doing wrong? For the moment I had to downgrade to 4.7 again to make the shares work.

cu,
Frank
-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
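
Added example, not part of the original post and not Samba code: the journal output above uses Samba's two-line log format (a header with timestamp, debug level and source location, then the message), so this Python script pairs the lines per process and reports each smbd check_winbind_security failure with its NT status. The function names parse_entries and winbind_auth_failures are hypothetical; the sample input is the set of smbd lines quoted in the post.

```python
import re

# Sample input: the smbd journal lines quoted in the post above.
SAMPLE = """\
Nov 28 16:47:35 server2 smbd[26379]: [2019/11/28 16:47:35.114442,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Nov 28 16:47:35 server2 smbd[26379]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Nov 28 17:10:16 server2 smbd[29446]: [2019/11/28 17:10:16.947758,  0] ../source3/auth/auth_winbind.c:122(check_winbind_security)
Nov 28 17:10:16 server2 smbd[29446]:   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
"""

# journald prefix: "Nov 28 17:10:16 server2 smbd[29446]: <rest>"
JOURNAL = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# Samba header: "[date time,  level] source.c:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] "
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")


def parse_entries(text):
    """Join each Samba header line with the message line(s) that follow it."""
    entries, open_by_pid = [], {}
    for raw in text.splitlines():
        j = JOURNAL.match(raw)
        if not j:
            continue
        h = HEADER.match(j["rest"])
        if h:  # a header starts a new entry for this process
            entry = dict(h.groupdict(), daemon=j["daemon"], pid=j["pid"], message="")
            open_by_pid[j["pid"]] = entry
            entries.append(entry)
        elif j["pid"] in open_by_pid:  # continuation: the message text
            e = open_by_pid[j["pid"]]
            e["message"] = (e["message"] + " " + j["rest"].strip()).strip()
    return entries


def winbind_auth_failures(entries):
    """(timestamp, pid, NT status) for each failed winbindd check in smbd."""
    hits = []
    for e in entries:
        if e["daemon"] == "smbd" and e["func"] == "check_winbind_security":
            status = NT_STATUS.search(e["message"])
            hits.append((e["ts"], e["pid"], status.group(0) if status else None))
    return hits


if __name__ == "__main__":
    for ts, pid, status in winbind_auth_failures(parse_entries(SAMPLE)):
        print(f"{ts} smbd[{pid}] could not reach winbindd: {status}")
```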


