[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2

MORILLO Jordi j.morillo at educationetformation.fr
Sun Nov 22 14:42:56 UTC 2020

Hello!

I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2.

-          No problem with the 20 x domain members that are in a Samba-only domain (Samba DCs only).

-          But for my other domain (composed of Windows 2016 DCs), all 20 x Samba domain members failed to serve files after this upgrade :-/

I have triple-checked /etc/hosts, hostname, krb5 etc. ... and nothing was wrong. These same Samba domain members were working fine with 4.11.14.
The Kerberos part is OK (kinit/klist).

Here are some interesting logs (errors only):
net ads testjoin
Join to domain is not valid: LDAP_OPERATIONS_ERROR

/var/log/samba/log.smbd :
[2020/11/22 13:13:18.319090,  0] ../../source3/printing/nt_printing.c:252(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

[2020/11/22 12:14:31.081839,  0] ../../source3/winbindd/winbindd_cm.c:1874(wb_open_internal_pipe)
  open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
[2020/11/22 12:14:31.094251,  0] ../../source3/rpc_server/rpc_ncacn_np.c:456(rpcint_dispatch)
  rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR

After searching for some hours, I downgraded to 4.11.14 to solve this problem.

I use the tranquil.it repo; could it be some mis-built packages?

Below is the result of the debug script:

Collected config  --- 2020-11-22-15:37 -----------

Hostname: ef540
DNS Domain: educ-for.local
FQDN: ef540.educ-for.local


Kerberos SRV _kerberos._tcp.educ-for.local record verified ok, sample output:

_kerberos._tcp.educ-for.local   service = 0 100 88 Yoda.educ-for.local.
_kerberos._tcp.educ-for.local   service = 0 100 88 palpatine.educ-for.local.
_kerberos._tcp.educ-for.local   service = 0 100 88 yoda.educ-for.local.
_kerberos._tcp.educ-for.local   service = 0 100 88 vader.educ-for.local.
Samba is running as a Unix domain member
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION="10 (buster)"


This computer is running Debian 10.6 x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether ee:26:ac:b2:ea:04 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0

       Checking file: /etc/hosts       localhost       ef540.educ-for.local


       Checking file: /etc/resolv.conf

domain educ-for.local
search educ-for.local


       Checking file: /etc/krb5.conf

        default_realm = EDUC-FOR.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
        clockskew = 3600


       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat winbind
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


       Checking file: /etc/samba/smb.conf

   workgroup = EDUC-FOR
   security = ADS
   realm = EDUC-FOR.LOCAL
   server role = member server

   bind interfaces only = yes
   interfaces = lo eth0

   # Disable Netbios
   disable netbios = Yes
   smb ports = 445

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config EDUC-FOR:backend  = rid
   idmap config EDUC-FOR:range  = 10000-70000

   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

   domain master = no
   local master = no

   # For ACL support on member file server
   vfs objects = acl_xattr
   map acl inherit = Yes

   # Printing global configuration
   printcap cache time = 60
   printcap name = cups
   rpc_server:spoolss = external
   rpc_daemon:spoolssd = fork
   enumports command = /usr/local/bin/show-ports.sh

   # Disable offline mode on all shares
   csc policy = disable

        path = /home/commun
        read only = no

        path = /home/users
        read only = no

        path = /var/spool/samba
        comment = All Printers
        printable = yes
        printing = CUPS
        create mask = 0700
        guest ok = yes
        print ok = yes
        browseable = no

        comment = Printer Drivers
        path = /var/lib/samba/printing
        writable = yes
        read only = no
        write list = root Administrateur @"Admins du domaine"


Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
    Warning, /etc/idmapd.conf does not exist


Installed packages:
ii  acl                               2.2.53-4                     amd64        access control list - utilities
ii  attr                              1:2.4.48-4                   amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                       2.6                          all          Configuration files for Kerberos Version 5
ii  krb5-locales                      1.17-3+deb10u1               all          internationalization support for MIT Kerberos
ii  krb5-user                         1.17-3+deb10u1               amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.53-4                     amd64        access control list - shared library
ii  libattr1:amd64                    1:2.4.48-4                   amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64            1.17-3+deb10u1               amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                   1.17-3+deb10u1               amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.17-3+deb10u1               amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64              2:4.13.2+dfsg-0.1buster1     amd64        Samba nameservice integration plugins
ii  libsmbclient:amd64                2:4.13.2+dfsg-0.1buster1     amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                2:4.13.2+dfsg-0.1buster1     amd64        Samba winbind client library
ii  python3-samba                     2:4.13.2+dfsg-0.1buster1     amd64        Python 3 bindings for Samba
ii  samba                             2:4.13.2+dfsg-0.1buster1     amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.13.2+dfsg-0.1buster1     all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.13.2+dfsg-0.1buster1     amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64          2:4.13.2+dfsg-0.1buster1     amd64        Samba Directory Services Database
ii  samba-libs:amd64                  2:4.13.2+dfsg-0.1buster1     amd64        Samba core libraries
ii  samba-vfs-modules:amd64           2:4.13.2+dfsg-0.1buster1     amd64        Samba Virtual FileSystem plugins
ii  smbclient                         2:4.13.2+dfsg-0.1buster1     amd64        command-line SMB/CIFS clients for Unix
ii  winbind                           2:4.13.2+dfsg-0.1buster1     amd64        service to resolve user and group information from Windows NT servers
