[Samba] accidentally upgraded DC to 4.17.3 ... didn't work

Michael Tokarev mjt at tls.msk.ru
Thu Nov 24 08:33:32 UTC 2022 

24.11.2022 11:12, Stefan G. Weichinger wrote:
..

> # wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

So your wbinfo can't contact you winbindd running on the same host.
I just checked the strace of wbinfo, knowing nothing about how it
works internally.  It only makes connections to /run/samba/winbindd/pipe,
a local unix-domain socket which is created by winbindd.

So winbindd is not running on this host.  And this is consistent with what
you've seen before, when one winbindd process hasn't been starting,
logging an error of some sort.  Is it the same error message now?
It's been in your message with Date: Tue, 22 Nov 2022 14:07:23 +0100.

And at Tue, 22 Nov 2022 13:23:06 +0100:
[2022/11/22 13:19:27.912603,  5] ../../source3/winbindd/winbindd_dual_srv.c:72(_wbint_InitConnection)
   _wbint_InitConnection: ARBEITSGRUPPE returning without initialization online = 1

this seem to be about ARBEITSGRUPPE, not about idmap part, but let's
see..

It's better to see *current* situation and *current* error messages
instead of assuming it's the same as on another machine.

Is there anything interesting in /var/log/samba/log.winbindd-idmap?
You had idmap process failing, that's the log of it.

You can also try stopping samba-ad-dc and run winbindd manually:

  /usr/sbin/winbindd -D --option="server role check:inhibit=yes" --foreground --debug=10

and take a look at the log files. There should be some errors in there
hopefully.

If not, here's a hammer debugging tool:

systemctl stop samba-ad-dc
apt install strace   # if not installed already)
strace -ff -o /tmp/trc /usr/sbin/winbindd -D --option="server role check:inhibit=yes" --foreground
(and hit Ctrl+C to stop it).

and maybe take a look at /tmp/trc.* or make them available for download
somewhere?

it will show what exactly your winbindd is doing, how it is failing.
It *MIGHT* show sensitive data, but should actually not, provided
there's no other activity on this host (samba is not running) which
is asking for sensitive winbindd data.  The important info should
be at the

This is one thing to fix first: why winbindd refuses to start.

idmap child does not open any inet conenctions, it does not use DNS,
it just manages idmap caches and queries. It is one of the simpler
daemons, to mean, it should not depend on any network-related stuff.

The other thing - errors on another DC - is next.

Thanks,

/mjt

More information about the samba mailing list