[Samba] accidentally upgraded DC to 4.17.3 ... didn't work

Stefan G. Weichinger lists at xunil.at
Thu Nov 24 09:05:51 UTC 2022


On 24.11.22 at 10:01, Michael Tokarev wrote:
> 24.11.2022 11:46, Stefan G. Weichinger via samba wrote:
> 
>> Hm, I see it in ps:
>>
>> # ps axf | egrep "winbindd"
>>     5281 pts/0    S+     0:00          \_ grep -E winbindd
>>     5153 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
>>     5159 ?        Ss     0:00  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>>     5186 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]
> 
> There's no idmap child in there. There should be 3 of them
> (also domain child [builtin]);

ok, I see

>> above that nothing special, just reading config and binding to eno1 
>> and lo
> 
> Nope, that won't work, unfortunately.  It dies on me for an ad dc
> configuration because OTHER parts of samba are not running. It can't be
> debugged like this.
> My suggestion was completely wrong - including the hammer one.

ah ...

> Does anyone know how to debug this beast?
> 
> It doesn't log anything interesting when it fails, and it can't be started
> manually without all the other parts of samba either.
> 
> Replacing /usr/sbin/winbindd with a wrapper script which runs winbindd
> under strace? Is there another way?
> 
> ..
>> I will try that hammer in a moment, after sending this.
> 
> Nope. Please excuse me for this wrong suggestion. It won't work.

No problem, I appreciate your help.

I'd be happy to help spotting the issue .. but maybe I should start over 
by manually demoting the dc again?

For now the domain seems to work fine with adc2 active ... but I should 
maybe get adc1 up and synced again in the next hours.

There seem to be more issues on adc1, very likely related to my flaky 
demoting/rejoining:

# tail log.samba
[2022/11/24 10:02:49.258482,  1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:02:49.345700,  1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:02:49.710229,  1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:02:56.893658,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
   dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
[2022/11/24 10:02:57.742230,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
   dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
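
A small triage helper for log excerpts like the one in this message, as an added example that is not part of the original post or of Samba: it parses the log.samba entry layout shown here (timestamp and level, source location, indented message), tolerates the line wrapping a mail client introduces, and groups repeated failures. The function names are made up for this example.

```python
import re

# Entry header: "[YYYY/MM/DD HH:MM:SS.usec,  LEVEL] path/file.c:LINE(function)"
STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
WHERE = re.compile(r"^\S+:\d+\((\w+)\)$")

def parse_entries(text):
    """Return [(timestamp, level, function, message)], rejoining mail-wrapped lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = STAMP.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3), []])
        elif line and entries:
            cur = entries[-1]
            if not cur[2] and WHERE.match(line):
                cur[2] = line          # source location wrapped onto its own line
            else:
                cur[3].append(line)    # message text, possibly wrapped further
    out = []
    for ts, level, where, msg in entries:
        m = WHERE.match(where)
        out.append((ts, level, m.group(1) if m else where, " ".join(" ".join(msg).split())))
    return out

def summarise(text):
    """Group identical (function, message) pairs: count, first and last timestamp."""
    groups = {}
    for ts, _level, func, msg in parse_entries(text):
        g = groups.setdefault((func, msg), {"count": 0, "first": ts, "last": ts})
        g["count"] += 1
        g["last"] = ts
    return groups

# Three entries from the excerpt in this message; only the first keeps the mail wrapping.
SAMPLE = """\
[2022/11/24 10:02:49.258482,  1]
../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see
text): Decrypt integrity check failed for checksum type
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:02:49.345700,  1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:02:56.893658,  1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
   dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
"""

if __name__ == "__main__":
    for (func, msg), g in summarise(SAMPLE).items():
        print(f"{g['count']}x {func} [{g['first']} .. {g['last']}]\n    {msg}")
```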


