[Samba] accidentally upgraded DC to 4.17.3 ... didn't work

Stefan G. Weichinger lists at xunil.at
Thu Nov 24 09:32:48 UTC 2022 

Am 24.11.22 um 10:01 schrieb Michael Tokarev:
> 24.11.2022 11:46, Stefan G. Weichinger via samba wrote:
> 
>> Hm, I see it in ps:
>>
>> # ps axf | egrep "winbindd"
>>     5281 pts/0    S+     0:00          \_ grep -E winbindd
>>     5153 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork 
>> master
>>     5159 ?        Ss     0:00  |           \_ /usr/sbin/winbindd -D 
>> --option=server role check:inhibit=yes --foreground
>>     5186 ?        S      0:00  |               \_ winbindd: domain 
>> child [ARBEITSGRUPPE]
> 
> There's no idmap child in there. There should be 3 of them
> (also domain child {builtin]);

It gets even stranger:

now the processes are there:

# ps axf | egrep "winbindd"
    6516 pts/0    S+     0:00      |   \_ grep -E winbindd
    5960 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
    5967 ?        Ss     0:03  |           \_ /usr/sbin/winbindd -D 
--option=server role check:inhibit=yes --foreground
    5986 ?        S      0:00  |               \_ winbindd: domain child 
[ARBEITSGRUPPE]
    6311 ?        S      0:00  |               \_ winbindd: domain child 
[BUILTIN]
    6312 ?        S      0:00  |               \_ winbindd: idmap child


# tail log.samba
[2022/11/24 10:30:01.604138,  2] 
../../source4/dns_server/dns_update.c:824(dns_server_process_update)
   Got a dns update request.
[2022/11/24 10:30:01.604970,  2] 
../../source4/dns_server/dns_update.c:781(dns_update_allowed)
   Update not allowed for unsigned packet.
[2022/11/24 10:30:01.629463,  1] 
../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Decrypt integrity check failed for checksum type 
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:30:01.629577,  1] 
../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
   gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing 
NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2022/11/24 10:30:01.629641,  1] 
../../source4/dns_server/dns_query.c:888(handle_tkey)
   GSS key negotiation returned NT_STATUS_LOGON_FAILURE

# log.winbindd-idmap

[2022/11/24 10:17:33.421300,  4] 
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
   Finished processing child request 55
[2022/11/24 10:17:33.423146,  4] 
../../source3/winbindd/winbindd_dual.c:1633(child_handler)
   child daemon request 55
[2022/11/24 10:17:33.423173,  4] 
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
   Finished processing child request 55
[2022/11/24 10:17:33.424572,  4] 
../../source3/winbindd/winbindd_dual.c:1633(child_handler)
   child daemon request 55
[2022/11/24 10:17:33.424593,  4] 
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
   Finished processing child request 55
[2022/11/24 10:17:33.426483,  4] 
../../source3/winbindd/winbindd_dual.c:1633(child_handler)
   child daemon request 55
[2022/11/24 10:17:33.426511,  4] 
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
   Finished processing child request 55


# tail log.wb-ARBEITSGRUPPE
[2022/11/24 10:29:55.915181,  3] 
../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
   sam_name_to_sid: ARBEITSGRUPPE\POSTFIX
[2022/11/24 10:29:55.915625,  4] 
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
   Finished processing child request 55
[2022/11/24 10:29:55.917674,  4] 
../../source3/winbindd/winbindd_dual.c:1633(child_handler)
   child daemon request 55
[2022/11/24 10:29:55.917737,  3] 
../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
   sam_name_to_sid: ARBEITSGRUPPE\MONIT
[2022/11/24 10:29:55.918105,  4] 
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
   Finished processing child request 55

# tail log.winbindd
[2022/11/24 10:31:40.400440,  3] 
../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
   [nss_winbind (3886)] Winbind external command GETPWNAM start.
   Query username '*'.
[2022/11/24 10:31:40.400457,  5] 
../../source3/winbindd/wb_lookupname.c:52(wb_lookupname_send)
   WB command lookupname start.
   Search namespace 'ARBEITSGRUPPE' and domain 'ARBEITSGRUPPE' for name '*'.
[2022/11/24 10:31:40.409343,  1] 
../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2022/11/24 10:31:40.409373,  3] 
../../source3/winbindd/winbindd.c:563(process_request_done)
   process_request_done: [nss_winbind(3886):GETPWNAM]: NT_STATUS_NONE_MAPPED

# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret


I might have to restart samba-ad-dc.service, but wait for feedback ...

More information about the samba mailing list