[Samba] winbind error after startup on Samba member server

Peter Milesson miles at atmos.eu
Fri Jun 14 19:05:51 UTC 2024



On 13.06.2024 20:33, Peter Milesson via samba wrote:
>
>
> On 13.06.2024 17:21, Rowland Penny via samba wrote:
>> On Thu, 13 Jun 2024 16:26:17 +0200
>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>
>>> Hi folks,
>>>
>>> The last log record from journalctl -xeu winbind directly after
>>> winbind startup is:
>>>
>>>      Jun 13 12:41:36 datasrv winbindd[582]: gpupdate_cmd_done: gpupdate
>>>      failed with exit status 1
>>>
>>> For completeness, the log entries for winbind startup are displayed
>>> below.
>>>
>>> Things seem to work though, but I have never seen it before (I don't
>>> like error messages). When I noticed the message I ran a sysvolcheck,
>>> but that was OK. After restart of winbind the message sequence was
>>> the same. There were no messages in the DC, that could be linked to
>>> the error.
>>>
>>> I would be grateful for a clarification, if the message is important,
>>> or I just shouldn't care.
>>>
>>> Best regards,
>>>
>>> Peter
>>>
>>> OS: Debian Bookworm with bookworm-backports (updated)
>>> Forest and domain levels 2016.
>>>
>>> smb.conf below
>>>
>>> [global]
>>>           apply group policies = Yes
>>>           debug pid = Yes
>>>           debug uid = Yes
>>>           dedicated keytab file = /etc/krb5.keytab
>>>           disable netbios = Yes
>>>           disable spoolss = Yes
>>>           smb ports = 445
>>>           kerberos method = secrets and keytab
>>>           printcap name = /dev/null
>>>           realm = PRIVATE.TALPS
>>>           restrict anonymous = 2
>>>           security = ADS
>>>           server role = member server
>>>           template homedir = /home/%U
>>>           template shell = /bin/bash
>>>           username map = /etc/samba/user.map
>>>           min domain uid = 0
>>>           winbind enum groups = Yes
>>>           winbind enum users = Yes
>>>           winbind expand groups = 4
>>>           winbind refresh tickets = Yes
>>>           winbind use default domain = Yes
>>>           workgroup = PRIVATE
>>>           idmap config private : range = 10000-99999
>>>           idmap config private : backend = rid
>>>           idmap config * : range = 3000-9999
>>>           idmap config * : backend = tdb
>>>           map acl inherit = Yes
>>>           vfs objects = acl_xattr
>>>
>>> (and yes, I sincerely dislike how testparm is messing up smb.conf)
>>> winbind enum is just on during testing
>>>
>>>
>>> excerpt from journalctl -xeu winbind on the member server
>>>
>>> Jun 13 12:41:35 datasrv samba-dcerpcd[597]:   samba-dcerpcd version
>>> 4.20.1-Debian started.
>>> Jun 13 12:41:35 datasrv samba-dcerpcd[597]:   Copyright Andrew
>>> Tridgell and the Samba Team 1992-2024
>>> Jun 13 12:41:36 datasrv rpcd_lsad[610]: [2024/06/13 12:41:36.064459,
>>> 0, pid=610, effective(0, 0), real(0, 0)]
>>> source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
>>> Jun 13 12:41:36 datasrv rpcd_lsad[610]:   rpcd_lsad version
>>> 4.20.1-Debian started.
>>> Jun 13 12:41:36 datasrv rpcd_lsad[610]:   Copyright Andrew Tridgell
>>> and the Samba Team 1992-2024
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.207955,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> Traceback (most recent call last):
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208001,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> File "/usr/sbin/samba-gpupdate", line 135, in <module>
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208019,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> apply_gp(lp, creds, store, gp_extensions, username,
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208030,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 1011,
>>> in apply_gp Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13
>>> 12:41:36.208413, 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> gpos = get_gpo_list(dc_hostname, creds, lp, username)
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208434,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208444,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 850,
>>> in get_gpo_list
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208597,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> uac, dn = find_samaccount(samdb, username.split('\\')[-1])
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208612,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208621,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 694,
>>> in find_samaccount
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208633,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> res = samdb.search(samdb.get_default_basedn(), ldb.SCOPE_SUBTREE,
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208650,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13 12:41:36.208660,
>>> 0, pid=582, effective(0, 0), real(0, 0)]
>>> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
>>> Jun 13 12:41:36 datasrv winbindd[582]: /usr/sbin/samba-gpupdate:
>>> _ldb.LdbError: (1, '00002020: Operation unavailable without
>>> authentication') Jun 13 12:41:36 datasrv winbindd[582]: [2024/06/13
>>> 12:41:36.230755, 0, pid=582, effective(0, 0), real(0, 0)]
>>> source3/winbindd/winbindd_gpupdate.c:182(gpupdate_cmd_done)
>>> Jun 13 12:41:36 datasrv winbindd[582]:   gpupdate_cmd_done: gpupdate
>>> failed with exit status 1
>> If you wade through all the log output it tells you the reason that
>> gpupdate is failing:
>>
>> (1, '00002020: Operation unavailable without authentication')
>>
>> Now why it is failing is another question.
>> Have you recently upgraded Samba and it has started doing this, or was
>> it working previously on 4.20.1 and is now failing?
>>
>> Rowland
>>
> Hi Rowland,
>
> It's a completely new installation with the most recent Samba from 
> Bookworm backports. I cannot compare with the previous installation, 
> as the SSD died, and I had to set it up from scratch.
>
> Yes, I noticed that the failure is due to unavailable authentication, 
> but why? And what are the consequences, if any?
>
> I can compare with another member server that started its life as a 
> Debian Bullseye with Samba 4.17.x. It has been upgraded to keep up 
> with the current status of Debian and Samba. The smb.conf is almost 
> identical. But instead, it continues the old nagging (all the way from 
> start):
>
> Jun 13 20:25:07 linuxdev winbindd[704]: [2024/06/13 20:25:07.417641,  
> 0] lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> Jun 13 20:25:07 linuxdev winbindd[704]: /usr/sbin/samba-gpupdate: ldb: 
> Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 
> 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No 
> such file or directory
>
> The two winbindd logs seem to have samba-gpupdate in common, however. 
> But why are they different? Both are now 4.20.1, and should behave 
> similarly. But it does not seem to have any practical impact. BTW, 
> secrets.ldb never existed. There is a secrets.tdb file, however.
>
> I'm not in the position to dig down in the Samba source code, but 
> hopefully somebody with a deeper knowledge could explain what's going on.
>
> Best regards,
>
> Peter
>
>
>
Hi folks,

I think I have sorted it out. Hopefully.

I installed samba-dsdb-modules, and then the complaints stopped. I had 
the impression that samba-dsdb-modules are only required on an AD DC, but 
that's probably not completely true.

On the other server with frequent complaints about "Failed to connect to 
'/var/lib/samba/private/secrets.ldb'", it was a dangling 
misconfiguration in smb.conf. The parameter "inherit acls" seems to be 
the culprit. I set ACLs exclusively from Windows and this parameter is 
used when setting POSIX ACLs. Now, Samba seems to be satisfied.

I wish everybody a nice weekend.

Peter
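
Added example (not part of the original posts and not Samba code): a small Python filter that drops the per-line debug headers winbindd writes around the relayed samba-gpupdate output, so the traceback, its final exception and the exit status can be read directly. It assumes unwrapped journalctl output with one record per line; the sample records are constructed from the excerpt quoted in this thread.

```python
import re

# journald prefix on winbindd records: "Jun 13 12:41:36 host winbindd[582]: msg"
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ winbindd\[\d+\]: ?(.*)$")
# Samba debug header: "[2024/06/13 12:41:36.207955, 0, ...] file.c:355(function)"
HEADER = re.compile(r"^\s*\[\d{4}/\d\d/\d\d [\d:.]+,.*\]\s+\S+:\d+\(\w+\)\s*$")
# Output of the child process, relayed by winbindd with the script path in front
CHILD = re.compile(r"^\s*/\S*samba-gpupdate: ?(.*)$")
STATUS = re.compile(r"gpupdate failed with exit status (\d+)")


def summarize(lines):
    """Return (child_output, exception_line, exit_status) for winbindd journal lines."""
    child, status = [], None
    for raw in lines:
        m = PREFIX.match(raw.rstrip("\n"))
        if not m:
            continue                      # not a winbindd record
        msg = m.group(1)
        if HEADER.match(msg):
            continue                      # debug header, carries no error text
        c = CHILD.match(msg)
        if c:
            child.append(c.group(1))      # one line of samba-gpupdate's own output
            continue
        s = STATUS.search(msg)
        if s:
            status = int(s.group(1))
    # The exception is the last relayed line that is not a caret marker row.
    exc = next((l.strip() for l in reversed(child)
                if l.strip() and set(l.strip()) != {"^"}), None)
    return child, exc, status


# Constructed sample: records modelled on the excerpt in this thread, one per line.
_P = "Jun 13 12:41:36 datasrv winbindd[582]: "
_H = (_P + "[2024/06/13 12:41:36.208001,  0, pid=582, effective(0, 0), real(0, 0)] "
      "lib/util/util_runcmd.c:355(samba_runcmd_io_handler)")
SAMPLE = [
    _H, _P + "  /usr/sbin/samba-gpupdate: Traceback (most recent call last):",
    _H, _P + '  /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/'
             'samba/gp/gpclass.py", line 694, in find_samaccount',
    _H, _P + "  /usr/sbin/samba-gpupdate:     ^^^^^^^^^^^^^^^^",
    _H, _P + "  /usr/sbin/samba-gpupdate: _ldb.LdbError: (1, '00002020: Operation "
             "unavailable without authentication')",
    _P + "[2024/06/13 12:41:36.230755,  0, pid=582, effective(0, 0), real(0, 0)] "
         "source3/winbindd/winbindd_gpupdate.c:182(gpupdate_cmd_done)",
    _P + "  gpupdate_cmd_done: gpupdate failed with exit status 1",
]

if __name__ == "__main__":
    out, exc, status = summarize(SAMPLE)
    print("\n".join(out), f"\nexception: {exc} | exit status: {status}")
```

On a live member server, feed it the lines of `journalctl -u winbind --no-pager` instead of SAMPLE.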



