with most recent git master smbd fails to start in AD DC mode

Sat Mar 22 09:49:46 MDT 2014

On Sat, Mar 22, 2014 at 04:38:00PM +0100, Günter Kukkukk wrote:
> Am 22.03.2014 09:55, schrieb Andrew Bartlett:
> > On Sat, 2014-03-22 at 04:31 +0100, Günter Kukkukk wrote:
> >> http://git.samba.org/?p=samba.git;a=commit;h=6034ab521c47fc5f4732398652c9c6847ff92035
> >>
> >> introduced the following failure (in AD DC mode):
> >>
> >> ....
> >> /usr/local/samba/sbin/smbd: smbd version 4.2.0pre1-GIT-7fdb21c started.
> >> /usr/local/samba/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2014
> >> /usr/local/samba/sbin/smbd: Registered MSG_REQ_POOL_USAGE
> >> /usr/local/samba/sbin/smbd: Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> >> /usr/local/samba/sbin/smbd: lp_load_ex: refreshing parameters
> >> /usr/local/samba/sbin/smbd: Initialising global parameters
> >> /usr/local/samba/sbin/smbd: rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> >> /usr/local/samba/sbin/smbd: params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
> >> /usr/local/samba/sbin/smbd: Processing section "[global]"
> >> /usr/local/samba/sbin/smbd: Processing section "[netlogon]"
> >> /usr/local/samba/sbin/smbd: Processing section "[sysvol]"
> >> /usr/local/samba/sbin/smbd: Processing section "[test]"
> >> /usr/local/samba/sbin/smbd: adding IPC service
> >> /usr/local/samba/sbin/smbd: added interface eno16777736 ip=2a02:8109:8f40:107c:20c:29ff:fe3b:8649 bcast= netmask=ffff:ffff:ffff:ffff::
> >> /usr/local/samba/sbin/smbd: added interface eno16777736 ip=192.168.200.70 bcast=192.168.200.255 netmask=255.255.255.0
> >> /usr/local/samba/sbin/smbd: added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> >> /usr/local/samba/sbin/smbd: added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> >> /usr/local/samba/sbin/smbd: loaded services
> >> /usr/local/samba/sbin/smbd: Becoming a daemon.
> >> /usr/local/samba/sbin/smbd: ldb_wrap open of idmap.ldb
> >> /usr/local/samba/sbin/smbd: getpwuid(3000011) failed                     <<<<<===== !!!!!?
> >> /usr/local/samba/sbin/smbd: Failed to finalize nt token
> >> /usr/local/samba/sbin/smbd: create_local_token failed: NT_STATUS_UNSUCCESSFUL
> >> /usr/local/samba/sbin/smbd: ERROR: failed to setup guest info.
> >> Child /usr/local/samba/sbin/smbd exited with status 255 - Unknown error 255
> >> file_server smbd daemon died with exit status 255
> >> task_server_terminate: [smbd child process exited]
> >> samba_terminate: smbd child process exited
> >> ------------
> >>
> >> When i revert this patch at least all former stuff is working again.
> > 
> > It probably would start if you had nss_winbind installed and running,
> > but this isn't a requirement and many sites quite reasonably don't have
> > it enabled.
> > 
> > We also can't just allow it to fail in the AD DC, as then a 'guest only'
> > share would fail.  (But it isn't used otherwise, because of the way the
> > AD DC authz stack is redirected). 
> > 
> > Andrew Bartlett
> > 
> 
> Hi Andrew,
> 
> libnss_winbind.so is installed:
> 
> li131:/lib64 # ls -al libnss_winbind*
> lrwxrwxrwx 1 root root 19 Dec  3 17:46 libnss_winbind.so -> libnss_winbind.so.2
> lrwxrwxrwx 1 root root 40 Dec  3 17:45 libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
> 
> ldconfig -v | grep winbind
> libnss_winbind.so -> libnss_winbind.so.2
> 
> li131:/lib64 # cat /etc/nsswitch.conf
> ... snip
> passwd: compat winbind
> group:  compat winbind
> 
> Cheers, Günter

Hi Günter,

Don't revert the patch yet as it does fix a fairly
important fileserving bug.

The big questions is why the getpwuid(3000011) is
failing ? Where is that uid coming from ? It should
I think have been created from a SID -> uid mapping,
in which case it should be a valid uid to lookup
in the password db.

It looks like it's a uid being used for 'guest'.
Is it possible a guest uid doesn't actually
exist and can't be looked up in the password db ?

If so and we want to allow that then I can make
the getpwuid look fail a non-fatal error in that
code path. But I'd rather figure that out first :-).

Thanks for catching that one !

Jeremy.