Andrea Venturoli
2019-Feb-17 17:26 UTC
[Samba] Troubles upgrading jailed DC from 4.8.7 to 4.8.9
Hello. On several FreeBSD 11.2/amd64 servers, I've got a jail dedicated to running Samba as an AD DC. Some days ago I upgraded one of them from 4.8.7 to 4.8.9 and suddenly everything stopped working. Since it was a production box, I immediately restored the whole jail from a backup, with no chance to better investigate. Today, with more time, I tried on another server and again I run into trouble (although I'm not sure the details are exactly the same). After the upgrade Samba would not start at all, with the following in the logs:> [2019/02/17 18:15:35.200206, 0] ../source4/smbd/server.c:502(binary_smbd_main) > samba version 4.8.9 started. > Copyright Andrew Tridgell and the Samba Team 1992-2018 > root at dc1:~ # [2019/02/17 18:15:35.379881, 0] ../source4/smbd/server.c:674(binary_smbd_main) > binary_smbd_main: samba: using 'standard' process model > [2019/02/17 18:15:35.384663, 0] ../source4/nbt_server/interfaces.c:228(nbtd_add_socket) > Failed to bind to 10.1.2.34:137 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED > [2019/02/17 18:15:35.384752, 0] ../source4/smbd/service_task.c:36(task_server_terminate) > task_server_terminate: task_server_terminate: [nbtd failed to setup interfaces] > [2019/02/17 18:15:35.396234, 0] ../lib/util/become_daemon.c:138(daemon_ready) > daemon_ready: STATUS=daemon 'samba' finished starting up and ready to serve connections > [2019/02/17 18:15:35.397963, 0] ../source4/smbd/server.c:288(samba_terminate) > samba_terminate: samba_terminate of samba 98006: nbtd failed to setup interfaces10.1.2.34 is the jail's own IP and I'm sure nothing is running on port 137 there. Relevant part of my smb4.conf> [global] > allow dns updates=nonsecure > log level=1 > workgroup = XXXXX > realm = xxxxx.xxxxxxxx.xx > netbios name = DC1 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder=10.1.2.13 10.1.2.15 > interfaces=vlan1 10.1.2.34/24 > bind interfaces only=yes > ntlm auth=YESAfter a web search I found the solution is to add: > server services=-nbt Is this problem expected? Or a regression? Will this workaround have any side-effect? bye & Thanks av.
Rowland Penny
2019-Feb-17 19:18 UTC
[Samba] Troubles upgrading jailed DC from 4.8.7 to 4.8.9
On Sun, 17 Feb 2019 18:26:21 +0100 Andrea Venturoli via samba <samba at lists.samba.org> wrote:> Hello. > > On several FreeBSD 11.2/amd64 servers, I've got a jail dedicated to > running Samba as an AD DC. > > Some days ago I upgraded one of them from 4.8.7 to 4.8.9 and suddenly > everything stopped working. > Since it was a production box, I immediately restored the whole jail > from a backup, with no chance to better investigate. > > > > Today, with more time, I tried on another server and again I run into > trouble (although I'm not sure the details are exactly the same). > > After the upgrade Samba would not start at all, with the following in > the logs: > > [2019/02/17 18:15:35.200206, > > 0] ../source4/smbd/server.c:502(binary_smbd_main) samba version > > 4.8.9 started. Copyright Andrew Tridgell and the Samba Team > > 1992-2018 root at dc1:~ # [2019/02/17 18:15:35.379881, > > 0] ../source4/smbd/server.c:674(binary_smbd_main) binary_smbd_main: > > samba: using 'standard' process model [2019/02/17 18:15:35.384663, > > 0] ../source4/nbt_server/interfaces.c:228(nbtd_add_socket) Failed > > to bind to 10.1.2.34:137 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED > > [2019/02/17 18:15:35.384752, > > 0] ../source4/smbd/service_task.c:36(task_server_terminate) > > task_server_terminate: task_server_terminate: [nbtd failed to setup > > interfaces] [2019/02/17 18:15:35.396234, > > 0] ../lib/util/become_daemon.c:138(daemon_ready) daemon_ready: > > STATUS=daemon 'samba' finished starting up and ready to serve > > connections [2019/02/17 18:15:35.397963, > > 0] ../source4/smbd/server.c:288(samba_terminate) samba_terminate: > > samba_terminate of samba 98006: nbtd failed to setup interfaces > > 10.1.2.34 is the jail's own IP and I'm sure nothing is running on > port 137 there. > > Relevant part of my smb4.conf > > > [global] > > allow dns updates=nonsecure > > log level=1 > > workgroup = XXXXX > > realm = xxxxx.xxxxxxxx.xx > > netbios name = DC1 > > server role = active directory domain controller > > idmap_ldb:use rfc2307 = yes > > dns forwarder=10.1.2.13 10.1.2.15 > > interfaces=vlan1 10.1.2.34/24 > > bind interfaces only=yes > > ntlm auth=YES > > After a web search I found the solution is to add: > > server services=-nbt > > Is this problem expected?No Possible things to check: Is the ip for vlan1 10.1.2.34 ? Try just setting 'vlan1' Is the 'nmbd' binary being started separately> Or a regression?Possibly, if it worked before the upgrade, it is normally expected to work after the upgrade. There is probably only one exception to this, if what was working, wasn't supposed to and had been fixed. Rowland> Will this workaround have any side-effect?You will not have any network browsing at all, but there is very little with a DC anyway.
Andrea Venturoli
2019-Feb-18 08:13 UTC
[Samba] Troubles upgrading jailed DC from 4.8.7 to 4.8.9
On 2/17/19 8:18 PM, Rowland Penny via samba wrote:> Possible things to check: > Is the ip for vlan1 10.1.2.34 ?Sure. It's the only IP vlan1 has inside the jail; it's shown as an alias on the base host.> Try just setting 'vlan1'You mean change "interfaces=vlan1 10.1.2.34/24" to just "interfaces=vlan1"? It doesn't change anything (still Samba doesn't start unless I disable nbt service).> Is the 'nmbd' binary being started separatelyI don't have nmbd running (not before and not after the upgrade). Isn't this normal on an AD DC?>> Or a regression? > > Possibly, if it worked before the upgrade, it is normally expected to > work after the upgrade. There is probably only one exception to this, > if what was working, wasn't supposed to and had been fixed.That's what I'd like to know :) Is my config ok? Or is there's something wrong in my smb4.conf and I don't see it? Anything I should report?> You will not have any network browsing at all, but there is very little > with a DC anyway.I'm personally fine with that; not sure about other users, though... bye & Thanks av.