samba - Mar 2015 - winbindd: Failed to fetch our own, local AD domain join password for winbindd's internal use

Hello,

I apologize in advance for cross-posting (and posting for help) to
samba-technical, but I've been seeking help on the samba list and bugzilla
since last week and have had no replies. Using Google, I've found this
issue referenced only once on the mailing list and once in a bugzilla bug
(10991). Unfortunately, I've found no resolutions.

The problem appears to be specific to Samba 4.2, where domains were
provisioned using classicupgrade. In my case, the classicupgrade provision
was performed just a few weeks after 4.0.0 was released, going from version
3.6.x > 4.0.0. I have since kept my install fairly up to date throughout
the 4.0 and 4.1 cycles. I am currently trying to upgrade from 4.1.16 to
4.2.0. After this latest upgrade, S4 fails to start, with the above
mentioned error being logged to log.winbindd. I have found that adding
"server services = -winbindd +winbind" allows 4.2.0 to start
correctly.
That said, I decided to revert to the 4.1.16 backup that I took immediately
before the upgrade. I did this just to be safe, as it appears to be
something specific to my AD directory, possibly related to the
classicupgrade. I say this because I do not have the issue with my test
domain, which was newly provisioned from 4.0.0.

I have moved a copy of my live 4.1.16 instance to a VM environment for
testing, and have duplicated the problem in testing. My goal was to upgrade
to 4.2.0 and setup a secondary DC here on-site before standing up 3 more
DCs at branch offices. I am wary of moving forward with this deployment
knowing this problem exists, or without at least better understanding what
is happening. The concern that something wrong with my AD directory
(stemming from the classicupgrade) is what really worries me and I
certainly don't want to start replicating "bad" data to remote
sites.

If anyone has the time and can help me figure out this issue, it would be
much appreciated. I have included links to the bugzilla entry and the only
reference to this issue that I could find. If someone could help me
understand, what is Winbindd looking for when it throws the error "Failed
to fetch our own, local AD domain join password for winbindd's internal
use", perhaps that would get me looking in the right direction.

Bugzilla:
https://bugzilla.samba.org/show_bug.cgi?id=10991

Samba List:
https://lists.samba.org/archive/samba/2014-September/185031.html

log.winbindd
/usr/local/samba/sbin/winbindd: winbindd version 4.2.0 started.
/usr/local/samba/sbin/winbindd: Copyright Andrew Tridgell and the Samba
Team 1992-2014
/usr/local/samba/sbin/winbindd: Maximum core file size limits now
16777216(soft) -1(hard)
/usr/local/samba/sbin/winbindd: Registered MSG_REQ_POOL_USAGE
/usr/local/samba/sbin/winbindd: Registered MSG_REQ_DMALLOC_MARK and
LOG_CHANGED
/usr/local/samba/sbin/winbindd: lp_load_ex: refreshing parameters
/usr/local/samba/sbin/winbindd: Initialising global parameters
/usr/local/samba/sbin/winbindd: rlimit_max: increasing rlimit_max (1024) to
minimum Windows limit (16384)
/usr/local/samba/sbin/winbindd: Processing section "[global]"
/usr/local/samba/sbin/winbindd: added interface enp0s3 ip=10.0.2.100
bcast=10.0.2.255 netmask=255.255.255.0
/usr/local/samba/sbin/winbindd: added interface enp0s3 ip=10.0.2.100
bcast=10.0.2.255 netmask=255.255.255.0
/usr/local/samba/sbin/winbindd: initialize_winbindd_cache: clearing cache
and re-creating with version number 2
/usr/local/samba/sbin/winbindd: Added domain BUILTIN (null) S-1-5-32
/usr/local/samba/sbin/winbindd: Added domain TESTDOM internal.testdom.com
SID_REMOVED
/usr/local/samba/sbin/winbindd: Failed to fetch our own, local AD domain
join password for winbindd's internal use
/usr/local/samba/sbin/winbindd: unable to initialize domain list
Child /usr/local/samba/sbin/winbindd exited with status 1 - Operation not
permitted
winbindd daemon died with exit status 1
task_server_terminate: [winbindd child process exited]
samba_terminate: winbindd child process exited

Hai Tom, 

Im not in 4.2 yet, but maybe i can help analize your problem. ( as long its
possible, big power outage in the netherlands.. )

this : https://lists.samba.org/archive/samba/2014-September/185031.html 
is a good example how not to setup your samba server. 

so before we can think with, please post (and sorry if its again) some info. 

Your OS? 
Compiles samba or os provided samba, or sernet samba? 
and the output of :
cat /etc/hosts
cat /etc/resolv.conf
cat /etc/hostname 
cat /etc/nsswitch.conf 
cat /etc/samba/smb.conf

some commands you can use to check your setup.
sudo net ads info
sudo net ads lookup
wbinfo -D TESTDOM 

Louis




>-----Oorspronkelijk bericht-----
>Van: tsml412101 at gmail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Tom
>Verzonden: donderdag 26 maart 2015 20:18
>Aan: samba-technical at lists.samba.org; samba at lists.samba.org
>Onderwerp: [Samba] winbindd: Failed to fetch our own, local AD 
>domain join password for winbindd's internal use
>
>Hello,
>
>I apologize in advance for cross-posting (and posting for help) to
>samba-technical, but I've been seeking help on the samba list 
>and bugzilla
>since last week and have had no replies. Using Google, I've found this
>issue referenced only once on the mailing list and once in a 
>bugzilla bug
>(10991). Unfortunately, I've found no resolutions.
>
>The problem appears to be specific to Samba 4.2, where domains were
>provisioned using classicupgrade. In my case, the 
>classicupgrade provision
>was performed just a few weeks after 4.0.0 was released, going 
>from version
>3.6.x > 4.0.0. I have since kept my install fairly up to date 
>throughout
>the 4.0 and 4.1 cycles. I am currently trying to upgrade from 4.1.16 to
>4.2.0. After this latest upgrade, S4 fails to start, with the above
>mentioned error being logged to log.winbindd. I have found that adding
>"server services = -winbindd +winbind" allows 4.2.0 to start
correctly.
>That said, I decided to revert to the 4.1.16 backup that I 
>took immediately
>before the upgrade. I did this just to be safe, as it appears to be
>something specific to my AD directory, possibly related to the
>classicupgrade. I say this because I do not have the issue with my test
>domain, which was newly provisioned from 4.0.0.
>
>I have moved a copy of my live 4.1.16 instance to a VM environment for
>testing, and have duplicated the problem in testing. My goal 
>was to upgrade
>to 4.2.0 and setup a secondary DC here on-site before standing 
>up 3 more
>DCs at branch offices. I am wary of moving forward with this deployment
>knowing this problem exists, or without at least better 
>understanding what
>is happening. The concern that something wrong with my AD directory
>(stemming from the classicupgrade) is what really worries me and I
>certainly don't want to start replicating "bad" data to remote
sites.
>
>If anyone has the time and can help me figure out this issue, 
>it would be
>much appreciated. I have included links to the bugzilla entry 
>and the only
>reference to this issue that I could find. If someone could help me
>understand, what is Winbindd looking for when it throws the 
>error "Failed
>to fetch our own, local AD domain join password for winbindd's internal
>use", perhaps that would get me looking in the right direction.
>
>Bugzilla:
>https://bugzilla.samba.org/show_bug.cgi?id=10991
>
>Samba List:
>https://lists.samba.org/archive/samba/2014-September/185031.html
>
>log.winbindd
>/usr/local/samba/sbin/winbindd: winbindd version 4.2.0 started.
>/usr/local/samba/sbin/winbindd: Copyright Andrew Tridgell and the Samba
>Team 1992-2014
>/usr/local/samba/sbin/winbindd: Maximum core file size limits now
>16777216(soft) -1(hard)
>/usr/local/samba/sbin/winbindd: Registered MSG_REQ_POOL_USAGE
>/usr/local/samba/sbin/winbindd: Registered MSG_REQ_DMALLOC_MARK and
>LOG_CHANGED
>/usr/local/samba/sbin/winbindd: lp_load_ex: refreshing parameters
>/usr/local/samba/sbin/winbindd: Initialising global parameters
>/usr/local/samba/sbin/winbindd: rlimit_max: increasing 
>rlimit_max (1024) to
>minimum Windows limit (16384)
>/usr/local/samba/sbin/winbindd: Processing section "[global]"
>/usr/local/samba/sbin/winbindd: added interface enp0s3 ip=10.0.2.100
>bcast=10.0.2.255 netmask=255.255.255.0
>/usr/local/samba/sbin/winbindd: added interface enp0s3 ip=10.0.2.100
>bcast=10.0.2.255 netmask=255.255.255.0
>/usr/local/samba/sbin/winbindd: initialize_winbindd_cache: 
>clearing cache
>and re-creating with version number 2
>/usr/local/samba/sbin/winbindd: Added domain BUILTIN (null) S-1-5-32
>/usr/local/samba/sbin/winbindd: Added domain TESTDOM 
>internal.testdom.com
>SID_REMOVED
>/usr/local/samba/sbin/winbindd: Failed to fetch our own, local 
>AD domain
>join password for winbindd's internal use
>/usr/local/samba/sbin/winbindd: unable to initialize domain list
>Child /usr/local/samba/sbin/winbindd exited with status 1 - 
>Operation not
>permitted
>winbindd daemon died with exit status 1
>task_server_terminate: [winbindd child process exited]
>samba_terminate: winbindd child process exited
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>

On 27/03/15 09:38, L.P.H. van Belle wrote:
> Hai Tom,
>
> Im not in 4.2 yet, but maybe i can help analize your problem. ( as long its
possible, big power outage in the netherlands.. )
>
> this : https://lists.samba.org/archive/samba/2014-September/185031.html
> is a good example how not to setup your samba server.
Er, which part is incorrect ??

Rowland
>
> so before we can think with, please post (and sorry if its again) some
info.
>
> Your OS?
> Compiles samba or os provided samba, or sernet samba?
> and the output of :
> cat /etc/hosts
> cat /etc/resolv.conf
> cat /etc/hostname
> cat /etc/nsswitch.conf
> cat /etc/samba/smb.conf
>
> some commands you can use to check your setup.
> sudo net ads info
> sudo net ads lookup
> wbinfo -D TESTDOM
>
> Louis
>
>
>
>
>
>

# cat /etc/resolv.conf
> domain dc1.domain.com.br
> search domain.com.br
> nameserver 172.17.0.4
>
more cosmetic yes, because of the first domain then search. 
but there should not be domain dc1.domain.com.br there. 
this can mislead others. a "hostname" is not a domain.. 


>-----Oorspronkelijk bericht-----
>Van: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: vrijdag 27 maart 2015 11:22
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] winbindd: Failed to fetch our own, 
>local AD domain join password for winbindd's internal use
>
>On 27/03/15 09:38, L.P.H. van Belle wrote:
>> Hai Tom,
>>
>> Im not in 4.2 yet, but maybe i can help analize your 
>problem. ( as long its possible, big power outage in the 
>netherlands.. )
>>
>> this : 
>https://lists.samba.org/archive/samba/2014-September/185031.html
>> is a good example how not to setup your samba server.
>
>Er, which part is incorrect ??
>
>Rowland
>
>>
>> so before we can think with, please post (and sorry if its 
>again) some info.
>>
>> Your OS?
>> Compiles samba or os provided samba, or sernet samba?
>> and the output of :
>> cat /etc/hosts
>> cat /etc/resolv.conf
>> cat /etc/hostname
>> cat /etc/nsswitch.conf
>> cat /etc/samba/smb.conf
>>
>> some commands you can use to check your setup.
>> sudo net ads info
>> sudo net ads lookup
>> wbinfo -D TESTDOM
>>
>> Louis
>>
>>
>>
>>
>>
>>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>