samba - Jan 2019 - winbind failed to reset devices.list was: samba.service is masked (Debian 9)

Am 13.01.2019 um 10:44 schrieb Rowland Penny via samba:
> On Sun, 13 Jan 2019 08:09:52 +0100
> Anton Blau via samba <samba at lists.samba.org> wrote:
> Am 12.01.2019 um 23:08 schrieb Rowland Penny via samba:
>>> On Sat, 12 Jan 2019 22:04:50 +0100
>>> Anton Blau via samba <samba at lists.samba.org> wrote:
>>>
>>> Is this all you installed ? :
>>> apt-get install samba
>>>
>>> If so try reading this:
>>>
>>>
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation
>>>
>>>
>> Hello Rowland,
>>
>>
>> thank you for your help. I took a few steps further.
>>
>> * I installed the additional needed packages like
>>
>>
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation
>>
>> apt-get install samba attr winbind krb5-config krb5-user
>>
>> Default Kerberos version 5 realm: DUCK.LOCALLAN
>> Kerberos servers for your realm: fileserver localhost
>> Administrative server for your Kerberos realm: fileserver
> Hmm, you posted this as part of your smb.conf:
>
>    realm = SMBDOMAIN.LOCAL.COMASYS.CH
>    netbios name = FILE
>
> The two do not match.
>
> Can you post the contents of the following files:
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
Sorry, this is my

-> smb.conf

# Global parameters
[global]
         netbios name = FILESERVER
         realm = SMBDOMAIN.DUCK.LOCALLAN
         workgroup = SMBDOMAIN
         dns forwarder = 192.168.1.254
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes

[netlogon]
         path = /var/lib/samba/sysvol/smbdomain.duck.locallan/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No


-> /etc/hostname

fileserver

-> /etc/hosts

127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodesff02::2         ip6-allrouters
# --- BEGIN PVE ---
192.168.1.220 fileserver.duck fileserver
# --- END PVE ---

-> /etc/resolv.conf

# --- BEGIN PVE ---
search duck
nameserver 192.168.1.254
# --- END PVE ---

> Also, if you are going to use the DC as a fileserver, you need to
> install more packages from the list.
O. K. I run:

apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5
krb5-config krb5-user

But I got the same error:

Reading package lists... Done
Building dependency tree
Reading state information... Done
attr is already the newest version (1:2.4.47-2+b2).
krb5-config is already the newest version (2.6).
krb5-user is already the newest version (1.15-1+deb9u1).
libpam-krb5 is already the newest version (4.7-4).
libnss-winbind is already the newest version (2:4.5.12+dfsg-2+deb9u4).
libpam-winbind is already the newest version (2:4.5.12+dfsg-2+deb9u4).
samba is already the newest version (2:4.5.12+dfsg-2+deb9u4).
winbind is already the newest version (2:4.5.12+dfsg-2+deb9u4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
3 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up winbind (2:4.5.12+dfsg-2+deb9u4) ...
Job for winbind.service failed because the control process exited with 
error code.
See "systemctl status winbind.service" and "journalctl -xe"
for details.
invoke-rc.d: initscript winbind, action "start" failed.
* winbind.service - Samba Winbind Daemon
    Loaded: loaded (/lib/systemd/system/winbind.service; enabled; vendor 
preset: enabled)
    Active: failed (Result: exit-code) since Sun 2019-01-13 12:14:43 
UTC; 5ms ago
      Docs: man:winbindd(8)
            man:samba(7)
            man:smb.conf(5)
   Process: 533 ExecStart=/usr/sbin/winbindd $WINBINDOPTIONS 
(code=exited, status=1/FAILURE)
  Main PID: 533 (code=exited, status=1/FAILURE)

Jan 13 12:14:43 fileserver systemd[1]: winbind.service: Failed to reset 
devices.list: Operation n…mitted
Jan 13 12:14:43 fileserver systemd[1]: Starting Samba Winbind Daemon...
Jan 13 12:14:43 fileserver systemd[1]: winbind.service: Main process 
exited, code=exited, status=…AILURE
Jan 13 12:14:43 fileserver systemd[1]: Failed to start Samba Winbind Daemon.
Jan 13 12:14:43 fileserver systemd[1]: winbind.service: Unit entered 
failed state.
Jan 13 12:14:43 fileserver systemd[1]: winbind.service: Failed with 
result 'exit-code'.
Hint: Some lines were ellipsized, use -l to show in full.
dpkg: error processing package winbind (--configure):
  subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of libpam-winbind:amd64:
  libpam-winbind:amd64 depends on winbind (= 2:4.5.12+dfsg-2+deb9u4); 
however:
   Package winbind is not configured yet.

dpkg: error processing package libpam-winbind:amd64 (--configure):
  dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of libnss-winbind:amd64:
  libnss-winbind:amd64 depends on winbind (= 2:4.5.12+dfsg-2+deb9u4); 
however:
   Package winbind is not configured yet.

dpkg: error processing package libnss-winbind:amd64 (--configure):
  dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.24-11+deb9u3) ...
Errors were encountered while processing:
  winbind
  libpam-winbind:amd64
  libnss-winbind:amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)

> It looks like winbind was already installed. 
That´s right. So I try:

dpkg --purge winbind libpam-winbind libnss-winbind
(Reading database ... 23532 files and directories currently installed.)
Removing libpam-winbind:amd64 (2:4.5.12+dfsg-2+deb9u4) ...
Removing libnss-winbind:amd64 (2:4.5.12+dfsg-2+deb9u4) ...
Removing winbind (2:4.5.12+dfsg-2+deb9u4) ...
Purging configuration files for winbind (2:4.5.12+dfsg-2+deb9u4) ...
Processing triggers for man-db (2.7.6.1-2) ...
Processing triggers for libc-bin (2.24-11+deb9u3) ...
Processing triggers for systemd (232-25+deb9u6) ...

But after install I got the same error.

That is actually a good thing, on a Samba AD DC you ONLY start
the
> 'samba' binary. This is achieved on Debian by 'systemctl
> start samba-ad-dc', the 'samba' binary will then start
'smbd' &
> 'winbind'
>
O. K. If I start with systemctl start samba-ad-dc I got in /var/log/syslog:


Jan 13 12:22:56 fileserver samba[1036]:   samba version 4.5.12-Debian 
started.
Jan 13 12:22:56 fileserver samba[1036]:   Copyright Andrew Tridgell and 
the Samba Team 1992-2016
Jan 13 12:22:56 fileserver systemd[1]: samba-ad-dc.service: Supervising 
process 1037 which is not our child. We'll most likely not notice when 
it exits.
Jan 13 12:22:57 fileserver samba[1037]: [2019/01/13 12:22:57.599804,  0] 
../source4/smbd/server.c:479(binary_smbd_main)
Jan 13 12:22:57 fileserver samba[1037]:   samba: using 'standard' 
process model
Jan 13 12:22:57 fileserver samba[1042]: [2019/01/13 12:22:57.613205,  0] 
../source4/lib/tls/tlscert.c:72(tls_cert_generate)
Jan 13 12:22:57 fileserver samba[1042]:   Attempting to autogenerate TLS 
self-signed keys for https forhostname
'FILESERVER.smbdomain.duck.locallan'
Jan 13 12:22:57 fileserver systemd[1]: Started Samba AD Daemon.
Jan 13 12:22:57 fileserver samba[1037]: [2019/01/13 12:22:57.633624,  0] 
../lib/util/become_daemon.c:124(daemon_ready)
Jan 13 12:22:57 fileserver samba[1037]:   STATUS=daemon 'samba' finished
starting up and ready to serveconnections
Jan 13 12:22:57 fileserver winbindd[1051]: [2019/01/13 12:22:57.750434,  
0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
Jan 13 12:22:57 fileserver winbindd[1051]: initialize_winbindd_cache: 
clearing cache and re-creating with version number 2
Jan 13 12:23:11 fileserver samba[1042]: [2019/01/13 12:23:11.240203,  0] 
../source4/lib/tls/tlscert.c:167(tls_cert_generate)
Jan 13 12:23:11 fileserver samba[1042]:   TLS self-signed keys generated OK
Jan 13 12:23:17 fileserver samba[1049]: [2019/01/13 12:23:17.940007,  0] 
../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Jan 13 12:23:17 fileserver samba[1049]: 
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error 
code 110
Jan 13 12:23:19 fileserver samba[1049]: [2019/01/13 12:23:19.332778,  0] 
../source4/dsdb/dns/dns_update.c:313(dnsupdate_spnupdate_done)
Jan 13 12:23:19 fileserver samba[1049]: 
../source4/dsdb/dns/dns_update.c:313: Failed SPN update - with error 
code 110
Jan 13 12:23:21 fileserver samba[1037]: [2019/01/13 12:23:21.061943,  0] 
../source4/smbd/process_standard.c:127(standard_child_pipe_handler)
Jan 13 12:23:21 fileserver samba[1037]:   Child 1044 (kdc) terminated 
with signal 9

On Sun, 13 Jan 2019 14:01:36 +0100
Anton Blau via samba <samba at lists.samba.org> wrote:

> >
> > Can you post the contents of the following files:
> >
> > /etc/hostname
> > /etc/hosts
> > /etc/resolv.conf
> 
> Sorry, this is my
> 
> -> smb.conf
> 
> # Global parameters
> [global]
>          netbios name = FILESERVER
>          realm = SMBDOMAIN.DUCK.LOCALLAN
>          workgroup = SMBDOMAIN
>          dns forwarder = 192.168.1.254
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/smbdomain.duck.locallan/scripts
>          read only = No
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> 
> -> /etc/hostname
> 
> fileserver
> 
> -> /etc/hosts
> 
> 127.0.0.1       localhost
> ::1             localhost ip6-localhost ip6-loopback
> ff02::1         ip6-allnodesff02::2         ip6-allrouters
> # --- BEGIN PVE ---
> 192.168.1.220 fileserver.duck fileserver
> # --- END PVE ---
Your realm (which is usually in uppercase) MUST be the same as your DNS
domain.
Your realm is 'SMBDOMAIN.DUCK.LOCALLAN'
Your dns domain is 'duck'

They do not match!
> 
> -> /etc/resolv.conf
> 
> # --- BEGIN PVE ---
> search duck
> nameserver 192.168.1.254
> # --- END PVE ---
This is a DC, it MUST use its own ipaddress as the nameserver, so it
should be:

search duck
nameserver 192.168.1.220

I forgot to ask for the contents of /etc/krb5.conf
It should be this:

[libdefaults]
	default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Where 'SAMDOM.EXAMPLE.COM' is replaced with your realm.

Rowland

Am 13.01.2019 um 14:18 schrieb Rowland Penny via samba:
> On Sun, 13 Jan 2019 14:01:36 +0100
> Anton Blau via samba <samba at lists.samba.org> wrote:
>
>
>>>
>>>
>>> Rowland
>>>
I made a new installation of the lxc samba. No it runs.


Thank you for your help.


Tony