samba - Nov 2019 - security=domain fails after upgr. to 4.9, winbind doesn't help

Hi,

we've problems getting samba shares to work after upgrading from 4.7 to 4.9.
We have one samba PDC server providing some shares and the users via local
passdb.tdb file. Its smb.conf (names/ips changed):

[global]
         security = user
         encrypt passwords = yes
         passdb backend = tdbsam:/etc/samba/passdb.tdb
         workgroup = OURWORKGROUP
         netbios name = SERVER1
         server string = main server
         map untrusted to domain = Yes

         local master = yes
         preferred master = yes
         domain master = yes
         os level = 255
         wins support = yes

         dns proxy = yes
         name resolve order = host wins bcast

         hosts allow = <our networks>

[... the shares ...]


And one server that is providing some shares and does user authentification via
the PDC. It's smb.conf:
[global]
         security = domain
         password server = SERVER1
         encrypt passwords = yes
         guest ok = no

         workgroup = OURWORKGROUP
         netbios name = SERVER2
         server string = secondary server

         local master = yes
         preferred master = no
         domain master = no
         os level = 40
         wins server = SERVER1

         dns proxy = yes
         name resolve order = host wins bcast

         hosts allow = <our networks>

[ ... the shares ... ]


We have windows terminal server using these shares, some win 10 clients and some
linux clients.

This all worked fine when both servers ran samba 4.7. Now SERVER2 was upgraded
to samba 4.9 (because SuSE Linux Enterprise 15 was updated to 15 SP1, SERVER1 is
still running 15 without SP1) and I learned that "security = domain"
no longer works without winbind. I thought I could just start winbind to use the
"netlogon proxy only mode", so I did that on both servers.

So, winbindd is running on SERVER2:

server2 /root# rcwinbind status
* winbind.service - Samba Winbind Daemon
    Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor
preset: disabled)
    Active: active (running) since Thu 2019-11-28 15:47:13 CET; 1h 21min ago
  Main PID: 20444 (winbindd)
    Status: "winbindd: ready to serve connections..."
     Tasks: 2 (limit: 4915)
    CGroup: /system.slice/winbind.service
            |-20444 /usr/sbin/winbindd --foreground --no-process-group
            `-20446 /usr/sbin/winbindd --foreground --no-process-group

Nov 28 15:47:13 server2 winbindd[20444]: [2019/11/28 15:47:13.100030,  0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
Nov 28 15:47:13 server2 winbindd[20444]:   initialize_winbindd_cache: clearing
cache and re-creating with version number 2
Nov 28 15:47:13 server2 winbindd[20444]: [2019/11/28 15:47:13.101272,  0]
../lib/util/become_daemon.c:138(daemon_ready)
Nov 28 15:47:13 server2 winbindd[20444]:   daemon_ready: STATUS=daemon
'winbindd' finished starting up and ready to serve connections


But even after restaring smbd, it doesn't find winbindd:
server2 /root# rcsmb status
* smb.service - Samba SMB Daemon
    Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset:
disabled)
    Active: active (running) since Thu 2019-11-28 16:47:35 CET; 22min ago
  Main PID: 26379 (smbd)
    Status: "smbd: ready to serve connections..."
     Tasks: 4 (limit: 4915)
    CGroup: /system.slice/smb.service
            |-26379 /usr/sbin/smbd --foreground --no-process-group
            |-26381 /usr/sbin/smbd --foreground --no-process-group
            |-26382 /usr/sbin/smbd --foreground --no-process-group
            `-26383 /usr/sbin/smbd --foreground --no-process-group

Nov 28 16:47:35 server2 smbd[26379]: [2019/11/28 16:47:35.114442,  0]
../lib/util/become_daemon.c:138(daemon_ready)
Nov 28 16:47:35 server2 smbd[26379]:   daemon_ready: STATUS=daemon
'smbd' finished starting up and ready to serve connections
Nov 28 17:10:16 server2 smbd[29446]: [2019/11/28 17:10:16.947758,  0]
../source3/auth/auth_winbind.c:122(check_winbind_security)
Nov 28 17:10:16 server2 smbd[29446]:   check_winbind_security: winbindd not
running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

The last two lines appear in the log after doing a "smbclient -D
OURWORKGROUP -U someuser -L //SERVER2/" which returns
Enter WORKGROUP\somuser's password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

Do I need to setup some winbind options for just using the "netlogon proxy
only mode"? All documentation I find is only about using winbind with nss
or kerberos or windows ad controllers etc., nothing is explained about the proxy
only mode. Just this mail:
https://lists.samba.org/archive/samba/2014-January/178375.html which indicates
that I must do nothing but only start winbind...

What do I do wrong? For the moment I had to downgrade to 4.7 again to make the
shares work.

cu,
Frank
-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

On 28/11/2019 16:46, Frank Steiner via samba wrote:
>
> Hi,
>
> we've problems getting samba shares to work after upgrading from 4.7 
> to 4.9. We have one samba PDC server providing some shares and the 
> users via local passdb.tdb file. Its smb.conf (names/ips changed):
>
> [global]
> ??????? security = user
> ??????? encrypt passwords = yes
> ??????? passdb backend = tdbsam:/etc/samba/passdb.tdb
> ??????? workgroup = OURWORKGROUP
> ??????? netbios name = SERVER1
> ??????? server string = main server
> ??????? map untrusted to domain = Yes
>
> ??????? local master = yes
> ??????? preferred master = yes
> ??????? domain master = yes
> ??????? os level = 255
> ??????? wins support = yes
>
> ??????? dns proxy = yes
> ??????? name resolve order = host wins bcast
>
> ??????? hosts allow = <our networks>
OK, 'testparm' thinks the above is a standalone server:

testparm testsmb.conf
Load smb config files from testsmb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

Remove 'map untrusted to domain = Yes', it has been removed.

Add 'domain logons = Yes'

This gets it back to being a PDC:

testparm testsmb.conf
Load smb config files from testsmb.conf
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_PDC

Yes, I know there is a different error, but this can be fixed if necessary.

Rowland

Hi Rowland,
> Remove 'map untrusted to domain = Yes', it has been removed.
> 
> Add 'domain logons = Yes'
> 
> This gets it back to being a PDC:
thanks for the hints! I did that, but it doesn't help. I guess the
problem is not on the PDC server but on SERVER2. That's the one
that got upgraded and stopped working (even with the non-pdc config
of SERVER1).

I think the problem is missing connection between smbd and winbindd
on SERVER2, i.e. this error message:
> check_winbind_security: winbindd not running - but required as domain
member: NT_STATUS_NO_LOGON_SERVERS
Obviously I have to change sth. on SERVER2 as "security=domain" should
no longer work without winbindd in samba 4.8 and later. But as just starting
windbindd doesn't make smbd see it, I don't know what to do else.

I sent the SERVER2 smb.conf through testparm (thanks for reminding me of
this tool) and removed "passwd server" option due to

   WARNING: The setting 'security=domain' should NOT be combined with
the 'password server' parameter.
   (by default Samba will discover the correct DC to contact automatically).

but still winbindd is not detected. The process spawned by the systemctl
service is

   25130 /usr/sbin/winbindd --foreground --no-process-group

cu,
Frank

-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *