Frank Steiner
2019-Nov-28 19:39 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
Hi Rowland,

> Remove 'map untrusted to domain = Yes', it has been removed.
>
> Add 'domain logons = Yes'
>
> This gets it back to being a PDC:

thanks for the hints! I did that, but it doesn't help. I guess the problem
is not on the PDC server but on SERVER2. That's the one that got upgraded
and stopped working (even with the non-pdc config of SERVER1).

I think the problem is missing connection between smbd and winbindd
on SERVER2, i.e. this error message:

> check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

Obviously I have to change sth. on SERVER2 as "security=domain" should
no longer work without winbindd in samba 4.8 and later. But as just starting
winbindd doesn't make smbd see it, I don't know what to do else.

I sent the SERVER2 smb.conf through testparm (thanks for reminding me of
this tool) and removed "passwd server" option due to

  WARNING: The setting 'security=domain' should NOT be combined with the 'password server' parameter.
  (by default Samba will discover the correct DC to contact automatically).

but still winbindd is not detected. The process spawned by the systemctl
service is

  25130 /usr/sbin/winbindd --foreground --no-process-group

cu,
Frank

--
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
Rowland penny
2019-Nov-28 21:11 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
On 28/11/2019 19:39, Frank Steiner wrote:
> Hi Rowland,
>
> I think the problem is missing connection between smbd and winbindd
> on SERVER2, i.e. this error message:
>
>> check_winbind_security: winbindd not running - but required as domain
>> member: NT_STATUS_NO_LOGON_SERVERS
>
> Obviously I have to change sth. on SERVER2 as "security=domain" should
> no longer work without winbindd in samba 4.8 and later. But as just
> starting winbindd doesn't make smbd see it, I don't know what to do else.
>
> I sent the SERVER2 smb.conf through testparm (thanks for reminding me of
> this tool) and removed "passwd server" option due to
>
>   WARNING: The setting 'security=domain' should NOT be combined with
>   the 'password server' parameter.
>   (by default Samba will discover the correct DC to contact
>   automatically).
>
> but still winbindd is not detected. The process spawned by the systemctl
> service is
>
>   25130 /usr/sbin/winbindd --foreground --no-process-group

The error message is coming from here:

    if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
        struct pdb_trusted_domain **domains = NULL;
        uint32_t num_domains = 0;
        NTSTATUS status;

        if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
            status = NT_STATUS_NO_LOGON_SERVERS;
            DBG_ERR("winbindd not running - "
                "but required as domain member: %s\n",
                nt_errstr(status));
            return status;
        }

So your server doesn't seem to be able to find winbindd, are you sure it
is running?

What does this show:

    ps ax | grep '[w]inbind'

What OS is this?

Rowland
Frank Steiner
2019-Nov-28 22:32 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
Rowland penny via samba wrote:
> So your server doesn't seem to be able to find winbindd, are you sure it
> is running ?
>
> What does this show:
>
> ps ax | grep '[w]inbind'
>
> What OS is this ?

It's SuSE Linux Enterprise 15sp1. winbindd is definitely running, I showed
that in the first mail in the output of "rcwinbind status", there you can
see the processes in the cgroup.

Just checked it again: restarted winbindd, then smbd, then tried the
connection. Afterwards you can see in the systemd journal that winbindd
was running when smbd failed to find it:

  server2 /root# journalctl | grep winbind
  Nov 28 23:25:20 server2 winbindd[30973]: [2019/11/28 23:25:20.041238, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  Nov 28 23:25:20 server2 winbindd[30973]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
  Nov 28 23:25:20 server2 winbindd[30973]: [2019/11/28 23:25:20.050649, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  Nov 28 23:25:20 server2 winbindd[30973]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
  Nov 28 23:25:20 server2 winbindd[30975]: [2019/11/28 23:25:20.118423, 0] ../source3/libsmb/namequery.c:78(saf_store)
  Nov 28 23:25:20 server2 winbindd[30975]: saf_store: refusing to store 0 length domain or servername!
  Nov 28 23:25:36 server2 smbd[31001]: [2019/11/28 23:25:36.075480, 0] ../source3/auth/auth_winbind.c:122(check_winbind_security)
  Nov 28 23:25:36 server2 smbd[31001]: check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

Processes are indeed still there:

  server2 /root# pgrep -f -a winbindd
  30973 /usr/sbin/winbindd --foreground --no-process-group
  30975 /usr/sbin/winbindd --foreground --no-process-group

And winbind service looks healthy:

  server2 /root# rcwinbind status
  * winbind.service - Samba Winbind Daemon
     Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2019-11-28 23:25:20 CET; 2min 49s ago
   Main PID: 30973 (winbindd)
     Status: "winbindd: ready to serve connections..."
      Tasks: 2 (limit: 4915)
     CGroup: /system.slice/winbind.service
             |-30973 /usr/sbin/winbindd --foreground --no-process-group
             `-30975 /usr/sbin/winbindd --foreground --no-process-group

  Nov 28 23:25:19 server2 systemd[1]: Starting Samba Winbind Daemon...
  Nov 28 23:25:20 server2 winbindd[30973]: [2019/11/28 23:25:20.041238, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  Nov 28 23:25:20 server2 winbindd[30973]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
  Nov 28 23:25:20 server2 winbindd[30973]: [2019/11/28 23:25:20.050649, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  Nov 28 23:25:20 server2 winbindd[30973]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
  Nov 28 23:25:20 server2 systemd[1]: Started Samba Winbind Daemon.
  Nov 28 23:25:20 server2 winbindd[30975]: [2019/11/28 23:25:20.118423, 0] ../source3/libsmb/namequery.c:78(saf_store)
  Nov 28 23:25:20 server2 winbindd[30975]: saf_store: refusing to store 0 length domain or servername!

I've no idea why smbd doesn't see it :-(

cu,
Frank

--
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
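Added example, not part of the original thread and not Samba code: a small Python triage of journal output that separates "winbindd was not up" from "winbindd had reported ready, yet smbd still could not reach it", the case shown in the journal above. The two sample lines are copied from that journal; the function name, the verdict labels and the "Stopping/Stopped" systemd wording are assumptions of this example.

```python
import re
from datetime import datetime

# Two journal lines copied from the excerpt in the message above.
SAMPLE = """\
Nov 28 23:25:20 server2 winbindd[30973]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Nov 28 23:25:36 server2 smbd[31001]: check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
"""

# syslog-style prefix as printed by journalctl: "Mon DD HH:MM:SS host prog[pid]: msg"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (\w+)\[(\d+)\]: (.*)$")
READY = "daemon_ready: STATUS=daemon 'winbindd' finished starting up"
DOWN = "check_winbind_security: winbindd not running"
# Assumed systemd wording, built from the unit description in the status output.
STOP = re.compile(r"Stopp(ing|ed) Samba Winbind Daemon")


def classify(journal, year=2019):
    """Return (error_time, verdict, winbindd_ready_time) per smbd error."""
    ready_at = None
    findings = []
    for raw in journal.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip prompts, blank lines, anything without the prefix
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, msg = m.group(3), m.group(5)
        if prog == "winbindd" and msg.startswith(READY):
            ready_at = ts
        elif prog == "systemd" and STOP.search(msg):
            ready_at = None
        elif prog == "smbd" and msg.startswith(DOWN):
            # Ready and never stopped: look at how smbd reaches winbindd,
            # not at whether the daemon is alive.
            verdict = ("winbindd-up-but-unreachable" if ready_at
                       else "winbindd-down")
            findings.append((ts, verdict, ready_at))
    return findings


if __name__ == "__main__":
    for when, verdict, ready in classify(SAMPLE):
        print(when, verdict, "(ready since %s)" % ready)
```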