Frank Steiner
2019-Nov-28 19:39 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
Hi Rowland,> Remove 'map untrusted to domain = Yes', it has been removed. > > Add 'domain logons = Yes' > > This gets it back to being a PDC:thanks for the hints! I did that, but it doesn't help. I guess the problem is not on the PDC server but on SERVER2. That's the one that got upgraded and stopped working (even with the non-pdc config of SERVER1). I think the problem is missing connection between smbd and winbindd on SERVER2, i.e. this error message:> check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERSObviously I have to change sth. on SERVER2 as "security=domain" should no longer work without winbindd in samba 4.8 and later. But as just starting windbindd doesn't make smbd see it, I don't know what to do else. I sent the SERVER2 smb.conf through testparm (thanks for reminding me of this tool) and removed "passwd server" option due to WARNING: The setting 'security=domain' should NOT be combined with the 'password server' parameter. (by default Samba will discover the correct DC to contact automatically). but still winbindd is not detected. The process spawned by the systemctl service is 25130 /usr/sbin/winbindd --foreground --no-process-group cu, Frank -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: +49 89 2180-99-4049 * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *
Rowland penny
2019-Nov-28 21:11 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
On 28/11/2019 19:39, Frank Steiner wrote:> Hi Rowland, > > I think the problem is missing connection between smbd and winbindd > on SERVER2, i.e. this error message: > >> check_winbind_security: winbindd not running - but required as domain >> member: NT_STATUS_NO_LOGON_SERVERS > > Obviously I have to change sth. on SERVER2 as "security=domain" should > no longer work without winbindd in samba 4.8 and later. But as just > starting > windbindd doesn't make smbd see it, I don't know what to do else. > > I sent the SERVER2 smb.conf through testparm (thanks for reminding me of > this tool) and removed "passwd server" option due to > > ? WARNING: The setting 'security=domain' should NOT be combined with > the 'password server' parameter. > ? (by default Samba will discover the correct DC to contact > automatically). > > but still winbindd is not detected. The process spawned by the systemctl > service is > > ? 25130 /usr/sbin/winbindd --foreground --no-process-groupThe error message is coming from here: ??? if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) { ??? ??? struct pdb_trusted_domain **domains = NULL; ??? ??? uint32_t num_domains = 0; ??? ??? NTSTATUS status; ??? ??? if (lp_server_role() == ROLE_DOMAIN_MEMBER) { ??? ??? ??? status = NT_STATUS_NO_LOGON_SERVERS; ??? ??? ??? DBG_ERR("winbindd not running - " ??? ??? ??? ??? "but required as domain member: %s\n", ??? ??? ??? ??? nt_errstr(status)); ??? ??? ??? return status; ??? ??? } So your server doesn't seem to be able to find winbindd, are you sure it is running ? What does this show: ps ax | grep '[w]inbind' What OS is this ? Rowland
Frank Steiner
2019-Nov-28 22:32 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
Rowland penny via samba wrote:> So your server doesn't seem to be able to find winbindd, are you sure it > is running ? > > What does this show: > > ps ax | grep '[w]inbind' > > What OS is this ?It's SuSE Linux Enterprise 15sp1. winbindd is definitely running, I showed that in the first mail in the output of "rcwinbind status", there you can see the processes in the cgroup. Just checked it again: restarted winbindd, then smbd, then tried the connection. Afterwards you can see in the systemd journal that winbindd was running when smbd failed to find it: server2 /root# journalctl | grep winbind Nov 28 23:25:20 server2 winbindd[30973]: [2019/11/28 23:25:20.041238, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache) Nov 28 23:25:20 server2 winbindd[30973]: initialize_winbindd_cache: clearing cache and re-creating with version number 2 Nov 28 23:25:20 server2 winbindd[30973]: [2019/11/28 23:25:20.050649, 0] ../lib/util/become_daemon.c:138(daemon_ready) Nov 28 23:25:20 server2 winbindd[30973]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections Nov 28 23:25:20 server2 winbindd[30975]: [2019/11/28 23:25:20.118423, 0] ../source3/libsmb/namequery.c:78(saf_store) Nov 28 23:25:20 server2 winbindd[30975]: saf_store: refusing to store 0 length domain or servername! Nov 28 23:25:36 server2 smbd[31001]: [2019/11/28 23:25:36.075480, 0] ../source3/auth/auth_winbind.c:122(check_winbind_security) Nov 28 23:25:36 server2 smbd[31001]: check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS Processes are indeed still there: server2 /root# pgrep -f -a winbindd 30973 /usr/sbin/winbindd --foreground --no-process-group 30975 /usr/sbin/winbindd --foreground --no-process-group And winbind service looks healthy: server2 /root# rcwinbind status * winbind.service - Samba Winbind Daemon Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2019-11-28 23:25:20 CET; 2min 49s ago Main PID: 30973 (winbindd) Status: "winbindd: ready to serve connections..." Tasks: 2 (limit: 4915) CGroup: /system.slice/winbind.service |-30973 /usr/sbin/winbindd --foreground --no-process-group `-30975 /usr/sbin/winbindd --foreground --no-process-group Nov 28 23:25:19 server2 systemd[1]: Starting Samba Winbind Daemon... Nov 28 23:25:20 server2 winbindd[30973]: [2019/11/28 23:25:20.041238, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache) Nov 28 23:25:20 server2 winbindd[30973]: initialize_winbindd_cache: clearing cache and re-creating with version number 2 Nov 28 23:25:20 server2 winbindd[30973]: [2019/11/28 23:25:20.050649, 0] ../lib/util/become_daemon.c:138(daemon_ready) Nov 28 23:25:20 server2 winbindd[30973]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections Nov 28 23:25:20 server2 systemd[1]: Started Samba Winbind Daemon. Nov 28 23:25:20 server2 winbindd[30975]: [2019/11/28 23:25:20.118423, 0] ../source3/libsmb/namequery.c:78(saf_store) Nov 28 23:25:20 server2 winbindd[30975]: saf_store: refusing to store 0 length domain or servername! I've no idea why smbd doesn't see it :-( cu, Frank -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: +49 89 2180-99-4049 * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. * -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: +49 89 2180-99-4049 * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *
Reasonably Related Threads
- security=domain fails after upgr. to 4.9, winbind doesn't help
- security=domain fails after upgr. to 4.9, winbind doesn't help
- security=domain fails after upgr. to 4.9, winbind doesn't help
- Issue with acl_xattr:ignore system acls in 4.5rc2
- Issue with acl_xattr:ignore system acls in 4.5rc2