samba - Nov 2022 - accidentally upgraded DC to 4.17.3 ... didn't work

24.11.2022 11:12, Stefan G. Weichinger wrote:
..
> # wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
So your wbinfo can't contact you winbindd running on the same host.
I just checked the strace of wbinfo, knowing nothing about how it
works internally.  It only makes connections to /run/samba/winbindd/pipe,
a local unix-domain socket which is created by winbindd.

So winbindd is not running on this host.  And this is consistent with what
you've seen before, when one winbindd process hasn't been starting,
logging an error of some sort.  Is it the same error message now?
It's been in your message with Date: Tue, 22 Nov 2022 14:07:23 +0100.

And at Tue, 22 Nov 2022 13:23:06 +0100:
[2022/11/22 13:19:27.912603,  5]
../../source3/winbindd/winbindd_dual_srv.c:72(_wbint_InitConnection)
   _wbint_InitConnection: ARBEITSGRUPPE returning without initialization online
= 1

this seem to be about ARBEITSGRUPPE, not about idmap part, but let's
see..

It's better to see *current* situation and *current* error messages
instead of assuming it's the same as on another machine.

Is there anything interesting in /var/log/samba/log.winbindd-idmap?
You had idmap process failing, that's the log of it.

You can also try stopping samba-ad-dc and run winbindd manually:

  /usr/sbin/winbindd -D --option="server role check:inhibit=yes"
--foreground --debug=10

and take a look at the log files. There should be some errors in there
hopefully.

If not, here's a hammer debugging tool:

systemctl stop samba-ad-dc
apt install strace   # if not installed already)
strace -ff -o /tmp/trc /usr/sbin/winbindd -D --option="server role
check:inhibit=yes" --foreground
(and hit Ctrl+C to stop it).

and maybe take a look at /tmp/trc.* or make them available for download
somewhere?

it will show what exactly your winbindd is doing, how it is failing.
It *MIGHT* show sensitive data, but should actually not, provided
there's no other activity on this host (samba is not running) which
is asking for sensitive winbindd data.  The important info should
be at the

This is one thing to fix first: why winbindd refuses to start.

idmap child does not open any inet conenctions, it does not use DNS,
it just manages idmap caches and queries. It is one of the simpler
daemons, to mean, it should not depend on any network-related stuff.

The other thing - errors on another DC - is next.

Thanks,

/mjt

Am 24.11.22 um 09:33 schrieb Michael Tokarev:
> 24.11.2022 11:12, Stefan G. Weichinger wrote:
> ..
> 
>> # wbinfo -t
>> could not obtain winbind interface details:
WBC_ERR_WINBIND_NOT_AVAILABLE
> 
> So your wbinfo can't contact you winbindd running on the same host.
> I just checked the strace of wbinfo, knowing nothing about how it
> works internally.? It only makes connections to /run/samba/winbindd/pipe,
> a local unix-domain socket which is created by winbindd.
> 
> So winbindd is not running on this host.
Hm, I see it in ps:

# ps axf | egrep "winbindd"
    5281 pts/0    S+     0:00          \_ grep -E winbindd
    5153 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
    5159 ?        Ss     0:00  |           \_ /usr/sbin/winbindd -D 
--option=server role check:inhibit=yes --foreground
    5186 ?        S      0:00  |               \_ winbindd: domain child 
[ARBEITSGRUPPE]


 ? And this is consistent with what
> you've seen before, when one winbindd process hasn't been starting,
> logging an error of some sort.? Is it the same error message now?
> It's been in your message with Date: Tue, 22 Nov 2022 14:07:23 +0100.
> 
> And at Tue, 22 Nov 2022 13:23:06 +0100:
> [2022/11/22 13:19:27.912603,? 5] 
> ../../source3/winbindd/winbindd_dual_srv.c:72(_wbint_InitConnection)
>  ? _wbint_InitConnection: ARBEITSGRUPPE returning without initialization 
> online = 1
> 
> this seem to be about ARBEITSGRUPPE, not about idmap part, but let's
> see..
increased loglevel to 5 for winbind, yes, that gives me


[2022/11/24 09:38:06.993207,  5] 
../../source3/winbindd/winbindd_dual_srv.c:72(_wbint_InitConnection)
   _wbint_InitConnection: ARBEITSGRUPPE returning without initialization 
online = 1


in log.wb-ARBEITSGRUPPE

> It's better to see *current* situation and *current* error messages
> instead of assuming it's the same as on another machine.
> 
> Is there anything interesting in /var/log/samba/log.winbindd-idmap?
> You had idmap process failing, that's the log of it.
> 
> You can also try stopping samba-ad-dc and run winbindd manually:
> 
>  ?/usr/sbin/winbindd -D --option="server role check:inhibit=yes" 
> --foreground --debug=10
(it's --debuglevel=10 ... just for someone googling this later)

did that, it terminates with

[2022/11/24 09:44:14.866713,  0, pid=5290, effective(0, 0), real(0, 0)] 
../../lib/util/become_daemon.c:119(exit_daemon)
   exit_daemon: daemon failed to start: Failed to create session, error 
code 1

above that nothing special, just reading config and binding to eno1 and lo
> If not, here's a hammer debugging tool:
> 
> systemctl stop samba-ad-dc
> apt install strace?? # if not installed already)
> strace -ff -o /tmp/trc /usr/sbin/winbindd -D --option="server role 
> check:inhibit=yes" --foreground
> (and hit Ctrl+C to stop it).
> 
> and maybe take a look at /tmp/trc.* or make them available for download
> somewhere?
> 
> it will show what exactly your winbindd is doing, how it is failing.
> It *MIGHT* show sensitive data, but should actually not, provided
> there's no other activity on this host (samba is not running) which
> is asking for sensitive winbindd data.? The important info should
> be at the
I will try that hammer in a moment, after sending this.
> This is one thing to fix first: why winbindd refuses to start.
> 
> idmap child does not open any inet conenctions, it does not use DNS,
> it just manages idmap caches and queries. It is one of the simpler
> daemons, to mean, it should not depend on any network-related stuff.
> 
> The other thing - errors on another DC - is next.
> 
> Thanks,
> 
> /mjt

Am 24.11.22 um 09:33 schrieb Michael Tokarev:
> Is there anything interesting in /var/log/samba/log.winbindd-idmap?
> You had idmap process failing, that's the log of it.
That file doesn't get touched since ~2 hours.

increased loglevel for winbind to 10 in smb.conf and restarted.

No updates in that file.


# tail log.wb-ARBEITSGRUPPE
[2022/11/24 09:57:54.353522,  3] 
../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
   sam_name_to_sid: ARBEITSGRUPPE\POSTFIX
[2022/11/24 09:57:54.353939,  4] 
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
   Finished processing child request 55
[2022/11/24 09:57:54.355482,  4] 
../../source3/winbindd/winbindd_dual.c:1633(child_handler)
   child daemon request 55
[2022/11/24 09:57:54.355522,  3] 
../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
   sam_name_to_sid: ARBEITSGRUPPE\MONIT
[2022/11/24 09:57:54.355786,  4] 
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
   Finished processing child request 55


root at adc1:/var/log/samba# tail log.winbindd
[2022/11/24 09:58:25.723962,  3] 
../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
   [nss_winbind (3886)] Winbind external command GETPWNAM start.
   Query username '*'.
[2022/11/24 09:58:25.723980,  5] 
../../source3/winbindd/wb_lookupname.c:52(wb_lookupname_send)
   WB command lookupname start.
   Search namespace 'ARBEITSGRUPPE' and domain 'ARBEITSGRUPPE'
for name '*'.
[2022/11/24 09:58:25.733847,  1] 
../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2022/11/24 09:58:25.733881,  3] 
../../source3/winbindd/winbindd.c:563(process_request_done)
   process_request_done: [nss_winbind(3886):GETPWNAM]: NT_STATUS_NONE_MAPPED


-

the strace: I am working on it.

thank you