samba - Nov 2022 - accidentally upgraded DC to 4.17.3 ... didn't work

Am 24.11.22 um 09:33 schrieb Michael Tokarev:
> 24.11.2022 11:12, Stefan G. Weichinger wrote:
> ..
> 
>> # wbinfo -t
>> could not obtain winbind interface details:
WBC_ERR_WINBIND_NOT_AVAILABLE
> 
> So your wbinfo can't contact you winbindd running on the same host.
> I just checked the strace of wbinfo, knowing nothing about how it
> works internally.? It only makes connections to /run/samba/winbindd/pipe,
> a local unix-domain socket which is created by winbindd.
> 
> So winbindd is not running on this host.
Hm, I see it in ps:

# ps axf | egrep "winbindd"
    5281 pts/0    S+     0:00          \_ grep -E winbindd
    5153 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
    5159 ?        Ss     0:00  |           \_ /usr/sbin/winbindd -D 
--option=server role check:inhibit=yes --foreground
    5186 ?        S      0:00  |               \_ winbindd: domain child 
[ARBEITSGRUPPE]


 ? And this is consistent with what
> you've seen before, when one winbindd process hasn't been starting,
> logging an error of some sort.? Is it the same error message now?
> It's been in your message with Date: Tue, 22 Nov 2022 14:07:23 +0100.
> 
> And at Tue, 22 Nov 2022 13:23:06 +0100:
> [2022/11/22 13:19:27.912603,? 5] 
> ../../source3/winbindd/winbindd_dual_srv.c:72(_wbint_InitConnection)
>  ? _wbint_InitConnection: ARBEITSGRUPPE returning without initialization 
> online = 1
> 
> this seem to be about ARBEITSGRUPPE, not about idmap part, but let's
> see..
increased loglevel to 5 for winbind, yes, that gives me


[2022/11/24 09:38:06.993207,  5] 
../../source3/winbindd/winbindd_dual_srv.c:72(_wbint_InitConnection)
   _wbint_InitConnection: ARBEITSGRUPPE returning without initialization 
online = 1


in log.wb-ARBEITSGRUPPE

> It's better to see *current* situation and *current* error messages
> instead of assuming it's the same as on another machine.
> 
> Is there anything interesting in /var/log/samba/log.winbindd-idmap?
> You had idmap process failing, that's the log of it.
> 
> You can also try stopping samba-ad-dc and run winbindd manually:
> 
>  ?/usr/sbin/winbindd -D --option="server role check:inhibit=yes" 
> --foreground --debug=10
(it's --debuglevel=10 ... just for someone googling this later)

did that, it terminates with

[2022/11/24 09:44:14.866713,  0, pid=5290, effective(0, 0), real(0, 0)] 
../../lib/util/become_daemon.c:119(exit_daemon)
   exit_daemon: daemon failed to start: Failed to create session, error 
code 1

above that nothing special, just reading config and binding to eno1 and lo
> If not, here's a hammer debugging tool:
> 
> systemctl stop samba-ad-dc
> apt install strace?? # if not installed already)
> strace -ff -o /tmp/trc /usr/sbin/winbindd -D --option="server role 
> check:inhibit=yes" --foreground
> (and hit Ctrl+C to stop it).
> 
> and maybe take a look at /tmp/trc.* or make them available for download
> somewhere?
> 
> it will show what exactly your winbindd is doing, how it is failing.
> It *MIGHT* show sensitive data, but should actually not, provided
> there's no other activity on this host (samba is not running) which
> is asking for sensitive winbindd data.? The important info should
> be at the
I will try that hammer in a moment, after sending this.
> This is one thing to fix first: why winbindd refuses to start.
> 
> idmap child does not open any inet conenctions, it does not use DNS,
> it just manages idmap caches and queries. It is one of the simpler
> daemons, to mean, it should not depend on any network-related stuff.
> 
> The other thing - errors on another DC - is next.
> 
> Thanks,
> 
> /mjt

24.11.2022 11:46, Stefan G. Weichinger via samba wrote:
> Hm, I see it in ps:
> 
> # ps axf | egrep "winbindd"
>  ?? 5281 pts/0??? S+???? 0:00????????? \_ grep -E winbindd
>  ?? 5153 ???????? S????? 0:00? |?? \_ samba: task[winbindd] pre-fork master
>  ?? 5159 ???????? Ss???? 0:00? |?????????? \_ /usr/sbin/winbindd -D
--option=server role check:inhibit=yes --foreground
>  ?? 5186 ???????? S????? 0:00? |?????????????? \_ winbindd: domain child
[ARBEITSGRUPPE]
There's no idmap child in there. There should be 3 of them
(also domain child {builtin]);

..
>> You can also try stopping samba-ad-dc and run winbindd manually:
>>
>> ??/usr/sbin/winbindd -D --option="server role
check:inhibit=yes" --foreground --debug=10
> 
> (it's --debuglevel=10 ... just for someone googling this later)
> 
> did that, it terminates with
> 
> [2022/11/24 09:44:14.866713,? 0, pid=5290, effective(0, 0), real(0, 0)]
../../lib/util/become_daemon.c:119(exit_daemon)
>  ? exit_daemon: daemon failed to start: Failed to create session, error
code 1
> 
> above that nothing special, just reading config and binding to eno1 and lo
Nope, That wont work, unfortunately.  It dies on me for an ad dc configuration
because OTHER parts of samba is not running. It can't be debugged like this.
My suggestion was completely wrong - including the hammer one.

Does anyone know how to debug this beast?

It doesn't log anything interesting when it fails, and it can't be
started
manually without all the other parts of samba either.

Replacing /usr/sbin/winbindd with a wrapper script which runs winbindd under
strace? Is there other way?

..
> I will try that hammer in a moment, after sending this.
Nope. Please excuse me for this wrong suggestion. It wont work.

/mjt