Michael Tokarev
2022-Nov-24 09:01 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
24.11.2022 11:46, Stefan G. Weichinger via samba wrote:

> Hm, I see it in ps:
>
> # ps axf | egrep "winbindd"
>    5281 pts/0    S+     0:00          \_ grep -E winbindd
>    5153 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
>    5159 ?        Ss     0:00  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>    5186 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]

There's no idmap child in there. There should be 3 of them
(also domain child [builtin]);

..
>> You can also try stopping samba-ad-dc and run winbindd manually:
>>
>>   /usr/sbin/winbindd -D --option="server role check:inhibit=yes" --foreground --debug=10
>
> (it's --debuglevel=10 ... just for someone googling this later)
>
> did that, it terminates with
>
> [2022/11/24 09:44:14.866713,  0, pid=5290, effective(0, 0), real(0, 0)] ../../lib/util/become_daemon.c:119(exit_daemon)
>   exit_daemon: daemon failed to start: Failed to create session, error code 1
>
> above that nothing special, just reading config and binding to eno1 and lo

Nope, that won't work, unfortunately. It dies on me for an ad dc configuration
because OTHER parts of samba are not running. It can't be debugged like this.
My suggestion was completely wrong - including the hammer one.

Does anyone know how to debug this beast?

It doesn't log anything interesting when it fails, and it can't be started
manually without all the other parts of samba either.

Replacing /usr/sbin/winbindd with a wrapper script which runs winbindd under
strace? Is there another way?

..
> I will try that hammer in a moment, after sending this.

Nope. Please excuse me for this wrong suggestion. It won't work.

/mjt
Stefan G. Weichinger
2022-Nov-24 09:05 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 24.11.22 at 10:01, Michael Tokarev wrote:
> 24.11.2022 11:46, Stefan G. Weichinger via samba wrote:
>
>> Hm, I see it in ps:
>>
>> # ps axf | egrep "winbindd"
>>     5281 pts/0    S+     0:00          \_ grep -E winbindd
>>     5153 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
>>     5159 ?        Ss     0:00  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>>     5186 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]
>
> There's no idmap child in there. There should be 3 of them
> (also domain child [builtin]);

ok, I see

>> above that nothing special, just reading config and binding to eno1
>> and lo
>
> Nope, that won't work, unfortunately. It dies on me for an ad dc configuration
> because OTHER parts of samba are not running. It can't be debugged like this.
> My suggestion was completely wrong - including the hammer one.

ah ...

> Does anyone know how to debug this beast?
>
> It doesn't log anything interesting when it fails, and it can't be started
> manually without all the other parts of samba either.
>
> Replacing /usr/sbin/winbindd with a wrapper script which runs winbindd under
> strace? Is there another way?
>
> ..
>> I will try that hammer in a moment, after sending this.
>
> Nope. Please excuse me for this wrong suggestion. It won't work.

No problem, I appreciate your help.

I'd be happy to help spotting the issue .. but maybe I should start over by manually demoting the dc again?

For now the domain seems to work fine with adc2 active ... but I should maybe get adc1 up and synced again in the next hours.

there seem to be more issues on adc1, very likely related to my flaky demoting/rejoining:

# tail log.samba
[2022/11/24 10:02:49.258482, 1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:02:49.345700, 1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:02:49.710229, 1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:02:56.893658, 1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
[2022/11/24 10:02:57.742230, 1] ../../source4/dns_server/dns_query.c:1140(dns_server_process_query_got_auth)
  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Stefan G. Weichinger
2022-Nov-24 09:32 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 24.11.22 at 10:01, Michael Tokarev wrote:
> 24.11.2022 11:46, Stefan G. Weichinger via samba wrote:
>
>> Hm, I see it in ps:
>>
>> # ps axf | egrep "winbindd"
>>     5281 pts/0    S+     0:00          \_ grep -E winbindd
>>     5153 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
>>     5159 ?        Ss     0:00  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>>     5186 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]
>
> There's no idmap child in there. There should be 3 of them
> (also domain child [builtin]);

It gets even stranger: now the processes are there:

# ps axf | egrep "winbindd"
   6516 pts/0    S+     0:00  |       \_ grep -E winbindd
   5960 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
   5967 ?        Ss     0:03  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
   5986 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]
   6311 ?        S      0:00  |               \_ winbindd: domain child [BUILTIN]
   6312 ?        S      0:00  |               \_ winbindd: idmap child

# tail log.samba
[2022/11/24 10:30:01.604138, 2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2022/11/24 10:30:01.604970, 2] ../../source4/dns_server/dns_update.c:781(dns_update_allowed)
  Update not allowed for unsigned packet.
[2022/11/24 10:30:01.629463, 1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:30:01.629577, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2022/11/24 10:30:01.629641, 1] ../../source4/dns_server/dns_query.c:888(handle_tkey)
  GSS key negotiation returned NT_STATUS_LOGON_FAILURE

# log.winbindd-idmap
[2022/11/24 10:17:33.421300, 4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55
[2022/11/24 10:17:33.423146, 4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
  child daemon request 55
[2022/11/24 10:17:33.423173, 4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55
[2022/11/24 10:17:33.424572, 4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
  child daemon request 55
[2022/11/24 10:17:33.424593, 4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55
[2022/11/24 10:17:33.426483, 4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
  child daemon request 55
[2022/11/24 10:17:33.426511, 4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55

# tail log.wb-ARBEITSGRUPPE
[2022/11/24 10:29:55.915181, 3] ../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
  sam_name_to_sid: ARBEITSGRUPPE\POSTFIX
[2022/11/24 10:29:55.915625, 4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55
[2022/11/24 10:29:55.917674, 4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
  child daemon request 55
[2022/11/24 10:29:55.917737, 3] ../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
  sam_name_to_sid: ARBEITSGRUPPE\MONIT
[2022/11/24 10:29:55.918105, 4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55

# tail log.winbindd
[2022/11/24 10:31:40.400440, 3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
  [nss_winbind (3886)] Winbind external command GETPWNAM start.
  Query username '*'.
[2022/11/24 10:31:40.400457, 5] ../../source3/winbindd/wb_lookupname.c:52(wb_lookupname_send)
  WB command lookupname start.
  Search namespace 'ARBEITSGRUPPE' and domain 'ARBEITSGRUPPE' for name '*'.
[2022/11/24 10:31:40.409343, 1] ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2022/11/24 10:31:40.409373, 3] ../../source3/winbindd/winbindd.c:563(process_request_done)
  process_request_done: [nss_winbind(3886):GETPWNAM]: NT_STATUS_NONE_MAPPED

# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

I might have to restart samba-ad-dc.service, but wait for feedback ...
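
The process check discussed in this thread (a domain child for the domain, a domain child for BUILTIN, and an idmap child under winbindd), written as an added shell example that is not part of any message above. The function name and the condensed sample listings are assumptions made for illustration; the domain name is the one shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list the winbindd children that the
# thread says should appear in `ps axf` on the DC but that are absent from
# the listing read on stdin.
missing_winbindd_children() {
    domain=$1
    ps_out=$(cat)
    missing=""
    for want in "winbindd: domain child [$domain]" \
                "winbindd: domain child [BUILTIN]" \
                "winbindd: idmap child"; do
        # -F matches a fixed string, so "[...]" is not read as a regex class.
        if ! printf '%s\n' "$ps_out" | grep -qF -- "$want"; then
            missing="$missing${missing:+, }$want"
        fi
    done
    printf '%s' "$missing"
}

# Sample input condensed from the two listings posted in the thread
# (columns shortened; constructed for this example).
BROKEN_PS='5153 ? S  0:00 \_ samba: task[winbindd] pre-fork master
5159 ? Ss 0:00   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
5186 ? S  0:00     \_ winbindd: domain child [ARBEITSGRUPPE]'
HEALTHY_PS="$BROKEN_PS
6311 ? S  0:00     \_ winbindd: domain child [BUILTIN]
6312 ? S  0:00     \_ winbindd: idmap child"

# On a live DC: ps axf | missing_winbindd_children ARBEITSGRUPPE
for name in BROKEN_PS HEALTHY_PS; do
    eval "listing=\$$name"
    gone=$(printf '%s\n' "$listing" | missing_winbindd_children ARBEITSGRUPPE)
    printf '%s: %s\n' "$name" "${gone:-all expected children present}"
done
```

An empty result only says the three processes exist; as the last message shows, wbinfo -t can still fail with all of them present.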