samba - Jan 2025 - Problems with rpcd helpers not restarting after config changes and updates

Hello lovely samba-people,

in the last year we had some problems with the rpcd helpers: they dont 
restart after a config change or an upgrade. We think 
https://lists.samba.org/archive/samba/2024-July/249470.html is a symptom 
of it. Other errors included that samba-ad-dc did not work properly 
until restarting the whole server. The upgrade to 4.21.3 took down our 
whole ERP software, because the ad-dc somehow broke.

Well we think that running newer samba-ad-dc with the old rpc helpers is 
the culprit here (this may be wrong though).

In Samba 4.16 a new helper was added: samba-dcerpcd. This binary starts 
the rpcd helpers as needed. Normally (rpc start on demand helpers = yes 
(the default)) it is started by smbd, winbind or samba-ad-dc on demand 
and detaches after. So restarting the aforementioned processes does not 
restart dcerpcd or the rpcd helpers. Thanks to Ralph B?hme of SerNet for 
explaining all of this!

The solution is to set "rpc start on demand helpers = no" in your 
smb.conf and add a new systemd service:

[Unit]
Description=Samba DCERPCD Server process

Before=smbd.service winbind.service samba-ad-dc.service
PartOf=smbd.service winbind.service samba-ad-dc.service

[Service]
ExecStart=/usr/libexec/samba/samba-dcerpcd --foreground --libexec-rpcds 
--debuglevel=0

[Install]
WantedBy=multi-user.target


Additionally you need this systemd overrides for smbd, winbind, 
samba-ad-dc and possibily nmbd, put this file into 
/etc/systemd/system/{smbd,winbind,nmbd,samba-ad-dc}.service.d/override.conf

[Unit]
Requires=samba-dcerpcd.service

After that: systemctl daemon-reload && systemctl stop smbd nmbd winbind 
samba-ad-dc && systemctl enable samba-dcerpcd && systemctl start
samba-dcerpcd

And now start your needed services:

fileserver: systemctl start smbd nmbd winbind samba-dcerpcd

dc: fileserver: systemctl start samba-ad-dc samba-dcerpcd

Verify everything is working.

The goal is that samba-dcerpcd restarts when on of the other services 
restarts. So that systemctl restart smbd also restarts samba-dcerpcd !

Im hoping that with this change, our upgrade-problems are gone. And I 
hope I can help some of you out there.

@mjt: Can you somehow bring this change to the debian packages please? 
The change in the smb.conf is tricky though, so idk how you can package 
that. But providing a samba-dcerpcd.service file thats disabled and 
restarting it in postinstall would be great!

-- 
Senior Webentwickler
Datenschutzbeauftragter

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Telefon: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe

Amtsgericht Dresden / HRB 23769
Vorstand: Stephan Ellerhold, Maximilian Ellerhold
Vorsitzender des Aufsichtsrates: Frank Ellerhold



---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten
Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und
um sofortiges l?schen dieser E-Mail und der Anlagen.

Unsere Hinweise zum Datenschutz finden Sie hier:
http://www.ellerhold.de/datenschutz/

This e-mail and its attachments are privileged and confidential. If you are not
the intended recipient, please notify us and immediately delete this e-mail and
its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/

16.01.2025 15:50, Matthias K?hne | Ellerhold Aktiengesellschaft via samba wrote:
..
> @mjt: Can you somehow bring this change to the debian packages please?
> The change in the smb.conf is tricky though, so idk how you can package
> that. But providing a samba-dcerpcd.service file thats disabled and
> restarting it in postinstall would be great!
This is not difficult to do, but this needs to be agreed upon with the upstream.
Exactly because it's tricky wrt smb.conf.

If there's a bug in samba about this, it's better to fix it instead, I
think.

It's interesting I never noticed this before.

/mjt