[Pkg-samba-maint] Bug#863285: [winbind] Install/Updates Fail When Samba Running as samba 4 Domain
Roberto C. Sánchez
roberto at connexer.com
Mon Jul 31 14:57:08 UTC 2017
Hi Louis,
On Mon, Jul 31, 2017 at 02:02:52PM +0200, L.P.H. van Belle wrote:
> Hi Roberto,
>
> Thank you for your insight also.
> Can you post your complete (anonymized where needed) smb.conf.
> And the running version you have and the version you're upgrading to.
> This way we have most of the needed info.
>
Here is the smb.conf:
# Global parameters
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
netbios name = SAMBA-ADDC1
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
printing = CUPS
printcap name = /dev/null
kerberos method = secrets and keytab
#ldap server require strong auth = allow_sasl_over_tls
ldap server require strong auth = no
map to guest = bad user
tls enabled = yes
tls keyfile = /etc/ssl/samba-addc1.example.com/samba-addc1.example.com.key
tls certfile = /etc/ssl/samba-addc1.example.com/samba-addc1.example.com.pem
tls cafile = /etc/ssl/cacert.pem
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-20000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
log level = 2
syslog = 3
[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
The server was initially installed with wheezy, using the Samba 4
backport packages (this was around the end of 2014), then upgraded to
jessie when it became the stable release.
The currently installed version of Samba is: 2:4.2.14+dfsg-0+deb8u7+b1
The version I am trying to install (as part of the dist-upgrade to
stretch) is: 2:4.5.8+dfsg-2+deb9u1+b1
I have read through all of the upstream release notes and changelogs, as
well as the NEWS file in the Debian package to make sure that I don't
have anything in the configuration that will cause problems. After
reviewing, there is nothing in my configuration that makes me think I
need to change it prior to upgrading.
> In general.
> For samba ( standalone/members ) systemd uses one or more of: smbd nmbd winbind
> For samba ( AD DC ) systemd uses samba-ad-dc
>
Yes, and that is how it appears to be with the systems on my network.
> The change to samba AD DC with systemd is:
>
> systemctl disable smbd nmbd winbind
> systemctl mask smbd nmbd winbind
> systemctl stop smbd nmbd winbind
>
> systemctl enable samba-ad-dc
> systemctl unmask samba-ad-dc
> systemctl start samba-ad-dc
>
Interestingly, I never had to do anything with systemctl when upgrading
from wheezy to jessie. On the jessie system (prior to upgrade) here is
what the systemd setup looks like:
systemctl list-units |egrep 'samba|nmbd|smbd|winbind'
nmbd.service loaded active exited LSB: start Samba NetBIOS nameserver (nmbd)
samba-ad-dc.service loaded active running LSB: start Samba daemons for the AD DC
smbd.service loaded active exited LSB: start Samba SMB/CIFS daemon (smbd)
winbind.service loaded active exited LSB: start Winbind daemon
After the first upgrade attempt failed I reset the VM snapshot and
issued the 'systemctl mask' command you list above (I figured out on my
own that it might be needed) and then the upgrade worked. Now the
systemd setup looks like this (after manually masking smbd, nmbd, and
winbind and after the upgrade):
systemctl list-units |egrep 'samba|nmbd|smbd|winbind'
samba-ad-dc.service loaded active running LSB: start Samba daemons for the AD DC
That seems to work. I tried unmasking the masked units again to restore
the configuration to the same way it was previously, but then that
caused problems with things not starting correctly. I believe that if I
leave the units unmasked the next upgrade (e.g., even a minor security
upgrade) will execute the postinst in such a way as to cause the problem
to recur.
>
> But, this won't help on the upgrade.
> /var/lib/dpkg/info/winbind.postinst should detect the "AD DC" server.
> The same way /var/lib/dpkg/info/samba.postinst is doing.
>
>
I am not sure if it is related, but I think that there is a bug near
line 79 of the samba.postinst:
samba-addc1:~# samba-tool testparm --parameter-name="server role"
active directory domain controller
samba-addc1:~# echo $SERVER_ROLE
active directory domain controller
samba-addc1:~# samba-tool testparm --parameter-name="server services"
s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
samba-addc1:~# echo $SERVER_SERVICES
s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
samba-addc1:~# samba-tool testparm --parameter-name="dcerpc endpoint servers"
epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
samba-addc1:~# echo $DCERPC_ENDPOINT_SERVERS
epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
samba-addc1:~# if [ "$SERVER_ROLE" != "active directory domain controller" ] \
> && ( echo "$SERVER_SERVICES" | grep -qv '\(^\|, \)smb\(,\|$\)' ) \
> && ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)remote\(,\|$\)' ) \
> && ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)mapiproxy\(,\|$\)' ) \
> ; then
> echo "Ohai, I am an AD domain controller"
> fi
I believe that looking for "smb" in "server services" is perhaps too
restrictive, though I am not sure. I would expect the configuration of
my server to pass the check and print the text of the echo I substituted.
In any event, I don't think I fully understand what the postinst is
trying to do, since on my system samba-ad-dc.service appears in several
places, but never in /etc/systemd/system and I cannot tell if the fact
that the if condition evaluates to false on my system is related to the
upgrade failure or if it is solely the result of a misconfiguration. That
is, perhaps it is my fault for not masking the smbd, nmbd, and winbind
units when I configured for AD DC.
If it helps, here are the locations of samba-ad-dc.service on the system
in question.
Prior to upgrade:
find / -name samba-ad-dc.service -exec ls -Fd {} \;
/run/systemd/generator.late/samba-ad-dc.service
/run/systemd/generator.late/runlevel5.target.wants/samba-ad-dc.service@
/run/systemd/generator.late/runlevel4.target.wants/samba-ad-dc.service@
/run/systemd/generator.late/runlevel3.target.wants/samba-ad-dc.service@
/run/systemd/generator.late/runlevel2.target.wants/samba-ad-dc.service@
/sys/fs/cgroup/systemd/system.slice/samba-ad-dc.service/
After upgrade:
find / -name samba-ad-dc.service -exec ls -Fd {} \;
/etc/systemd/system/multi-user.target.wants/samba-ad-dc.service@
/lib/systemd/system/samba-ad-dc.service
/var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/samba-ad-dc.service
/sys/fs/cgroup/devices/system.slice/samba-ad-dc.service/
/sys/fs/cgroup/pids/system.slice/samba-ad-dc.service/
/sys/fs/cgroup/systemd/system.slice/samba-ad-dc.service/
Let me know if I can provide any additional information or if I can help
with anything else.
--
Roberto C. Sánchez
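Two things in this exchange are worth seeing as runnable code: the postinst role test that Roberto reproduces at his shell (the condition quoted from samba.postinst, with its three samba-tool lookups), and the unit-masking sequence Louis gives for an AD DC. The script below is an added example, not code from the bug report or from the Debian samba packaging. It turns the quoted condition into a function that takes the three testparm values as arguments, so it can be run offline against the values posted in the thread and against a few constructed ones; it also reads the `systemctl list-units` lines shown in the report to find the smbd/nmbd/winbind units that are loaded alongside samba-ad-dc.service, and prints the disable/mask/stop plan instead of running it. The `role_of_live` wrapper and the `--live` path are assumptions about how this would be wired to samba-tool and systemctl on a real host; everything else runs without either installed.

```shell
#!/bin/sh
# Added example, not code from the Debian samba packages or from the report.
# Part 1 reproduces the role test quoted from samba.postinst with the three
# samba-tool lookups turned into arguments, so it runs offline against known
# values.  Part 2 reads `systemctl list-units` output (the lines shown in the
# report) and lists the smbd/nmbd/winbind units that are loaded next to
# samba-ad-dc.service, then prints the disable/mask/stop sequence from the
# thread without executing it.  role_of_live and the --live branch are
# assumptions about the wiring to samba-tool and systemctl.

# not_ad_dc ROLE SERVICES ENDPOINTS
# The condition as quoted from samba.postinst: succeeds when the role string
# is not the AD DC one AND none of the legacy indicators ("smb" in server
# services, "remote" or "mapiproxy" in dcerpc endpoint servers) appears as a
# whole comma-separated item.  grep -qv here means "the single input line
# does not match"; the pattern anchors the item at start-of-line or ", " and
# at "," or end-of-line, so "smbd" or "winbindd" never count as "smb".
not_ad_dc() {
    [ "$1" != "active directory domain controller" ] \
    && ( printf '%s\n' "$2" | grep -qv '\(^\|, \)smb\(,\|$\)' ) \
    && ( printf '%s\n' "$3" | grep -qv '\(^\|, \)remote\(,\|$\)' ) \
    && ( printf '%s\n' "$3" | grep -qv '\(^\|, \)mapiproxy\(,\|$\)' )
}

# role_of ROLE SERVICES ENDPOINTS: print "ad-dc" when the quoted condition is
# false (its De Morgan complement: AD DC role OR any legacy indicator), else
# "standalone-or-member".
role_of() {
    if not_ad_dc "$1" "$2" "$3"; then
        echo standalone-or-member
    else
        echo ad-dc
    fi
}

# role_of_live: the same test against the running server (assumed wiring;
# needs samba-tool, so it is not exercised offline).
role_of_live() {
    role_of "$(samba-tool testparm --parameter-name='server role')" \
            "$(samba-tool testparm --parameter-name='server services')" \
            "$(samba-tool testparm --parameter-name='dcerpc endpoint servers')"
}

# conflicting_units: read `systemctl list-units` lines on stdin and print,
# space-separated, the smbd/nmbd/winbind units that are loaded while
# samba-ad-dc.service is also loaded; print nothing if there is no overlap.
conflicting_units() {
    awk '
        $2 == "loaded" && $1 ~ /^(smbd|nmbd|winbind)\.service$/ {
            found = found (found ? " " : "") $1
        }
        $2 == "loaded" && $1 == "samba-ad-dc.service" { addc = 1 }
        END { if (addc && found) print found }
    '
}

# plan_mask UNIT...: print the systemctl sequence from the thread for the
# given units, unmasking samba-ad-dc before enabling it (enable refuses a
# masked unit).  Nothing is executed, so the plan can be reviewed first.
plan_mask() {
    [ $# -gt 0 ] || return 0
    for verb in disable mask stop; do
        echo "systemctl $verb $*"
    done
    printf 'systemctl %s samba-ad-dc\n' unmask enable start
}

# Values from the report (the jessie AD DC before and after the upgrade).
ROLE='active directory domain controller'
SERVICES='s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate'
ENDPOINTS='epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver'
UNITS_BEFORE='nmbd.service loaded active exited LSB: start Samba NetBIOS nameserver (nmbd)
samba-ad-dc.service loaded active running LSB: start Samba daemons for the AD DC
smbd.service loaded active exited LSB: start Samba SMB/CIFS daemon (smbd)
winbind.service loaded active exited LSB: start Winbind daemon'
UNITS_AFTER='samba-ad-dc.service loaded active running LSB: start Samba daemons for the AD DC'

if [ "${1:-}" = "--live" ]; then
    echo "role: $(role_of_live)"
    plan_mask $(systemctl list-units --no-legend | conflicting_units)
else
    echo "role: $(role_of "$ROLE" "$SERVICES" "$ENDPOINTS")"
    echo "before upgrade: $(printf '%s\n' "$UNITS_BEFORE" | conflicting_units)"
    echo "after upgrade:  $(printf '%s\n' "$UNITS_AFTER" | conflicting_units)"
    plan_mask $(printf '%s\n' "$UNITS_BEFORE" | conflicting_units)
fi
```

Run without arguments it classifies the posted configuration as an AD DC purely on the role string (the posted "server services" has s3fs, not smb, so the legacy indicator never fires), reports nmbd, smbd and winbind as the units loaded beside samba-ad-dc before the upgrade, none after it, and prints the masking plan for the three. One caveat on the quoted check itself: `grep -qv` only means "does not contain" while the input is a single line; if a value ever spans several lines, `grep -v` succeeds as soon as any one line fails to match, which is why the functions here feed it exactly one line via `printf '%s\n'`.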