[Pkg-samba-maint] Bug#909465: Similiar issue when upgrading samba - fixed by mapping BUILTIN\Guests to nobody group
Javier Fernandez-Sanguino
jfs at debian.org
Sun Nov 11 08:48:51 GMT 2018
Dear colleagues,
Yesterday I upgraded to samba (from 2:4.8.5+dfsg-1 to 2:4.9.1+dfsg-2)
and had a similar issue, after the upgrade samba would not start,
breaking the 'apt-get dist-upgrade' at the end. To fix it I had to run
'net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody
type=builtin' and restart the smbd service.
Note that:
- The issue was not detected by testparm
- Smbd would not start, nmbd and winbind would restart properly
- My smb.conf is very similar to the standard default one provided
in the package already (if you want a copy let me know)
Reviewing the upgrade information here is some relevant output:
______________________________________________
$ apt-get dist-upgrade
(....)
Preparing to unpackage .../0256-samba-common_2%3a4.9.1+dfsg-2_all.deb ...
Unpackaging samba-common (2:4.9.1+dfsg-2) over (2:4.8.5+dfsg-1) ...
(...)
Configuring samba-common-bin (2:4.9.1+dfsg-2) ...
Checking smb.conf with testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "syslog" option is deprecated
Loaded services file OK.
Server role: ROLE_STANDALONE
Done
(...)
Configuring samba (2:4.9.1+dfsg-2) ...
Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service
Please ignore the following error about deb-systemd-helper not finding
those services.
(samba-ad-dc.service already masked)
Job for smbd.service failed because the control process exited with error code.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "restart" failed.
(...)
______________________________________________
This is from /var/log/samba/smbd.log:
______________________________________________
2018/11/11 02:36:13.835610, 0]
../source3/auth/auth_util.c:1382(make_new_session_info_guest)
create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/11/11 02:36:13.836169, 0] ../source3/smbd/server.c:2000(main)
ERROR: failed to setup guest info.
_____________________________________________
After looking for similar problems I found RedHat Bug #1648399
(https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1648399)
which points to the folowing thread in the Samba mailing list:
https://lists.samba.org/archive/samba-technical/2018-September/130377.html
And apparently boils down to the following change in Samba and the
fact that the BUILTIN\Guests group is not mapped to a proper Unix user
:
______________________________________________
With 4.9.0 we expanded guest handling to differentiate between
anonymous and guest sessions. This required a proper handling of
BUILTIN\Guests and thus is now forces to be able to have either
writable backend or aliases configured properly.
______________________________________________
The action proposed in the bug reported, worked for me, and is the following:
______________________________________________
# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
Successfully added group nobody to the mapping db as a wellknown group
______________________________________________
Maybe this action should be added into the postinst? (after checking
if the group is not mapped properly?)
Regards
Javier
More information about the Pkg-samba-maint
mailing list