[Pkg-samba-maint] Bug#909465: Similar issue when upgrading samba - fixed by mapping BUILTIN\Guests to nobody group

Javier Fernandez-Sanguino jfs at debian.org
Sun Nov 11 08:48:51 GMT 2018


Dear colleagues,

Yesterday I upgraded to samba (from 2:4.8.5+dfsg-1 to 2:4.9.1+dfsg-2)
and had a similar issue: after the upgrade samba would not start,
breaking the 'apt-get dist-upgrade' at the end. To fix it I had to run
'net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody
type=builtin' and restart the smbd service.

Note that:
- The issue was not detected by testparm
- Smbd would not start, nmbd and winbind would restart properly
- My smb.conf is very similar to the standard default one provided
in the package already (if you want a copy let me know)

Reviewing the upgrade information, here is some relevant output:

______________________________________________
$ apt-get dist-upgrade
(....)
Preparing to unpackage .../0256-samba-common_2%3a4.9.1+dfsg-2_all.deb ...
Unpackaging samba-common (2:4.9.1+dfsg-2) over  (2:4.8.5+dfsg-1) ...
(...)
Configuring samba-common-bin (2:4.9.1+dfsg-2) ...
Checking smb.conf with testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "syslog" option is deprecated
Loaded services file OK.
Server role: ROLE_STANDALONE
Done
(...)
Configuring samba (2:4.9.1+dfsg-2) ...
Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service
Please ignore the following error about deb-systemd-helper not finding
those services.
(samba-ad-dc.service already masked)
Job for smbd.service failed because the control process exited with error code.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "restart" failed.
(...)
______________________________________________

This is from /var/log/samba/smbd.log:

______________________________________________
[2018/11/11 02:36:13.835610,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/11/11 02:36:13.836169,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
_____________________________________________

After looking for similar problems I found RedHat Bug #1648399
(https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1648399)
which points to the following thread in the Samba mailing list:
https://lists.samba.org/archive/samba-technical/2018-September/130377.html

And it apparently boils down to the following change in Samba and the
fact that the BUILTIN\Guests group is not mapped to a proper Unix user:

______________________________________________
With 4.9.0 we expanded guest handling to differentiate between
anonymous  and guest sessions. This required a proper handling of
BUILTIN\Guests and thus is now forces to be able to have either
writable backend or aliases configured properly.
______________________________________________

The action proposed in the bug report worked for me, and is the following:

______________________________________________
# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
Successfully added group nobody to the mapping db as a wellknown group
______________________________________________

Maybe this action should be added into the postinst? (after checking
if the group is not mapped properly?)

Regards

Javier
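
The check-before-mapping step suggested above for the postinst, as an added example (not part of the original message or of the Debian samba packaging). It assumes the short `net groupmap list` output format `NTname (SID) -> unixgroup`; the function names and the `NET_CMD` override are hypothetical.

```shell
#!/bin/sh
# Added example: triage and idempotent fix for the smbd startup failure
# described in the message. Not taken from the Debian maintainer scripts.

GUESTS_SID="S-1-5-32-546"   # BUILTIN\Guests, the SID used in the message

# Read `net groupmap list` output on stdin and print the Unix group that
# BUILTIN\Guests is mapped to (empty output when there is no mapping).
# Assumption: entries look like "Guests (S-1-5-32-546) -> nobody".
guests_unixgroup() {
    sed -n "s/^.*(${GUESTS_SID}) -> \(.*\)\$/\1/p" | head -n 1
}

# Read smbd.log on stdin; succeed only when both log messages quoted in
# the message appear in order (token creation denied, then guest setup error).
log_shows_guest_failure() {
    awk '/create_local_token failed: NT_STATUS_ACCESS_DENIED/ { tok = 1 }
         /ERROR: failed to setup guest info/ && tok { hit = 1 }
         END { exit (hit ? 0 : 1) }'
}

# Add the mapping only when it is missing, so the step is safe to re-run
# on every upgrade. NET_CMD is a hypothetical override used for testing;
# the default is the invocation shown in the message.
ensure_guests_mapping() {
    net_cmd=${NET_CMD:-net -s /dev/null}
    current=$($net_cmd groupmap list 2>/dev/null | guests_unixgroup)
    if [ -n "$current" ]; then
        printf 'BUILTIN\\Guests already mapped to %s\n' "$current"
        return 0
    fi
    $net_cmd groupmap add sid="$GUESTS_SID" unixgroup=nobody type=builtin
}
```

Calling `ensure_guests_mapping` before the smbd restart, and `log_shows_guest_failure < /var/log/samba/smbd.log` after a failed start, covers both the fix and the diagnosis.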