[Pkg-samba-maint] Bug#909465: Similiar issue when upgrading samba - fixed by mapping BUILTIN\Guests to nobody group

Javier Fernandez-Sanguino jfs at debian.org
Sun Nov 11 08:48:51 GMT 2018

Dear colleagues,

Yesterday I upgraded to samba (from 2:4.8.5+dfsg-1 to 2:4.9.1+dfsg-2)
and had a similar issue, after the upgrade samba would not start,
breaking the 'apt-get dist-upgrade' at the end. To fix it I had to run
'net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody
type=builtin' and restart the smbd service.

Note that:
- The issue was not detected by testparm
- Smbd would not start, nmbd and winbind would restart properly
- My  smb.conf is very  similar to the standard default one provided
in the package already (if you want a copy let me know)

Reviewing the upgrade information here is some relevant output:

$ apt-get dist-upgrade
Preparing to unpackage .../0256-samba-common_2%3a4.9.1+dfsg-2_all.deb ...
Unpackaging samba-common (2:4.9.1+dfsg-2) over  (2:4.8.5+dfsg-1) ...
Configuring samba-common-bin (2:4.9.1+dfsg-2) ...
Checking smb.conf with testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "syslog" option is deprecated
Loaded services file OK.
Configuring samba (2:4.9.1+dfsg-2) ...
Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service
Please ignore the following error about deb-systemd-helper not finding
those services.
(samba-ad-dc.service already masked)
Job for smbd.service failed because the control process exited with error code.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "restart" failed.

This is from /var/log/samba/smbd.log:

2018/11/11 02:36:13.835610,  0]
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/11/11 02:36:13.836169,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.

After looking for similar problems I found RedHat Bug #1648399
which points to the folowing thread in the Samba mailing list:

And apparently boils down to the following change in Samba and the
fact that the BUILTIN\Guests group is not mapped to a proper Unix user

With 4.9.0 we expanded guest handling to differentiate between
anonymous  and guest sessions. This required a proper handling of
BUILTIN\Guests and thus is now forces to be able to have either
writable backend or aliases configured properly.

The action proposed in the bug reported, worked for me, and is the following:

# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
Successfully added group nobody to the mapping db as a wellknown group

Maybe this action should be added into the postinst? (after checking
if the group is not mapped properly?)



More information about the Pkg-samba-maint mailing list