Discussion:
Bug#863285: [winbind] Install/Updates Fail When Samba Running as samba 4 Domain
Michael Papet
2017-05-24 21:27:39 UTC
Package: winbind
Version: 2:4.5.8+dfsg-2
Severity: normal

--- Please enter the report below this line. ---
If you configure /etc/samba/smb.conf as a Samba 4 domain controller, then winbind updates/installs break.
winbind.postinst unconditionally attempts to restart the winbind service.  Any attempts to start winbind while samba is running in DC mode fail.  My understanding is when running as a domain controller, samba controls winbind as a child process.  Maybe I'm wrong about that.
It seems like line 32 in /var/lib/dpkg/info/winbind.postinst needs some kind of check to see if samba is running as a DC.  An ugly workaround is to comment out line 32.

For complete testing, here's a partial smb.conf that seems to turn on a Samba 4 domain controller.
[global]
        netbios name = DC1
        realm = MYDOMAIN.COM
        workgroup = MYDOMAIN
        dns forwarder = 192.168.1.1
        server role = active directory domain controller

[netlogon]
        path = /var/lib/samba/netlogon
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

--- System information. ---
Architecture:
Kernel:       Linux 4.9.0-3-amd64

Debian Release: 9.0
  500 unstable        ftp.us.debian.org
  500 testing         security.debian.org
  500 testing         ftp.us.debian.org
  500 jessie          apt.puppetlabs.com

--- Package information. ---
Depends                              (Version) | Installed
==============================================-+-=======================
lsb-base                            (>= 3.0-6) | 9.20161125
samba-common                (= 2:4.5.8+dfsg-2) | 2:4.5.8+dfsg-2
samba-common-bin            (= 2:4.5.8+dfsg-2) | 2:4.5.8+dfsg-2
init-system-helpers                 (>= 1.18~) | 1.48
libbsd0                             (>= 0.3.0) | 0.8.3-1
libc6                                (>= 2.14) | 2.24-10
libldap-2.4-2                       (>= 2.4.7) | 2.4.44+dfsg-4+b1
libpopt0                             (>= 1.14) | 1.16-10+b2
libtalloc2              (>= 2.0.4~git20101213) | 2.1.8-1
libtdb1                 (>= 1.2.7+git20101214) | 1.3.11-2
libtevent0                         (>= 0.9.25) | 0.9.31-1
libwbclient0                (= 2:4.5.8+dfsg-2) | 2:4.5.8+dfsg-2
samba-libs                  (= 2:4.5.8+dfsg-2) | 2:4.5.8+dfsg-2

Package's Recommends field is empty.
Suggests            (Version) | Installed
=============================-+-===========
libnss-winbind                | 2:4.5.8+dfsg-2
libpam-winbind                | 
Roberto C. Sánchez
2017-07-28 19:08:49 UTC
Post by Michael Papet
Package: winbind
Version: 2:4.5.8+dfsg-2
Severity: normal
--- Please enter the report below this line. ---
If you configure /etc/samba/smb.conf as a Samba 4 domain controller, then
winbind updates/installs break.  
winbind.postinst unconditionally attempts to restart the winbind service.
 Any attempts to start winbind while samba is running in DC mode fail.
I was shocked to encounter this problem when testing out a jessie ->
stretch upgrade. Thankfully I did not do the upgrade in production. I
took an image of one of the VMs that runs as a Samba AD DC and tried the
upgrade on the VM. The dist-upgrade step failed because of the bad
samba/winbind interaction. Has this issue really not been encountered
by more people?

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez
2017-07-31 14:57:08 UTC
Hi Louis,
Hai Roberto,
Thank you for your insight also.
Can you post your complete (anonymized where needed) smb.conf.
And the running version you have and the version you're upgrading to.
This way we have most of the needed info.
Here is the smb.conf:

# Global parameters
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
netbios name = SAMBA-ADDC1
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
printing = CUPS
printcap name = /dev/null
kerberos method = secrets and keytab
#ldap server require strong auth = allow_sasl_over_tls
ldap server require strong auth = no

map to guest = bad user

tls enabled = yes
tls keyfile = /etc/ssl/samba-addc1.example.com/samba-addc1.example.com.key
tls certfile = /etc/ssl/samba-addc1.example.com/samba-addc1.example.com.pem
tls cafile = /etc/ssl/cacert.pem

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-20000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

log level = 2
syslog = 3

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

The server was initially installed with wheezy, using the Samba 4
backport packages (this was around the end of 2014), then upgraded to
jessie when it became the stable release.

The currently installed version of Samba is: 2:4.2.14+dfsg-0+deb8u7+b1

The version I am trying to install (as part of the dist-upgrade to
stretch) is: 2:4.5.8+dfsg-2+deb9u1+b1

I have read through all of the upstream release notes and changelogs, as
well as the NEWS file in the Debian package to make sure that I don't
have anything in the configuration that will cause problems. After
reviewing, there is nothing in my configuration that makes me think I
need to change it prior to upgrading.
In general.
For samba (standalone/member) systemd uses one or more of: smbd nmbd winbind
For samba (AD DC) systemd uses samba-ad-dc
Yes, and that is how it appears to be with the systems on my network.
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl stop smbd nmbd winbind
systemctl enable samba-ad-dc
systemctl unmask samba-ad-dc
systemctl start samba-ad-dc
Interestingly, I never had to do anything with systemctl when upgrading
from wheezy to jessie. On the jessie system (prior to upgrade) here is
what the systemd setup looks like:

systemctl list-units |egrep 'samba|nmbd|smbd|winbind'
nmbd.service loaded active exited LSB: start Samba NetBIOS nameserver (nmbd)
samba-ad-dc.service loaded active running LSB: start Samba daemons for the AD DC
smbd.service loaded active exited LSB: start Samba SMB/CIFS daemon (smbd)
winbind.service loaded active exited LSB: start Winbind daemon

After the first upgrade attempt failed I reset the VM snapshot and
issued the 'systemctl mask' command you list above (I figured out on my
own that it might be needed) and then the upgrade worked. Now the
systemd setup looks like this (after manually masking smbd, nmbd, and
winbind and after the upgrade):

systemctl list-units |egrep 'samba|nmbd|smbd|winbind'
samba-ad-dc.service loaded active running LSB: start Samba daemons for the AD DC

That seems to work. I tried unmasking the masked units again to restore
the configuration to the same way it was previously, but then that
caused problems with things not starting correctly. I believe that if I
leave the units unmasked the next upgrade (e.g., even a minor security
upgrade) will execute the postinst in such a way as to cause the problem
to recur.
But, this won't help on the upgrade.
/var/lib/dpkg/info/winbind.postinst should detect the "AD DC" server.
The same way /var/lib/dpkg/info/samba.postinst is doing.
I am not sure if it is related, but I think that there is a bug near
line 79 of the samba.postinst:

samba-addc1:~# samba-tool testparm --parameter-name="server role"
active directory domain controller
samba-addc1:~# echo $SERVER_ROLE
active directory domain controller
samba-addc1:~# samba-tool testparm --parameter-name="server services"
s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
samba-addc1:~# echo $SERVER_SERVICES
s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
samba-addc1:~# samba-tool testparm --parameter-name="dcerpc endpoint servers"
epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
samba-addc1:~# echo $DCERPC_ENDPOINT_SERVERS
epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
samba-addc1:~# if [ "$SERVER_ROLE" != "active directory domain controller" ] \
&& ( echo "$SERVER_SERVICES" | grep -qv '\(^\|, \)smb\(,\|$\)' ) \
&& ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)remote\(,\|$\)' ) \
&& ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)mapiproxy\(,\|$\)' ) \
; then
echo "Ohai, I am an AD domain controller"
fi
I believe that looking for "smb" in "server services" is perhaps too
restrictive, though I am not sure. I would expect the configuration of
my server to pass the check and print the text of the echo I substituted.

In any event, I don't think I fully understand what the postinst is
trying to do, since on my system samba-ad-dc.service appears in several
places, but never in /etc/systemd/system and I cannot tell if the fact
the if condition evaluates to false on my system is related to the
upgrade failure or if it is solely the result of a misconfiguration. That
is, perhaps it is my fault for not masking the smbd, nmbd, and winbind
units when I configured for AD DC.

If it helps, here are the locations of samba-ad-dc.service on the system
in question.

Prior to upgrade:

find / -name samba-ad-dc.service -exec ls -Fd {} \;
/run/systemd/generator.late/samba-ad-dc.service
/run/systemd/generator.late/runlevel5.target.wants/samba-ad-dc.service@
/run/systemd/generator.late/runlevel4.target.wants/samba-ad-dc.service@
/run/systemd/generator.late/runlevel3.target.wants/samba-ad-dc.service@
/run/systemd/generator.late/runlevel2.target.wants/samba-ad-dc.service@
/sys/fs/cgroup/systemd/system.slice/samba-ad-dc.service/

After upgrade:

find / -name samba-ad-dc.service -exec ls -Fd {} \;
/etc/systemd/system/multi-user.target.wants/samba-ad-dc.service@
/lib/systemd/system/samba-ad-dc.service
/var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/samba-ad-dc.service
/sys/fs/cgroup/devices/system.slice/samba-ad-dc.service/
/sys/fs/cgroup/pids/system.slice/samba-ad-dc.service/
/sys/fs/cgroup/systemd/system.slice/samba-ad-dc.service/

Let me know if I can provide any additional information or if I can help
with anything else.
--
Roberto C. Sánchez
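An added example of the role-aware check this thread asks winbind.postinst to perform; it is not code from the Debian samba or winbind packages. It takes the "server role" and "server services" strings exactly as `samba-tool testparm --parameter-name=...` prints them (the values below are constructed from the output quoted above) and decides, offline, whether a postinst may restart winbind; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the Debian samba/winbind packages: a
# role-aware check of the kind the thread asks winbind.postinst to do.
# Inputs are the strings that `samba-tool testparm --parameter-name=...`
# prints for "server role" and "server services"; they are passed in as
# arguments so the script runs offline.

# has_service LIST NAME: true when NAME is an element of the
# comma-separated LIST (not merely a substring of another element).
has_service() {
    printf '%s\n' "$1" | grep -qE "(^|, )$2(,|\$)"
}

# role_units ROLE: the systemd units that should run for this role.
role_units() {
    case "$1" in
        "active directory domain controller") echo samba-ad-dc ;;
        *) echo "smbd nmbd winbind" ;;
    esac
}

# winbind_restart_allowed ROLE SERVICES: false on an AD DC whose samba
# process spawns winbindd itself, since an external restart then fails.
winbind_restart_allowed() {
    if [ "$1" = "active directory domain controller" ] \
        && has_service "$2" winbindd; then
        return 1
    fi
    return 0
}

# postinst_plan ROLE SERVICES: print what a role-aware postinst would do.
postinst_plan() {
    if winbind_restart_allowed "$1" "$2"; then
        echo "restart winbind.service"
    else
        echo "skip winbind restart: winbindd is managed by samba-ad-dc"
    fi
    echo "units expected to run: $(role_units "$1")"
}

# Constructed sample values, shaped like the testparm output in the thread.
DC_ROLE="active directory domain controller"
DC_SERVICES="s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate"
MEMBER_ROLE="member server"

postinst_plan "$DC_ROLE" "$DC_SERVICES"
postinst_plan "$MEMBER_ROLE" "$DC_SERVICES"
```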
Roberto C. Sánchez
2017-07-31 11:22:50 UTC
Hai, this is known.
 
Did you check and did you correct your smb.conf before you started
upgrading.
You posted a partial smb.conf, that did not help, can you post your
complete smb.conf (anonymized if needed).
 
I know that I am not the original submitter, but I too have encountered
the problem reported in this bug.
There are 2 known things when upgrade winbind.
1) A faulty smb.conf prevents/fails upgrading.
 
The fix :  correct the smb.conf  and run dpkg --reconfigure -a
 
I have confirmed that my smb.conf is correct and not faulty and the
upgrade still fails.
2) possible problem with nsswitch.conf
if you have winbind before compat, switch them and run dpkg --reconfigure
-a
 
I have compat first in nsswitch.conf on my systems.

In my case, the solution was to mask the winbind and smbd units in
systemd. I also masked nmbd to be safe, though the documentation
indicates that nmbd does not run when Samba is configured as an AD DC.

I will be upgrading all of my systems soon, but I am retaining a
pre-upgrade snapshot of one of the VMs that runs as an AD DC. If I can
help with resolving this, please let me know.

Regards,

-Roberto
--
Roberto C. Sánchez