Problem: Samba does not start after the update to UCS 4.4 on a school slave

Environment:

UCS@school with a Master without samba4 installed. The environment was installed with a version before UCS 4.0.

Problem:

Samba does not start after the update to UCS 4.4 on a school slave.
samba-tool processes shows only two processes.
/etc/init.d/samba restart does not show an error message, but a verification with ps aufx | grep samba only shows the named.conf.samba4 process.
You will find the following error message in
/var/log/samba/log.smbd:

  Primary group is 0 and contains 0 supplementary groups
[2019/04/25 13:09:07.824112,  5, pid=19956] ../../lib/audit_logging/audit_logging.c:95(audit_log_human_text)
  DSDB Change [Modify] at [Do, 25 Apr 2019 13:09:07.824096 CEST] status [Entry already exists] remote host [Unknown] SID [(NULL SID)] DN [CN=Guests,CN=Builtin,DC=school,DC=schein] attributes [add: member [<GUID=372b4740-43a2-4f3d-9146-2032731b954d>;<SID=S-1-5-21-2317070996-3328192532-2750910248-501>;CN=Guest,CN=Users,DC=school,DC=schein]]
  {"timestamp": "2019-04-25T13:09:07.824157+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 68, "status": "Entry already exists", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Guests,CN=Builtin,DC=school,DC=schein", "transactionId": "d3b8db3d-fdef-404a-93a8-2344aeb7de29", "sessionId": "e352df55-38a6-4e06-bb33-897ea4627920", "attributes": {"member": {"actions": [{"action": "add", "values": [{"value": "<GUID=372b4740-43a2-4f3d-9146-2032731b954d>;<SID=S-1-5-21-2317070996-3328192532-2750910248-501>;CN=Guest,CN=Users,DC=school,DC=schein"}]}]}}}}
[2019/04/25 13:09:07.824203,  5, pid=19956] ../../lib/audit_logging/audit_logging.c:95(audit_log_human_text)
  DSDB Transaction [rollback] at [Do, 25 Apr 2019 13:09:07.824195 CEST] duration [1370]
  {"timestamp": "2019-04-25T13:09:07.824223+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "d3b8db3d-fdef-404a-93a8-2344aeb7de29", "duration": 1370}}
[2019/04/25 13:09:07.824334,  4, pid=19956] ../../source3/passdb/pdb_util.c:63(add_sid_to_builtin)
  add_sid_to_builtin S-1-5-21-2317070996-3328192532-2750910248-501 could not be added to S-1-5-32-546: LDAP_ENTRY_ALREADY_EXISTS
[2019/04/25 13:09:07.824381,  4, pid=19956] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/04/25 13:09:07.824399,  2, pid=19956] ../../source3/auth/token_util.c:790(finalize_local_nt_token)
  Failed to create BUILTIN\Guests group LDAP_ENTRY_ALREADY_EXISTS!  Can Winbind allocate gids?
[2019/04/25 13:09:07.824415,  3, pid=19956] ../../source3/auth/token_util.c:410(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2019/04/25 13:09:07.824430,  0, pid=19956] ../../source3/auth/auth_util.c:1386(make_new_session_info_guest)
  create_local_token failed: LDAP_ENTRY_ALREADY_EXISTS
[2019/04/25 13:09:07.824449,  0, pid=19956] ../../source3/smbd/server.c:2041(main)
  ERROR: failed to setup guest info. 

Investigation:

Step 1.

Check if cn=Guests is located underneath cn=Builtin:
dn: CN=Guests,CN=Builtin,DC=school,DC=schein

Step 2.

Check if the group Domain Guests and the user Guest are members of the Guests group.

Step 3.

Check groupType and sAMAccountType of the Guests group.
They have to be:

groupType: -2147483643
sAMAccountType: 536870912
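The three checks above can be run against LDIF output instead of by eye. The following script is an added example and not part of the original article: it reads one LDIF entry on stdin (for example from ldbsearch on the slave or ldapsearch on the master), unfolds continuation lines, and verifies the location, the two members, and the two type attributes. The two samples embedded below are constructed for the demonstration; the domain components are the article's own example domain.

```shell
#!/bin/sh
# Added example (not from the original article): verify the Guests group
# conditions from a piece of LDIF, e.g. the output of
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=Guests)'
# The checker only parses text given on stdin, so it can be tried offline.

# Unfold LDIF continuation lines (a leading space continues the previous line).
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# check_guests_ldif: read one LDIF entry on stdin, report each check and
# return 0 only when all three investigation steps pass.
check_guests_ldif() {
    ldif=$(unfold_ldif)
    rc=0

    # Step 1: the group must live underneath CN=Builtin.
    if printf '%s\n' "$ldif" | grep -iq '^dn: *CN=Guests,CN=Builtin,'; then
        echo "ok:   Guests is located underneath CN=Builtin"
    else
        echo "FAIL: Guests is not underneath CN=Builtin"; rc=1
    fi

    # Step 2: the user Guest and the group Domain Guests must be members.
    for m in 'CN=Guest,CN=Users,' 'CN=Domain Guests,CN=Groups,'; do
        if printf '%s\n' "$ldif" | grep -iq "^member: *$m"; then
            echo "ok:   member $m present"
        else
            echo "FAIL: member $m missing"; rc=1
        fi
    done

    # Step 3: groupType and sAMAccountType must carry the builtin-local values.
    for kv in 'groupType: -2147483643' 'sAMAccountType: 536870912'; do
        if printf '%s\n' "$ldif" | grep -q "^$kv\$"; then
            echo "ok:   $kv"
        else
            echo "FAIL: expected $kv"; rc=1
        fi
    done
    return $rc
}

# Constructed healthy sample, modelled on the ldbedit output in the article.
SAMPLE_OK='dn: CN=Guests,CN=Builtin,DC=school,DC=schein
objectClass: top
objectClass: group
cn: Guests
description: Guests have the same access as members of the Users group by defa
 ult, except for the Guest account which is further restricted
member: CN=Guest,CN=Users,DC=school,DC=schein
member: CN=Domain Guests,CN=Groups,DC=school,DC=schein
objectSid: S-1-5-32-546
sAMAccountName: Guests
sAMAccountType: 536870912
groupType: -2147483643'

# Constructed broken sample: the group sits outside CN=Builtin as a plain
# global group and has no members, so every check should fail.
SAMPLE_BAD='dn: CN=Guests,CN=Groups,DC=school,DC=schein
objectClass: top
objectClass: group
cn: Guests
sAMAccountType: 268435456
groupType: -2147483646'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK"  | check_guests_ldif || echo "healthy sample unexpectedly failed"
printf '%s\n' "$SAMPLE_BAD" | check_guests_ldif || echo "broken sample correctly rejected"
```

On a real system the same function is fed from the directory, e.g. ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=Guests)' | check_guests_ldif on the slave; a FAIL line points at the step that has to be corrected on the Master.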

Solution:

The three steps from above must be okay. If not, you have to fix them on the Master, so the changes are replicated to the slaves.

  1. Move the Guests group into the Builtin container. The easiest way is using the UMC LDAP directory module.
  2. Use the UMC group module to add the members to the group.
  3. Change the group type:
udm groups/group modify --dn cn=Guests,cn=Builtin,$(ucr get ldap/base) --set sambaGroupType=2
ldapmodify -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<-%EOR
dn: cn=Guests,cn=Builtin,$(ucr get ldap/base)
changetype: modify
replace: univentionGroupType
univentionGroupType: -2147483643
%EOR

After that there is just one problem left: replication is not working on the slave, so Samba has to start at least once to sync the changes.
You can remove the members of the group in the local sam.ldb, save the changes and then restart Samba:

ldbedit -H /var/lib/samba/private/sam.ldb cn=guests
→
# editing 1 records
# record 1
dn: CN=Guests,CN=Builtin,DC=school,DC=schein
objectClass: top
objectClass: group
cn: Guests
description: Guests have the same access as members of the Users group by defa
 ult, except for the Guest account which is further restricted

member: CN=Guest,CN=Users,DC=school,DC=schein ← REMOVE
member: CN=Domain Guests,CN=Groups,DC=school,DC=schein ← REMOVE

instanceType: 4
whenCreated: 20190314202224.0Z
whenChanged: 20190314202224.0Z
uSNCreated: 3647
uSNChanged: 3647
name: Guests
objectGUID: 3d2580b0-1b05-4282-a58d-4c113930c61f
objectSid: S-1-5-32-546
sAMAccountName: Guests
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=schein,DC=ig
isCriticalSystemObject: TRUE
distinguishedName: CN=Guests,CN=Builtin,DC=school,DC=schein

/etc/init.d/samba restart
