Samba 4 fails to start after installation of Active Directory-compatible Domain Controller

Environment:

  • UCS Corporate Server release version is 4.4-2 errata301.
    1x Master
    1x Backup

univention-samba4 8.0.0-27A~4.4.0.201908051359
python-univention-connector-s4 13.0.2-48A~4.4.0.201910011641

Error log.smbd:

[2019/10/09 14:29:22.488713, 0, pid=29822] …/…/source3/auth/auth_util.c:1386(make_new_session_info_guest)
create_local_token failed: LDAP_ENTRY_ALREADY_EXISTS
[2019/10/09 14:29:22.488771, 0, pid=29822] …/…/source3/smbd/server.c:2041(main)
ERROR: failed to setup guest info.

What I have tried

  1. Since error looks similar to:
  2. Samba debug mode does not give any hints

Can somebody give me some hints on what else I should try?

Thank you in advance

Hi,

maybe you did not remove all entries:


https://lists.samba.org/archive/samba/2014-August/183657.html
http://lists-archives.com/samba/95373-unable-to-join-dc-to-domain.html

Or maybe you ran into a bug that should have already been fixed:

https://forge.univention.org/bugzilla/show_bug.cgi?id=32893
https://forge.univention.org/bugzilla/show_bug.cgi?id=23360

Regards,

Stefan

Hi Stefan,

It does not look like that. Just in case, I removed the Backup AD to remove one variable, but on the Master there is still the same problem.

Looks like there is a connection with my second problem, SID: Check well known SIDs

Debug LOG:

[2019/10/10 11:09:29.187186, 5, pid=19698] …/…/lib/audit_logging/audit_logging.c:95(audit_log_human_text)
DSDB Change [Modify] at [Thu, 10 Oct 2019 11:09:29.187168 CEST] status [Entry already exists] remote host [Unknown] SID [(NULL SID)] DN [CN=Users,CN=Builtin,DC=example] attributes [add: member [<GUID=ef4f9b5a-9543-4670-8777-514f92cdf640>;<SID=S-1-5-21-1694607643-412015992-1075375335-513>;CN=Domain Users,CN=Groups,DC=example]]
{"timestamp": "2019-10-10T11:09:29.187234+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 68, "status": "Entry already exists", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Users,CN=Builtin,DC=example", "transactionId": "0d50fb8d-69c2-457d-b4f6-f6ce31aa2e4c", "sessionId": "c223ddc3-07ad-4aca-9894-4bb4bd2361a9", "attributes": {"member": {"actions": [{"action": "add", "values": [{"value": "<GUID=ef4f9b5a-9543-4670-8777-514f92cdf640>;<SID=S-1-5-21-1694607643-412015992-1075375335-513>;CN=Domain Users,CN=Groups,DC=example"}]}]}}}}
[2019/10/10 11:09:29.187291, 5, pid=19698] …/…/lib/audit_logging/audit_logging.c:95(audit_log_human_text)
DSDB Transaction [rollback] at [Thu, 10 Oct 2019 11:09:29.187284 CEST] duration [1789]
{"timestamp": "2019-10-10T11:09:29.187312+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "0d50fb8d-69c2-457d-b4f6-f6ce31aa2e4c", "duration": 1789}}
[2019/10/10 11:09:29.187450, 4, pid=19698] …/…/source3/passdb/pdb_util.c:63(add_sid_to_builtin)
add_sid_to_builtin S-1-5-21-1694607643-412015992-1075375335-513 could not be added to S-1-5-32-545: LDAP_ENTRY_ALREADY_EXISTS
[2019/10/10 11:09:29.187494, 4, pid=19698] …/…/source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/10/10 11:09:29.187512, 2, pid=19698] …/…/source3/auth/token_util.c:732(finalize_local_nt_token)
WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2019/10/10 11:09:29.187835, 2, pid=19698] …/…/source3/groupdb/mapping.c:612(pdb_default_get_aliasinfo)
S-1-5-32-546 is a Domain Group, expected an alias
[2019/10/10 11:09:29.187860, 4, pid=19698] …/…/source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2019/10/10 11:09:29.187878, 4, pid=19698] …/…/source3/smbd/uid.c:576(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/10/10 11:09:29.187894, 4, pid=19698] …/…/source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/10/10 11:09:29.187910, 5, pid=19698] …/…/libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2019/10/10 11:09:29.187925, 5, pid=19698] …/…/source3/auth/token_util.c:866(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2019/10/10 11:09:29.189749, 5, pid=19698] …/…/lib/audit_logging/audit_logging.c:95(audit_log_human_text)
DSDB Change [Modify] at [Thu, 10 Oct 2019 11:09:29.189731 CEST] status [Entry already exists] remote host [Unknown] SID [(NULL SID)] DN [CN=Guests,CN=Builtin,DC=example] attributes [add: member [<GUID=f3320999-caa5-4dc4-ac12-ab2953660959>;<SID=S-1-5-21-1694607643-412015992-1075375335-501>;CN=Guest,CN=Users,DC=example]]
{"timestamp": "2019-10-10T11:09:29.189810+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 68, "status": "Entry already exists", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Guests,CN=Builtin,DC=example", "transactionId": "ee715e25-37bd-4d66-a28c-5c27f5446db2", "sessionId": "c223ddc3-07ad-4aca-9894-4bb4bd2361a9", "attributes": {"member": {"actions": [{"action": "add", "values": [{"value": "<GUID=f3320999-caa5-4dc4-ac12-ab2953660959>;<SID=S-1-5-21-1694607643-412015992-1075375335-501>;CN=Guest,CN=Users,DC=example"}]}]}}}}
[2019/10/10 11:09:29.189858, 5, pid=19698] …/…/lib/audit_logging/audit_logging.c:95(audit_log_human_text)
DSDB Transaction [rollback] at [Thu, 10 Oct 2019 11:09:29.189851 CEST] duration [1791]
{"timestamp": "2019-10-10T11:09:29.189879+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "ee715e25-37bd-4d66-a28c-5c27f5446db2", "duration": 1791}}
[2019/10/10 11:09:29.190006, 4, pid=19698] …/…/source3/passdb/pdb_util.c:63(add_sid_to_builtin)
add_sid_to_builtin S-1-5-21-1694607643-412015992-1075375335-501 could not be added to S-1-5-32-546: LDAP_ENTRY_ALREADY_EXISTS
[2019/10/10 11:09:29.190051, 4, pid=19698] …/…/source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/10/10 11:09:29.190070, 2, pid=19698] …/…/source3/auth/token_util.c:790(finalize_local_nt_token)
Failed to create BUILTIN\Guests group LDAP_ENTRY_ALREADY_EXISTS! Can Winbind allocate gids?
[2019/10/10 11:09:29.190087, 3, pid=19698] …/…/source3/auth/token_util.c:410(create_local_nt_token_from_info3)
Failed to finalize nt token
[2019/10/10 11:09:29.190107, 0, pid=19698] …/…/source3/auth/auth_util.c:1386(make_new_session_info_guest)
create_local_token failed: LDAP_ENTRY_ALREADY_EXISTS
[2019/10/10 11:09:29.190129, 0, pid=19698] …/…/source3/smbd/server.c:2041(main)
ERROR: failed to setup guest info.

I managed to get rid of the first two WARNINGs with:

samba/winbind/nested/groups
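
Added example, not part of the thread or of Samba/UCS code: a triage helper that reads the JSON `dsdbChange` / `dsdbTransaction` audit records from a debug log like the one above and reports each failed group-membership change with the outcome of its transaction. The function name, the output keys and the sample log are assumptions made for illustration; the sample is constructed and keeps the typographic quotes that forum pastes tend to carry.

```python
import json
import re

# Pasted logs often carry typographic quotes; map them back to ASCII before parsing.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
MEMBER_RE = re.compile(r"<SID=(S-[0-9-]+)>;(.+)$")

# Constructed sample modelled on the thread's records (SID, GUID and tx ids are made up).
SAMPLE_LOG = """\
[2019/10/10 11:09:29.187186, 5, pid=19698] audit_logging.c:95(audit_log_human_text)
{“type”: “dsdbChange”, “dsdbChange”: {“statusCode”: 68, “status”: “Entry already exists”, “operation”: “Modify”, “dn”: “CN=Users,CN=Builtin,DC=example”, “transactionId”: “tx-1”, “attributes”: {“member”: {“actions”: [{“action”: “add”, “values”: [{“value”: “<GUID=00000000-0000-0000-0000-000000000001>;<SID=S-1-5-21-1111-2222-3333-513>;CN=Domain Users,CN=Groups,DC=example”}]}]}}}}
{“type”: “dsdbTransaction”, “dsdbTransaction”: {“action”: “rollback”, “transactionId”: “tx-1”, “duration”: 1789}}
{“type”: “dsdbChange”, “dsdbChange”: {“statusCode”: 0, “status”: “Success”, “operation”: “Modify”, “dn”: “CN=Guests,CN=Builtin,DC=example”, “transactionId”: “tx-2”, “attributes”: {}}}
"""

def failed_member_changes(log_text):
    """Return one record per failed 'member' modification, with its transaction outcome."""
    changes, tx_action = [], {}
    for line in log_text.splitlines():
        line = line.strip().translate(QUOTES)
        if not line.startswith("{"):
            continue  # human-readable debug line, not a JSON audit record
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or otherwise damaged record
        if rec.get("type") == "dsdbTransaction":
            tx = rec.get("dsdbTransaction", {})
            tx_action[tx.get("transactionId")] = tx.get("action")
        elif rec.get("type") == "dsdbChange" and rec.get("dsdbChange", {}).get("statusCode"):
            changes.append(rec["dsdbChange"])  # non-zero statusCode means the change failed
    findings = []
    for ch in changes:
        for act in ch.get("attributes", {}).get("member", {}).get("actions", []):
            for val in act.get("values", []):
                m = MEMBER_RE.search(val.get("value", ""))
                findings.append({
                    "group_dn": ch.get("dn"),
                    "action": act.get("action"),
                    "member_sid": m.group(1) if m else None,
                    "member_dn": m.group(2) if m else val.get("value"),
                    "status": ch.get("status"),
                    "transaction": tx_action.get(ch.get("transactionId")),
                })
    return findings

if __name__ == "__main__":
    print(*failed_member_changes(SAMPLE_LOG), sep="\n")
```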
