Bug 1648399

Summary: Samba 4.9.1: smb.service fails with ERROR: failed to setup guest info
Product: [Fedora] Fedora
Reporter: Al Dunsmuir <al.dunsmuir>
Component: samba
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 29
CC: abokovoy, al.dunsmuir, anoopcs, asn, codespunk+bugzilla.redhat, gdeschner, jrivera, lmohanty, madam, sbose, ssorce
Hardware: x86_64   
OS: Linux   
Last Closed: 2018-11-09 15:55:57 UTC
Type: Bug
Attachments: Samba configuration (flags: none)

Description Al Dunsmuir 2018-11-09 15:32:18 UTC
Created attachment 1503704
Samba configuration

Description of problem:
Successfully using Samba with winbind in F28 (and earlier) to share files.

After upgrade, smb.service fails to start with "ERROR: failed to setup guest info." 

Version-Release number of selected component (if applicable):
samba-4.9.1-2.fc29.x86_64
samba-winbind-4.9.1-2.fc29.x86_64

How reproducible:
100%

Actual results:
smb.service fails to start

Expected results:
smb.service successful start


Additional info:
My original smb.conf was old style (with all the text from the current smb.conf.example file). I've redone it as a much smaller file (like the supplied smb.conf). No difference.

There seem to be debian, suse and samba bug reports about possible issues with 4.9.x and winbind not playing well with systemd, but I don't see anything specific to this failure.  For example:
https://lists.samba.org/archive/samba-technical/2018-September/130375.html

[root@wallace ~]# systemctl status smb.service
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-11-09 10:05:57 EST; 2s ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
  Process: 13641 ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS (code=exited, status=255)
 Main PID: 13641 (code=exited, status=255)

Nov 09 10:05:57 wallace.alba.lan systemd[1]: Starting Samba SMB Daemon...
Nov 09 10:05:57 wallace.alba.lan smbd[13641]: [2018/11/09 10:05:57.400299,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
Nov 09 10:05:57 wallace.alba.lan smbd[13641]:   create_local_token failed: NT_STATUS_ACCESS_DENIED
Nov 09 10:05:57 wallace.alba.lan smbd[13641]: [2018/11/09 10:05:57.400463,  0] ../source3/smbd/server.c:2000(main)
Nov 09 10:05:57 wallace.alba.lan smbd[13641]:   ERROR: failed to setup guest info.
Nov 09 10:05:57 wallace.alba.lan systemd[1]: smb.service: Main process exited, code=exited, status=255/n/a
Nov 09 10:05:57 wallace.alba.lan systemd[1]: smb.service: Failed with result 'exit-code'.
Nov 09 10:05:57 wallace.alba.lan systemd[1]: Failed to start Samba SMB Daemon.

[root@wallace ~]# systemctl status nmb.service
● nmb.service - Samba NMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-11-09 08:59:41 EST; 1h 7min ago
     Docs: man:nmbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1068 (nmbd)
   Status: "nmbd: ready to serve connections..."
    Tasks: 2 (limit: 4915)
   Memory: 13.6M
   CGroup: /system.slice/nmb.service
           ├─1068 /usr/sbin/nmbd --foreground --no-process-group
           └─1152 /usr/sbin/nmbd --foreground --no-process-group

Nov 09 09:02:14 wallace.alba.lan nmbd[1068]:   *****
Nov 09 09:02:14 wallace.alba.lan nmbd[1068]: [6B blob data]
Nov 09 09:02:14 wallace.alba.lan nmbd[1068]:   Samba name server ALBA_NB is now a local master browser for workgroup ALBA on subnet 192.168.122.1
Nov 09 09:02:14 wallace.alba.lan nmbd[1068]: [6B blob data]
Nov 09 09:02:14 wallace.alba.lan nmbd[1068]:   *****
Nov 09 09:04:49 wallace.alba.lan nmbd[1068]: [2018/11/09 09:04:49.013107,  0] ../source3/nmbd/nmbd_logonnames.c:162(add_logon_names)
Nov 09 09:04:49 wallace.alba.lan nmbd[1068]:   add_domain_logon_names:
Nov 09 09:04:49 wallace.alba.lan nmbd[1068]:   Attempting to become logon server for workgroup ALBA on subnet 192.168.122.1
Nov 09 09:04:53 wallace.alba.lan nmbd[1068]: [2018/11/09 09:04:53.017543,  0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success)
Nov 09 09:04:53 wallace.alba.lan nmbd[1068]:   become_logon_server_success: Samba is now a logon server for workgroup ALBA on subnet 192.168.122.1

[root@wallace samba]# systemctl status winbind.service
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-11-09 08:59:50 EST; 1h 30min ago
     Docs: man:winbindd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1153 (winbindd)
   Status: "winbindd: ready to serve connections..."
    Tasks: 3 (limit: 4915)
   Memory: 10.3M
   CGroup: /system.slice/winbind.service
           ├─1153 /usr/sbin/winbindd --foreground --no-process-group
           ├─1229 /usr/sbin/winbindd --foreground --no-process-group
           └─1230 /usr/sbin/winbindd --foreground --no-process-group

Nov 09 08:59:41 wallace.alba.lan systemd[1]: Starting Samba Winbind Daemon...
Nov 09 08:59:43 wallace.alba.lan winbindd[1153]: [2018/11/09 08:59:43.389677,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
Nov 09 08:59:43 wallace.alba.lan winbindd[1153]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Nov 09 08:59:50 wallace.alba.lan winbindd[1153]: [2018/11/09 08:59:50.114323,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Nov 09 08:59:50 wallace.alba.lan winbindd[1153]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Nov 09 08:59:50 wallace.alba.lan systemd[1]: Started Samba Winbind Daemon.

Comment 1 Alexander Bokovoy 2018-11-09 15:53:21 UTC
In the thread you mention I explain why this happens and how you can fix the problem.

Run

net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin

to map BUILTIN\Guests to group 'nobody'. This should allow getting through the required step.

You should also fix your smb.conf because it doesn't have idmap configuration and it is considered incorrect by Samba.

A quote from the thread:

----------------------------------
The behavior with failing when idmap configuration is incorrect was
first introduced in 4.6.0:

https://www.samba.org/samba/history/samba-4.6.0.html
-----
ID Mapping
----------
We discovered that the majority of users have an invalid or incorrect
ID mapping configuration. We implemented checks in the 'testparm' tool to
validate the ID mapping configuration. You should run it and check if it prints
any warnings or errors after upgrading! If it does you should fix them. See the
'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
There are some ID mapping backends which are not allowed to be used for the
default backend. Winbind will no longer start if an invalid backend is
configured as the default backend.
-----

With 4.8.0 we demand working winbindd for 'security = domain|ads'
https://www.samba.org/samba/history/samba-4.8.0.html
-----
Domain member setups require winbindd
-------------------------------------

Setups with "security = domain" or "security = ads" require a
running 'winbindd' now. The fallback that smbd directly contacts
domain controllers is gone.
-----

With 4.9.0 we expanded guest handling to differentiate between anonymous
and guest sessions. This required a proper handling of BUILTIN\Guests and
thus it is now forced to be able to have either a writable backend or aliases
configured properly.

Question is mostly what defaults we should have for BUILTIN\Guests.
Perhaps, we should always do the groupmap rule I added...
----------------------------------

Since your configuration uses 'security = user', the failure only started to appear for you with 4.9.0 because you have no mapping for BUILTIN\Guests and there is no proper idmap configuration to allow automatically allocating entries for BUILTIN groups.
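
Added example, not part of the original comment or of Samba: an offline triage script for the failure discussed above. It looks for the log signature from this report, a group mapping for S-1-5-32-546, and a default idmap section. Assumptions: the function names are hypothetical, `net groupmap list` prints its short "name (SID) -> unixgroup" lines, and "idmap configuration" is taken to mean an uncommented `idmap config * : backend` plus `range` pair.

```shell
#!/bin/sh
# Added example (not from the bug report): offline triage of the 4.9 guest-setup failure.
GUESTS_SID='S-1-5-32-546'   # BUILTIN\Guests, the SID used in Comment 1

# $1 = journal text. True when both lines of the failure signature are present.
has_guest_failure() {
    printf '%s\n' "$1" | grep -Fq 'create_local_token failed: NT_STATUS_ACCESS_DENIED' &&
    printf '%s\n' "$1" | grep -Fq 'ERROR: failed to setup guest info'
}

# $1 = `net groupmap list` output. Assumes the short "name (SID) -> unixgroup" format.
has_guests_map() {
    printf '%s\n' "$1" | grep -Fq "($GUESTS_SID) -> "
}

# $1 = smb.conf text. True when an uncommented default ('*') idmap backend AND range exist.
has_default_idmap() {
    conf=$(printf '%s\n' "$1" | grep -Ev '^[[:space:]]*[#;]' || true)
    for key in backend range; do
        printf '%s\n' "$conf" | grep -Eiq \
            "^[[:space:]]*idmap[[:space:]]+config[[:space:]]+\*[[:space:]]*:[[:space:]]*$key[[:space:]]*=" \
            || return 1
    done
}

# Prints one verdict line for the three inputs (journal, groupmap list, smb.conf).
triage() {
    has_guest_failure "$1" || { echo "no-guest-failure"; return 0; }
    missing=""
    has_guests_map "$2" || missing="groupmap"
    has_default_idmap "$3" || missing="${missing:+$missing,}idmap"
    echo "guest-failure missing=${missing:-none}"
}

# Journal lines are from the report; the groupmap and smb.conf samples are constructed.
SAMPLE_JOURNAL='smbd[13641]:   create_local_token failed: NT_STATUS_ACCESS_DENIED
smbd[13641]:   ERROR: failed to setup guest info.'
SAMPLE_GROUPMAP='Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users'
SAMPLE_CONF='[global]
    workgroup = ALBA
    security = user
    ; idmap config * : backend = tdb'

triage "$SAMPLE_JOURNAL" "$SAMPLE_GROUPMAP" "$SAMPLE_CONF"
```

On a live host the three arguments would come from `journalctl -u smb.service`, `net groupmap list` and `testparm -s`.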

Comment 2 Alexander Bokovoy 2018-11-09 15:55:04 UTC
I have also documented this in the Release Notes for Fedora 29:
https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/

Please fix your configuration.

Comment 3 Anoop C S 2018-12-14 06:47:36 UTC
*** Bug 1657553 has been marked as a duplicate of this bug. ***