Bug 182468

Summary: Winbind fails to start via /etc/init.d/winbind script
Product: Red Hat Enterprise Linux 4
Reporter: Eugenio Jordán González <ejordan>
Component: samba
Assignee: Jay Fenlason <fenlason>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: high
Priority: medium
Version: 4.0
CC: dwalsh, jfeeney, nalin
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-02-23 15:04:00 UTC

Description Eugenio Jordán González 2006-02-22 19:29:55 UTC
Description of problem:

We can't get Winbind to start correctly using scripts at /etc/init.d.

Facts:

i)   Both SMB and NMB seem to start fine.
ii)  Winbind can be started in background simply typing
     # winbind
     without problems.
iii) If, instead:
     # /etc/init.d/winbind start
     ,
     # sh -x /etc/init.d/winbind start
     it starts fine!
iv) Extract from /var/log/messages:

Feb 22 17:15:22 mtvisadorh01 kernel: audit(1140624922.398:0): avc:  denied  { write } for  pid=24483 exe=/usr/sbin/winbindd name=secrets.tdb dev=cciss/c0d0p2 ino=343440 scontext=root:system_r:winbind_t tcontext=root:object_r:samba_etc_t tclass=file

v) Extract from /var/log/samba/winbindd.log
[2006/02/22 18:48:03, 5] tdb/tdbutil.c:tdb_log(725)
  tdb(unnamed): tdb_open_ex: could not open file /etc/samba/secrets.tdb: Permiso denegado
[2006/02/22 18:48:03, 0] passdb/secrets.c:secrets_init(64)
  Failed to open /etc/samba/secrets.tdb
[2006/02/22 18:48:03, 0] nsswitch/winbindd.c:main(881)
  Could not initialize domain trust account secrets. Giving up
[2006/02/22 18:49:34, 1] nsswitch/winbindd.c:main(864)

vi) net ads join command works properly:
[2006/02/22 20:35:12, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for mtvisadorh01 already exists - modifying old account
Using short domain name -- COAM
Joined 'MTVISADORH01' to realm 'COAM.ORG'
vii) Samba configuration:
        workgroup = COAM
        realm = COAM.ORG
        security = ads
   
        name resolve order = lmhosts host wins bcast
        netbios name = mtvisadorh01
        wins server = NTServer
        wins support = yes
   
        encrypt passwords = yes
        passdb backend = tdbsam
        password server = NTServer
   
        idmap uid = 11000-20000
        idmap gid = 11000-20000
        winbind separator = _
        winbind enum users = yes
        winbind enum groups = yes

        ldap ssl = no
        log level = 10
        os level = 33
        short preserve case = no
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        syslog = 0
        time server = Yes
        unix extensions = Yes
        unix charset = LOCALE
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/




Version-Release number of selected component (if applicable):

[root@mtvisadorh01 samba]# rpm -qa | grep -i samba
samba-client-3.0.10-1.4E.2
system-config-samba-1.2.21-1
samba-3.0.10-1.4E.2
samba-common-3.0.10-1.4E.2

How reproducible:

At will.

Steps to Reproduce:
1. /etc/init.d/winbind start
  
Actual results:
It states it starts, but:

[root@mtvisadorh01 samba]# /etc/init.d/winbind start 
Starting Winbind services:                                 [  OK  ]
[root@mtvisadorh01 samba]# /etc/init.d/winbind status
winbindd dead but subsys locked


Expected results:
[root@mtvisadorh01 samba]# /etc/init.d/winbind start 
Starting Winbind services:                                 [  OK  ]
[root@mtvisadorh01 samba]# /etc/init.d/winbind status
winbindd (pid 2513 2512) is running...


Additional info:

Comment 1 Nalin Dahyabhai 2006-02-23 13:22:02 UTC
Can you add the version of the selinux-policy-targeted package which you have
installed, and the output of 'restorecon -v /etc/samba/secrets.tdb' in case
there's a labeling problem involved?

Comment 2 Eugenio Jordán González 2006-02-23 15:04:00 UTC
Sorry, had already checked as per other related bugs but forgot to provide:

[root@mtvisadorh01 ~]# rpm -qa | grep policy
checkpolicy-1.17.5-1
selinux-policy-targeted-1.17.30-2.110
policycoreutils-1.18.1-4.7


[root@mtvisadorh01 ~]# restorecon -v /etc/samba/secrets.tdb 
restorecon reset context /etc/samba/secrets.tdb:root:object_r:samba_etc_t->system_u:object_r:samba_secrets_t

After doing this, according to your instructions, problem's solved:
[root@mtvisadorh01 ~]# /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]
[root@mtvisadorh01 ~]# /etc/init.d/winbind status
winbindd (pid 21433 21432) is running...
[root@mtvisadorh01 ~]# /etc/init.d/winbind stop  

Shutting down Winbind services:                            [  OK  ]
[root@mtvisadorh01 ~]# /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]
[root@mtvisadorh01 ~]# /etc/init.d/winbind status
winbindd (pid 21456 21455) is running...


Thank you so much for your help, and sorry for wasting your time, as it's 
clearly not a bug.

Comment 3 Nalin Dahyabhai 2006-02-23 15:24:26 UTC
It may still be a bug if the file was created while SELinux was in use, but
somehow didn't get the correct label applied right then, but I'll leave that for
Jay to decide.  Thanks!
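
Added example (not part of the bug report or of Samba/SELinux tooling): a small parser for the kernel AVC denial format quoted in the description, which flags denials whose target file carries a different type than expected. The EXPECTED_TYPE table is an assumption built from the restorecon output in Comment 2; on a live system the expected label would come from the loaded policy (for example via matchpathcon).

```python
import re

# Log line from the bug report (/var/log/messages), joined onto one line.
SAMPLE = (
    "Feb 22 17:15:22 mtvisadorh01 kernel: audit(1140624922.398:0): avc:  denied  "
    "{ write } for  pid=24483 exe=/usr/sbin/winbindd name=secrets.tdb "
    "dev=cciss/c0d0p2 ino=343440 scontext=root:system_r:winbind_t "
    "tcontext=root:object_r:samba_etc_t tclass=file"
)

# Assumption: expected types keyed by file name; this single entry is taken
# from the restorecon output in Comment 2, not queried from policy.
EXPECTED_TYPE = {"secrets.tdb": "samba_secrets_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        # Contexts are user:role:type, optionally followed by an MLS level.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {
        "perms": m.group(1).split(),
        "exe": fields.get("exe"),
        "name": fields.get("name"),
        "source_type": stype,
        "target_type": ttype,
        "tclass": fields.get("tclass"),
    }

def mislabel_suspects(lines, expected=EXPECTED_TYPE):
    """Yield (denial, expected_type) where the target label differs from expected."""
    for line in lines:
        d = parse_avc(line)
        if d and d["name"] in expected and d["target_type"] != expected[d["name"]]:
            yield d, expected[d["name"]]

if __name__ == "__main__":
    for d, want in mislabel_suspects([SAMPLE]):
        print(f'{d["exe"]} ({d["source_type"]}) denied {d["perms"]} on {d["name"]}: '
              f'labelled {d["target_type"]}, expected {want}')
```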