Created attachment 1503704 [details] Samba configuration Description of problem: Successfully using Samba with winbind in F28 (and earlier) to share files. After upgrade, smb.service fails to start with "ERROR: failed to setup guest info." Version-Release number of selected component (if applicable): samba-4.9.1-2.fc29.x86_64 samba-winbind-4.9.1-2.fc29.x86_64 How reproducible: 100% Actual results: smb.service fails start Expected results: smb.service successful start Additional info: My original smb.conf was old style (with all the text from current smb.conf.example file. I've redone as a much smaller file (like the supplied smb.conf). No difference. There seem to be debian, suse and samba bug reports about possible issues with 4.9.x and winbind not playing well with systemd, but I don't see anything specific to this failure. For example: https://lists.samba.org/archive/samba-technical/2018-September/130375.html [root@wallace ~]# systemctl status smb.service ● smb.service - Samba SMB Daemon Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Fri 2018-11-09 10:05:57 EST; 2s ago Docs: man:smbd(8) man:samba(7) man:smb.conf(5) Process: 13641 ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS (code=exited, status=255) Main PID: 13641 (code=exited, status=255) Nov 09 10:05:57 wallace.alba.lan systemd[1]: Starting Samba SMB Daemon... Nov 09 10:05:57 wallace.alba.lan smbd[13641]: [2018/11/09 10:05:57.400299, 0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest) Nov 09 10:05:57 wallace.alba.lan smbd[13641]: create_local_token failed: NT_STATUS_ACCESS_DENIED Nov 09 10:05:57 wallace.alba.lan smbd[13641]: [2018/11/09 10:05:57.400463, 0] ../source3/smbd/server.c:2000(main) Nov 09 10:05:57 wallace.alba.lan smbd[13641]: ERROR: failed to setup guest info. Nov 09 10:05:57 wallace.alba.lan systemd[1]: smb.service: Main process exited, code=exited, status=255/n/a Nov 09 10:05:57 wallace.alba.lan systemd[1]: smb.service: Failed with result 'exit-code'. Nov 09 10:05:57 wallace.alba.lan systemd[1]: Failed to start Samba SMB Daemon. [root@wallace ~]# systemctl status nmb.service ● nmb.service - Samba NMB Daemon Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2018-11-09 08:59:41 EST; 1h 7min ago Docs: man:nmbd(8) man:samba(7) man:smb.conf(5) Main PID: 1068 (nmbd) Status: "nmbd: ready to serve connections..." Tasks: 2 (limit: 4915) Memory: 13.6M CGroup: /system.slice/nmb.service ├─1068 /usr/sbin/nmbd --foreground --no-process-group └─1152 /usr/sbin/nmbd --foreground --no-process-group Nov 09 09:02:14 wallace.alba.lan nmbd[1068]: ***** Nov 09 09:02:14 wallace.alba.lan nmbd[1068]: [6B blob data] Nov 09 09:02:14 wallace.alba.lan nmbd[1068]: Samba name server ALBA_NB is now a local master browser for workgroup ALBA on subnet 192.168.122.1 Nov 09 09:02:14 wallace.alba.lan nmbd[1068]: [6B blob data] Nov 09 09:02:14 wallace.alba.lan nmbd[1068]: ***** Nov 09 09:04:49 wallace.alba.lan nmbd[1068]: [2018/11/09 09:04:49.013107, 0] ../source3/nmbd/nmbd_logonnames.c:162(add_logon_names) Nov 09 09:04:49 wallace.alba.lan nmbd[1068]: add_domain_logon_names: Nov 09 09:04:49 wallace.alba.lan nmbd[1068]: Attempting to become logon server for workgroup ALBA on subnet 192.168.122.1 Nov 09 09:04:53 wallace.alba.lan nmbd[1068]: [2018/11/09 09:04:53.017543, 0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success) Nov 09 09:04:53 wallace.alba.lan nmbd[1068]: become_logon_server_success: Samba is now a logon server for workgroup ALBA on subnet 192.168.122.1 [root@wallace samba]# systemctl status winbind.service ● winbind.service - Samba Winbind Daemon Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2018-11-09 08:59:50 EST; 1h 30min ago Docs: man:winbindd(8) man:samba(7) man:smb.conf(5) Main PID: 1153 (winbindd) Status: "winbindd: ready to serve connections..." Tasks: 3 (limit: 4915) Memory: 10.3M CGroup: /system.slice/winbind.service ├─1153 /usr/sbin/winbindd --foreground --no-process-group ├─1229 /usr/sbin/winbindd --foreground --no-process-group └─1230 /usr/sbin/winbindd --foreground --no-process-group Nov 09 08:59:41 wallace.alba.lan systemd[1]: Starting Samba Winbind Daemon... Nov 09 08:59:43 wallace.alba.lan winbindd[1153]: [2018/11/09 08:59:43.389677, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache) Nov 09 08:59:43 wallace.alba.lan winbindd[1153]: initialize_winbindd_cache: clearing cache and re-creating with version number 2 Nov 09 08:59:50 wallace.alba.lan winbindd[1153]: [2018/11/09 08:59:50.114323, 0] ../lib/util/become_daemon.c:138(daemon_ready) Nov 09 08:59:50 wallace.alba.lan winbindd[1153]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections Nov 09 08:59:50 wallace.alba.lan systemd[1]: Started Samba Winbind Daemon.
In the thread you mention I explain why this happens and how you can fix the problem. Run net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin to map BUILTIN\Guests to group 'nobody'. This should allow getting through the required step. You should also fix your smb.conf because it doesn't have idmap configuration and it is considered incorrect by Samba. A quote from the thread: ---------------------------------- The behavior with failing when idmap configuration is incorrect was first introduced in 4.6.0: https://www.samba.org/samba/history/samba-4.6.0.html ----- ID Mapping ---------- We discovered that the majority of users have an invalid or incorrect ID mapping configuration. We implemented checks in the 'testparm' tool to validate the ID mapping configuration. You should run it and check if it prints any warnings or errors after upgrading! If it does you should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage. There are some ID mapping backends which are not allowed to be used for the default backend. Winbind will no longer start if an invalid backend is configured as the default backend. ----- With 4.8.0 we demand working winbindd for 'security = domain|ads' https://www.samba.org/samba/history/samba-4.8.0.html ----- Domain member setups require winbindd ------------------------------------- Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone. ----- With 4.9.0 we expanded guest handling to differentiate between anonymous and guest sessions. This required a proper handling of BUILTIN\Guests and thus is now forces to be able to have either writable backend or aliases configured properly. Question is mostly what defaults we should have for BUILTIN\Guests. Perhaps, we should always do the groupmap rule I added... ---------------------------------- Since your configuration uses 'security = user', the failure only started to appear for you with 4.9.0 because you have no mapping for BUILTIN\Guests and there is no proper idmap configuration to allow automatically allocating entries for BUILTIN groups.
I have also documented this in the Release Notes for Fedora 29: https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/ Please fix your configuration.
*** Bug 1657553 has been marked as a duplicate of this bug. ***
Hi, How about LDAB userdb? Any way to achieve the same without directly fiddling in LDAP? many thanks, L.
I came across this thread from a search engine, and I'm on Debian 10.7. I'm sure this also applies to Ubuntu, but to fix this issue I had to run: net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nogroup type=builtin