Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1740986

Summary:	Samba 4.9.1-6: Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!
Product:	Red Hat Enterprise Linux 7	Reporter:	Glen Babiano <gbabiano>
Component:	samba	Assignee:	Andreas Schneider <asn>
Status:	CLOSED ERRATA	QA Contact:	Niranjan Mallapadi Raghavender <mniranja>
Severity:	high	Docs Contact:
Priority:	high
Version:	7.6	CC:	asn, dkarpele, gdeschner, iboukris, jarrpa, jstephen, mniranja, sgoveas, tscherf
Target Milestone:	rc	Keywords:	ZStream
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	samba-4.10.4-4.el7	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1754835 (view as bug list)		Environment:
Last Closed:	2020-03-31 19:56:34 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1754835

Description Glen Babiano 2019-08-14 04:52:01 UTC

Description of problem:
After a system update, Samba fails to start with "create_local_token failed: NT_STATUS_ACCESS_DENIED"

Version-Release number of selected component (if applicable):
Samba 4.9.1-6

Actual results:
Samba fails to start with "create_local_token failed: NT_STATUS_ACCESS_DENIED"

Expected results:
Samba should start successfully after the update.

Additional info:
Running the command below resolves the issue.
----- 
# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
-----

However, customer is requesting that this be added by default instead of running the command manually after an update to avoid downtime. Additional information was gathered from idm-tech mailing list as per below:

The following snippet needs to be added to 'samba' package:

-----
# /usr/lib/systemd/system/smb.service.d/nobody.conf
[Service]
ExecStartPre=/bin/sh -c '/usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin ||:'
-----

Note that we have to use shell construct to avoid propagating non-zero result of running /usr/bin/net to systemd. Otherwise result of ExecStartPre would be should as failing even if it could be ignored with 'ExecStartPre=-/usr/bin/net ...' -- you still will see it in 'systemctl status smb' in red color:

-----
  Process: 6630 ExecStartPre=/usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin (code=exited, status=255/EXCEPTION)

While with shell's ||: it will be silent:

  Process: 6735 ExecStartPre=/bin/sh -c /usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin ||: (code=exited, status=0/SUCCESS)
-----

Comment 2 Andreas Schneider 2019-08-14 07:32:11 UTC

The net command doesn't need to be run if winbind is running and Samba is configured correctly. It is likely that the customer is running sssd and did not start winbind which caused those issues.

Comment 3 Glen Babiano 2019-08-15 01:44:15 UTC

Hi Andreas,

Thanks for the feedback.

I have reached out to the customer and here's what he has to say:
-----
I'm afraid that's not correct, we do start winbind before starting samba.
-----

Any other thoughts?

Thanks and regards,

Glen

Comment 5 Isaac Boukris 2019-08-27 10:32:49 UTC

Hi, I seems to me that this issue was addressed upstream and the patch is actually included in the latest samba package samba-4.10.4-1.el7, please try using this package.

Comment 7 Glen Babiano 2019-09-12 06:58:06 UTC

Hi Isaac,

Customer found that Samba version 4.10.x is available upstream but not on the RHEL 7 repos. Is there any chance this will be ported in RHEL 7?

Thanks and regards,

Glen

Comment 16 Andreas Schneider 2019-11-26 13:50:44 UTC

Problems could happen if winbind is not running or idmap is not set up correctly. If this is the case there should be no problems. However we improved the code in this area.

Comment 17 Niranjan Mallapadi Raghavender 2019-12-02 10:09:04 UTC

Version:
samba-common-4.10.4-9.el7.noarch
samba-libs-4.10.4-9.el7.x86_64
samba-common-tools-4.10.4-9.el7.x86_64
samba-4.10.4-9.el7.x86_64
samba-common-libs-4.10.4-9.el7.x86_64
samba-winbind-modules-4.10.4-9.el7.x86_64
samba-winbind-clients-4.10.4-9.el7.x86_64
samba-client-libs-4.10.4-9.el7.x86_64
samba-winbind-4.10.4-9.el7.x86_64

1. Test using winbind and samba
================================

1. Join system to Windows 2012 R2 using realm with winbind and samba

[root@qe-blade-11 ~]# realm join -U Administrator --client-software=winbind --membership-software=samba -v CYGNUS.TEST
 * Resolving: _ldap._tcp.cygnus.test
 * Performing LDAP DSE lookup on: 10.65.201.120
 * Performing LDAP DSE lookup on: 2620:52:0:41c9:3ccf:487d:ca5b:5895
 * Successfully discovered: cygnus.test
Password for Administrator:
 * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.8231B0 -U Administrator ads join cygnus.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CYGNUS
Joined 'QE-BLADE-11' to dns domain 'cygnus.test'
DNS Update for qe-blade-11.idmqe.lab.eng.bos.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.8231B0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable winbind.service
Created symlink from /etc/systemd/system/multi-user.target.wants/winbind.service to /usr/lib/systemd/system/winbind.service.
 * /usr/bin/systemctl restart winbind.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

2. Run testparam

[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
[root@qe-blade-11 samba]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        kerberos method = system keytab
        printcap name = cups
        realm = CYGNUS.TEST
        security = ADS
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = CYGNUS
        idmap config * : range = 10000-999999
        idmap config cygnus : backend = rid
        idmap config cygnus : range = 2000000-2999999
        idmap config * : backend = tdb
        cups options = raw

[homes] 
        browseable = No
        comment = Home Directories
        inherit acls = Yes
        read only = No
        valid users = %S %D%w%S


[printers]
        browseable = No   
        comment = All Printers
        create mask = 0600
        path = /var/tmp   
        printable = Yes   


[print$]
        comment = Printer Drivers
        create mask = 0664
        directory mask = 0775
        force group = @printadmin
        path = /var/lib/samba/drivers
        write list = @printadmin root

3. Start smb service and verify net groupmap list lists builtin groups

[root@qe-blade-11 samba]# systemctl start smb
[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
[root@qe-blade-11 samba]# testparm


Test using sssd and samba
==========================
[root@qe-blade-11 ~]# realm join -U Administrator --client-software=sssd --membership-software=samba -v CYGNUS.TEST
 * Resolving: _ldap._tcp.cygnus.test
 * Performing LDAP DSE lookup on: 10.65.201.120
 * Performing LDAP DSE lookup on: 2620:52:0:41c9:3ccf:487d:ca5b:5895
 * Successfully discovered: cygnus.test
Password for Administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RJSIC0 -U Administrator ads join cygnus.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CYGNUS
Joined 'QE-BLADE-11' to dns domain 'cygnus.test'
DNS Update for qe-blade-11.idmqe.lab.eng.bos.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RJSIC0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm


2. Configure  /etc/samba/smb.conf as below:

[global]
        server string = File Server
        passdb backend = tdbsam
        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 200KB per log file, then rotate:
        max log size = 200
        log level = 2
        # Domain Config
        realm = CYGNUS.TEST
        workgroup = CYGNUS
        security = ADS
        kerberos method = secrets and keytab
        idmap config * : backend = autorid
        idmap config * : range = 1000000-19999999
        idmap config * : rangesize = 1000000
        template shell = /bin/bash
        template homedir = /home/%U


[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[share1]

        path = /mnt/samba/share1
        comment = test share1
        writable = yes
        printable = no
</snip>

3. start winbind and smb service

[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> 1000002
Administrators (S-1-5-32-544) -> 1000000
Users (S-1-5-32-545) -> 1000001

Comment 19 errata-xmlrpc 2020-03-31 19:56:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1084