Bug 1740986 - Samba 4.9.1-6: Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!
Summary: Samba 4.9.1-6: Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.6
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Andreas Schneider
QA Contact: Niranjan Mallapadi Raghavender
URL:
Whiteboard:
Depends On:
Blocks: 1754835
TreeView+ depends on / blocked
 
Reported: 2019-08-14 04:52 UTC by Glen Babiano
Modified: 2020-03-31 19:57 UTC (History)
9 users (show)

Fixed In Version: samba-4.10.4-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1754835 (view as bug list)
Environment:
Last Closed: 2020-03-31 19:56:34 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1084 None None None 2020-03-31 19:57:08 UTC

Description Glen Babiano 2019-08-14 04:52:01 UTC
Description of problem:
After a system update, Samba fails to start with "create_local_token failed: NT_STATUS_ACCESS_DENIED"

Version-Release number of selected component (if applicable):
Samba 4.9.1-6

Actual results:
Samba fails to start with "create_local_token failed: NT_STATUS_ACCESS_DENIED"

Expected results:
Samba should start successfully after the update.

Additional info:
Running the command below resolves the issue.
----- 
# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
-----

However, customer is requesting that this be added by default instead of running the command manually after an update to avoid downtime. Additional information was gathered from idm-tech mailing list as per below:

The following snippet needs to be added to 'samba' package:

-----
# /usr/lib/systemd/system/smb.service.d/nobody.conf
[Service]
ExecStartPre=/bin/sh -c '/usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin ||:'
-----

Note that we have to use shell construct to avoid propagating non-zero result of running /usr/bin/net to systemd. Otherwise result of ExecStartPre would be should as failing even if it could be ignored with 'ExecStartPre=-/usr/bin/net ...' -- you still will see it in 'systemctl status smb' in red color:

-----
  Process: 6630 ExecStartPre=/usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin (code=exited, status=255/EXCEPTION)

While with shell's ||: it will be silent:

  Process: 6735 ExecStartPre=/bin/sh -c /usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin ||: (code=exited, status=0/SUCCESS)
-----

Comment 2 Andreas Schneider 2019-08-14 07:32:11 UTC
The net command doesn't need to be run if winbind is running and Samba is configured correctly. It is likely that the customer is running sssd and did not start winbind which caused those issues.

Comment 3 Glen Babiano 2019-08-15 01:44:15 UTC
Hi Andreas,

Thanks for the feedback.

I have reached out to the customer and here's what he has to say:
-----
I'm afraid that's not correct, we do start winbind before starting samba.
-----

Any other thoughts?

Thanks and regards,

Glen

Comment 5 Isaac Boukris 2019-08-27 10:32:49 UTC
Hi, I seems to me that this issue was addressed upstream and the patch is actually included in the latest samba package samba-4.10.4-1.el7, please try using this package.

Comment 7 Glen Babiano 2019-09-12 06:58:06 UTC
Hi Isaac,

Customer found that Samba version 4.10.x is available upstream but not on the RHEL 7 repos. Is there any chance this will be ported in RHEL 7?

Thanks and regards,

Glen

Comment 16 Andreas Schneider 2019-11-26 13:50:44 UTC
Problems could happen if winbind is not running or idmap is not set up correctly. If this is the case there should be no problems. However we improved the code in this area.

Comment 17 Niranjan Mallapadi Raghavender 2019-12-02 10:09:04 UTC
Version:
samba-common-4.10.4-9.el7.noarch
samba-libs-4.10.4-9.el7.x86_64
samba-common-tools-4.10.4-9.el7.x86_64
samba-4.10.4-9.el7.x86_64
samba-common-libs-4.10.4-9.el7.x86_64
samba-winbind-modules-4.10.4-9.el7.x86_64
samba-winbind-clients-4.10.4-9.el7.x86_64
samba-client-libs-4.10.4-9.el7.x86_64
samba-winbind-4.10.4-9.el7.x86_64

1. Test using winbind and samba
================================

1. Join system to Windows 2012 R2 using realm with winbind and samba

[root@qe-blade-11 ~]# realm join -U Administrator --client-software=winbind --membership-software=samba -v CYGNUS.TEST
 * Resolving: _ldap._tcp.cygnus.test
 * Performing LDAP DSE lookup on: 10.65.201.120
 * Performing LDAP DSE lookup on: 2620:52:0:41c9:3ccf:487d:ca5b:5895
 * Successfully discovered: cygnus.test
Password for Administrator:
 * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.8231B0 -U Administrator ads join cygnus.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CYGNUS
Joined 'QE-BLADE-11' to dns domain 'cygnus.test'
DNS Update for qe-blade-11.idmqe.lab.eng.bos.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.8231B0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable winbind.service
Created symlink from /etc/systemd/system/multi-user.target.wants/winbind.service to /usr/lib/systemd/system/winbind.service.
 * /usr/bin/systemctl restart winbind.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

2. Run testparam

[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
[root@qe-blade-11 samba]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        kerberos method = system keytab
        printcap name = cups
        realm = CYGNUS.TEST
        security = ADS
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = CYGNUS
        idmap config * : range = 10000-999999
        idmap config cygnus : backend = rid
        idmap config cygnus : range = 2000000-2999999
        idmap config * : backend = tdb
        cups options = raw

[homes] 
        browseable = No
        comment = Home Directories
        inherit acls = Yes
        read only = No
        valid users = %S %D%w%S


[printers]
        browseable = No   
        comment = All Printers
        create mask = 0600
        path = /var/tmp   
        printable = Yes   


[print$]
        comment = Printer Drivers
        create mask = 0664
        directory mask = 0775
        force group = @printadmin
        path = /var/lib/samba/drivers
        write list = @printadmin root

3. Start smb service and verify net groupmap list lists builtin groups

[root@qe-blade-11 samba]# systemctl start smb
[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
[root@qe-blade-11 samba]# testparm


Test using sssd and samba
==========================
[root@qe-blade-11 ~]# realm join -U Administrator --client-software=sssd --membership-software=samba -v CYGNUS.TEST
 * Resolving: _ldap._tcp.cygnus.test
 * Performing LDAP DSE lookup on: 10.65.201.120
 * Performing LDAP DSE lookup on: 2620:52:0:41c9:3ccf:487d:ca5b:5895
 * Successfully discovered: cygnus.test
Password for Administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RJSIC0 -U Administrator ads join cygnus.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CYGNUS
Joined 'QE-BLADE-11' to dns domain 'cygnus.test'
DNS Update for qe-blade-11.idmqe.lab.eng.bos.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RJSIC0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm


2. Configure  /etc/samba/smb.conf as below:

[global]
        server string = File Server
        passdb backend = tdbsam
        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 200KB per log file, then rotate:
        max log size = 200
        log level = 2
        # Domain Config
        realm = CYGNUS.TEST
        workgroup = CYGNUS
        security = ADS
        kerberos method = secrets and keytab
        idmap config * : backend = autorid
        idmap config * : range = 1000000-19999999
        idmap config * : rangesize = 1000000
        template shell = /bin/bash
        template homedir = /home/%U


[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[share1]

        path = /mnt/samba/share1
        comment = test share1
        writable = yes
        printable = no
</snip>

3. start winbind and smb service

[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> 1000002
Administrators (S-1-5-32-544) -> 1000000
Users (S-1-5-32-545) -> 1000001

Comment 19 errata-xmlrpc 2020-03-31 19:56:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1084


Note You need to log in before you can comment on or make changes to this bug.