Bug 182468 - Winbind fails to start via /etc/init.d/winbind script
Summary: Winbind fails to start via /etc/init.d/winbind script
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Version: 4.0
Hardware: i686
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Jay Fenlason
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-02-22 19:29 UTC by Eugenio Jordán González
Modified: 2014-08-31 23:28 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-23 15:04:00 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Eugenio Jordán González 2006-02-22 19:29:55 UTC
Description of problem:

We can't get Winbind start correctly using scripts at /etc/init.d.

Facts:

i)   Both SMB and NMB seems to start fine.
ii)  Winbind can be started in background simply typing
     # winbind
     without problems.
iii) If, instead:
     # /etc/init.d/winbind start
     ,
     # sh -x /etc/init.d/winbind start
     it starts fine!
iv) Extract from /var/log/messages:

Feb 22 17:15:22 mtvisadorh01 kernel: audit(1140624922.398:0): avc:  denied  { 
write } for  pid=24483 exe=/usr/sbin/winbindd name=secrets.tdb 
dev=cciss/c0d0p2 ino=343440 scontext=root:system_r:winbind_t 
tcontext=root:object_r:samba_etc_t tclass=file

v) Extract from /var/lob/samba/winbindd.log
[2006/02/22 18:48:03, 5] tdb/tdbutil.c:tdb_log(725)
  tdb(unnamed): tdb_open_ex: could not open file /etc/samba/secrets.tdb: 
Permiso denegado
[2006/02/22 18:48:03, 0] passdb/secrets.c:secrets_init(64)
  Failed to open /etc/samba/secrets.tdb
[2006/02/22 18:48:03, 0] nsswitch/winbindd.c:main(881)
  Could not initialize domain trust account secrets. Giving up
[2006/02/22 18:49:34, 1] nsswitch/winbindd.c:main(864)

vi) net ads join command works properly:
[2006/02/22 20:35:12, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for mtvisadorh01 already exists - 
modifying old account
Using short domain name -- COAM
Joined 'MTVISADORH01' to realm 'COAM.ORG'
vii) Samba configuration:
        workgroup = COAM
        realm = COAM.ORG
        security = ads
   
        name resolve order = lmhosts host wins bcast
        netbios name = mtvisadorh01
        wins server = NTServer
        wins support = yes
   
        encrypt passwords = yes
        passdb backend = tdbsam
        password server = NTServer
   
        idmap uid = 11000-20000
        idmap gid = 11000-20000
        winbind separator = _
        winbind enum users = yes
        winbind enum groups = yes

        ldap ssl = no
        log level = 10
        os level = 33
        short preserve case = no
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        syslog = 0
        time server = Yes
        unix extensions = Yes
        unix charset = LOCALE
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/




Version-Release number of selected component (if applicable):

[root@mtvisadorh01 samba]# rpm -qa | grep -i samba
samba-client-3.0.10-1.4E.2
system-config-samba-1.2.21-1
samba-3.0.10-1.4E.2
samba-common-3.0.10-1.4E.2

How reproducible:

At will.

Steps to Reproduce:
1. /etc/init.d/winbind start
2.
3.
  
Actual results:
It states it starts, but:

[root@mtvisadorh01 samba]# /etc/init.d/winbind start 
Starting Winbind services:                                 [  OK  ]
[root@mtvisadorh01 samba]# /etc/init.d/winbind status
winbindd dead but subsys locked


Expected results:
[root@mtvisadorh01 samba]# /etc/init.d/winbind start 
Starting Winbind services:                                 [  OK  ]
[root@mtvisadorh01 samba]# /etc/init.d/winbind status
winbindd (pid 2513 2512) is running...


Additional info:

Comment 1 Nalin Dahyabhai 2006-02-23 13:22:02 UTC
Can you add the version of the selinux-policy-targeted package which you have
installed, and the output of 'restorecon -v /etc/samba/secrets.tdb' in case
there's a labeling problem involved?

Comment 2 Eugenio Jordán González 2006-02-23 15:04:00 UTC
Sorry, had already checked as per other related bugs but forgot to provide:

[root@mtvisadorh01 ~]# rpm -qa | grep policy
checkpolicy-1.17.5-1
selinux-policy-targeted-1.17.30-2.110
policycoreutils-1.18.1-4.7


[root@mtvisadorh01 ~]# restorecon -v /etc/samba/secrets.tdb 
restorecon reset context /etc/samba/secrets.tdb:root:object_r:samba_etc_t-
>system_u:object_r:samba_secrets_t

After doing this, according to your instructions, problems's solved:
[root@mtvisadorh01 ~]# /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]
[root@mtvisadorh01 ~]# /etc/init.d/winbind status
winbindd (pid 21433 21432) is running...
[root@mtvisadorh01 ~]# /etc/init.d/winbind stop  

Shutting down Winbind services:                            [  OK  ]
[root@mtvisadorh01 ~]# /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]
[root@mtvisadorh01 ~]# /etc/init.d/winbind status
winbindd (pid 21456 21455) is running...


Thank you so much for your help, and sorry for wasting your time, as it's 
clearly not a bug.

Comment 3 Nalin Dahyabhai 2006-02-23 15:24:26 UTC
It may still be a bug if the file was created while SELinux was in use, but
somehow didn't get the correct label applied right then, but I'll leave that for
Jay to decide.  Thanks!


Note You need to log in before you can comment on or make changes to this bug.