
[Samba] 4.5 -> 4.8 samba fails to start




Hi all,
I'm trying to upgrade samba from 4.5 to 4.8 and it no longer starts. This is using the Debian Jessie (4.5.12+dfsg-2+deb9u2) and Debian testing (4.8.2+dfsg-1) packages. Below are a log file from the non-starting server, and testparm on the working 4.5, and again on the non-working 4.8.
I do see an ERROR in the testparm for 4.8:

idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

If someone could guide me through making samba happy about that, that would be great. I may have an unusual setup. In 4.5 Samba checks against an MIT Kerberos server for authentication.

Thanks!
Chad.



The last few lines of log.smbd are (I've got more!):
  create_builtin_administrators: Failed to create Administrators
[2018/06/18 06:11:21.308167, 4, pid=19610, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/06/18 06:11:21.308250, 3, pid=19610, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:708(finalize_local_nt_token)
  Failed to check for local Administrators membership (NT_STATUS_INVALID_PARAMETER_MIX)
[2018/06/18 06:11:21.308384, 4, pid=19610, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/06/18 06:11:21.308461, 4, pid=19610, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/06/18 06:11:21.308533, 4, pid=19610, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/06/18 06:11:21.308604, 5, pid=19610, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/06/18 06:11:21.308675, 5, pid=19610, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/06/18 06:11:21.308838, 5, pid=19610, effective(0, 0), real(0, 0)] ../source3/passdb/pdb_util.c:128(create_builtin_users)
  create_builtin_users: Failed to create Users
[2018/06/18 06:11:21.308953, 4, pid=19610, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/06/18 06:11:21.309036, 3, pid=19610, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:751(finalize_local_nt_token)
  Failed to check for local Guests membership (NT_STATUS_INVALID_PARAMETER_MIX)
[2018/06/18 06:11:21.309118, 0] ../source3/auth/auth_util.c:1372(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_NO_MEMORY
[2018/06/18 06:11:21.309208, 0, pid=19610, effective(0, 0), real(0, 0)] ../source3/smbd/server.c:1993(main)
  ERROR: failed to setup guest info.

Googling gets me the most interesting result of a Debian bug. The reporter "resolved" it for themselves by using Samba 4.7 ;).
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899269

testparm in 4.5
------------------------------------------------------------------------
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[LabSoftware]"
Processing section "[monitor]"
Processing section "[smb]"
Processing section "[guest]"
Loaded services file OK.
WARNING: some services use vfs_fruit, others don't. Mounting them in conjunction on OS X clients results in undefined behaviour.

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        realm = PHYSICS.WISC.EDU
        server string = %h server
        workgroup = PHYSICS
        max log size = 100000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        kerberos method = secrets and keytab
        map to guest = Bad User
        security = ADS
        server signing = required
        hostname lookups = Yes
        dns proxy = No
        fruit:nfs_aces = no
        idmap config * : backend = tdb

[LabSoftware]
        path = /srv/smb/LabSoftware
        guest ok = Yes
        hosts allow = blah blay blax
        smb encrypt = No


[monitor]
        path = /srv/monitor
        browseable = No
        read only = No
        vfs objects = btrfs


[smb]
        path = /srv/smb
        ea support = Yes
        inherit acls = Yes
        inherit permissions = Yes
        read only = No
        smb encrypt = desired
        msdfs root = Yes
        vfs objects = btrfs catia fruit streams_xattr
        fruit:encoding = native


[guest]
        path = /srv/smb
        hide unreadable = Yes
        ea support = Yes
        guest ok = Yes
        inherit acls = Yes
        inherit permissions = Yes
        read only = No
        smb encrypt = desired
        msdfs root = Yes
        vfs objects = btrfs catia fruit streams_xattr
        fruit:encoding = native

-----------------------------------------------

testparm for same config file in 4.8
------------------------------------------------------------------------
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[monitor]"
Processing section "[smb]"
Processing section "[guest]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

WARNING: some services use vfs_fruit, others don't. Mounting them in conjunction on OS X clients results in undefined behaviour.

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dns proxy = No
        hostname lookups = Yes
        kerberos method = secrets and keytab
        map to guest = Bad User
        max log size = 100000
        panic action = /usr/share/samba/panic-action %d
        realm = PHYSICS.WISC.EDU
        security = ADS
        server signing = required
        server string = %h server
        syslog = 0
        workgroup = PHYSICS
        fruit:nfs_aces = no
        idmap config * : backend = tdb


[monitor]
        browseable = No
        path = /srv/monitor
        read only = No
        vfs objects = btrfs

[smb]
        ea support = Yes
        inherit acls = Yes
        inherit permissions = Yes
        msdfs root = Yes
        path = /srv/smb
        read only = No
        smb encrypt = desired
        vfs objects = btrfs catia fruit streams_xattr
        fruit:encoding = native

[guest]
        ea support = Yes
        guest ok = Yes
        hide unreadable = Yes
        inherit acls = Yes
        inherit permissions = Yes
        msdfs root = Yes
        path = /srv/smb
        read only = No
        smb encrypt = desired
        vfs objects = btrfs catia fruit streams_xattr
        fruit:encoding = native
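
Editor's added example (not part of the original post and not Samba code): the testparm error above concerns `idmap config * : backend = tdb` appearing with no matching `idmap config * : range` line, so this sketch scans a config for idmap domains that set options without a usable range. It goes slightly beyond the post by also flagging overlapping ranges between domains; the function name and the range 3000-7999 are constructed for illustration.

```python
import re

# "idmap config DOMAIN : option = value", as in smb.conf or a testparm dump
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def check_idmap(conf_text):
    """Return {domain: problem} for idmap domains without a usable range."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    problems, seen = {}, []
    for domain, opts in domains.items():
        m = RANGE_RE.match(opts.get("range", ""))
        if "range" not in opts:
            problems[domain] = "range not specified"
        elif not m or int(m.group(1)) > int(m.group(2)):
            problems[domain] = "invalid range"  # this checker's own sanity rule
        else:
            low, high = int(m.group(1)), int(m.group(2))
            # Generalization beyond the post: ranges of different domains
            # should not overlap, so report the later one when they do.
            for other, olow, ohigh in seen:
                if low <= ohigh and olow <= high:
                    problems[domain] = "range overlaps domain " + other
            seen.append((domain, low, high))
    return problems

# idmap-relevant lines of [global] as dumped by testparm in the post
PAGE_GLOBAL = """[global]
        security = ADS
        workgroup = PHYSICS
        idmap config * : backend = tdb
"""
# Constructed variant: the numeric range is an illustrative value, not from the post
WITH_RANGE = PAGE_GLOBAL + "        idmap config * : range = 3000-7999\n"

if __name__ == "__main__":
    print(check_idmap(PAGE_GLOBAL))
    print(check_idmap(WITH_RANGE))
```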

