#1012240 winbind does not return AD groups a user is a member of AT ALL, or only one

Package:
winbind
Source:
samba
Description:
service to resolve user and group information from Windows NT servers
Submitter:
Matthew Grant
Date:
2022-06-13 16:39:05 UTC
Severity:
important
#1012240#5
Date:
2022-06-02 04:48:33 UTC
From:
To:
Dear Maintainer,

I have rebuilt samba 4.16.1 packages as I am including a samba INTERNAL DNS
patch, but I have not altered the packaging significantly other than this, and
have not touched winbind.

I have been finding that when I login to the machine using a user from samba AD,
with groups from samba AD, none of those AD groups that user is a member of
show up in the output from the 'groups' command.

Furthermore:

shalom: -root- [/home/admin]
# wbinfo -r grantma
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user grantma

And in the samba logs:

[2022/06/02 16:30:45.687576,  0] ../../source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn)
  open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_ACCESS_DENIED

The above works fine when the samba package is installed along with winbind.

After the call I find that the following programs are running:

shalom: -root- [/home/admin]
# ps -ef | grep samba
root      139564       1  0 16:29 ?        00:00:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=40 --np-helper --debuglevel=0
root      139574  139564  0 16:29 ?        00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=5 --debuglevel=0
root      139576  139564  0 16:29 ?        00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=6 --debuglevel=0
root      139578  139564  0 16:29 ?        00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=7 --debuglevel=0
root      139580  139564  0 16:29 ?        00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=8 --debuglevel=0
root      139583  136857  0 16:29 pts/5    00:00:00 grep samba

When the above binaries' permissions are set by:

shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad

the following happens:

shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad

It appears that winbind needs samba-dcerpcd and rpcd_lsad to function
correctly.  Could these binaries and dependent libraries be moved to the
winbind package please?

Thank you!

Matt Grant

#1012240#10
Date:
2022-06-02 07:38:30 UTC
From:
To:
Just make sure we don't get the opposite problem if smbd is installed
without winbindd.

(I've not checked the deps, but upstream you can still run smbd
without winbindd for a standalone fileserver)

#1012240#15
Date:
2022-06-02 15:37:08 UTC
From:
To:
02.06.2022 10:38, Andrew Bartlett wrote:

Where can one find some information about these new binaries,
how they're being used and by what?

For quite some time I had a standalone machine with smbd & nmbd running
(this is my primary work machine where I build samba and usually experiment
with the newly built binaries).  Usually, systemctl restart smbd nmbd has
been enough. But a few times already I've seen other binaries, something
from /usr/libexec/samba/ - like mentioned in this bugreport before.  I don't
know who started these and why, and why they're left running.

Thanks,

/mjt

#1012240#20
Date:
2022-06-02 16:06:30 UTC
From:
To:
Ask us really, particularly if there isn't a manpage.  This new DCE/RPC
server approach was mentioned in the WHATSNEW, but perhaps not to the
detail you need.

Andrew,

#1012240#25
Date:
2022-06-02 16:41:48 UTC
From:
To:
02.06.2022 19:06, Andrew Bartlett wrote:
..

Andrew, what are these new dce/rpc server processes, where/when they're being
used?  In particular, in context of this bug report, should we split out
some of the new servers into samba-common-bin package for example, so
that winbindd can run them too? (Probably not a good idea for smbclient
which depends on samba-common-bin too).  Also, should these processes
be now killed/restarted together with smbd/nmbd/winbindd?

See the first changelog entry for debian samba 4.16.0 package :)

Thank you!

/mjt

#1012240#30
Date:
2022-06-03 01:00:33 UTC
From:
To:
Hi!

May be best to move the contents of /usr/libexec/samba to samba-libs.

shalom: -admin- [/usr/libexec/samba]
$ dpkg -S `ldd samba-dcerpcd | grep samba | cut -f 1 -d ' '` | cut -f 1 -d ':' | sort | uniq
libwbclient0
samba-libs

If you remove the uniq:

shalom: -admin- [/usr/libexec/samba]
$ dpkg -S `ldd samba-dcerpcd | grep samba | cut -f 1 -d ' '` | cut -f 1 -d ':' | sort | grep samba-libs | wc -l
64

shalom: -admin- [/usr/libexec/samba]
$ dpkg -S `ldd samba-dcerpcd | grep samba | cut -f 1 -d ' '` | cut -f 1 -d ':' | sort | grep libwbclient0 | wc -l
9

Probably the same for the rest of /usr/libexec/samba

Hope this helps.

Matt Grant
Debian Developer

PS: Have a good set up here at home for testing and development.  2 smbd
servers, with 2 samba AD server kvm virtuals, and client kerberos
workstations, all mostly configured using ansible.  Also extensively uses
ZFS.  Mostly use all of this at my employer.

#1012240#35
Date:
2022-06-03 01:08:11 UTC
From:
To:
Or maybe even a new package to untangle dependencies on libwbclient0, named
'samba-libexec', moving the contents of /usr/libexec/samba to samba-libexec?

Otherwise, libwbclient0 ends up being installed when samba-libs is installed
due to depending on samba-libs?

Or far simpler, combine libwbclient0 into samba-libs, and add contents of
/usr/libexec/samba.

Michael, you will have to see what works.

Regards,

Matt Grant

Debian Developer

#1012240#40
Date:
2022-06-03 02:31:49 UTC
From:
To:
libwbclient0 should not depend on anything else in Samba (due to
licence requirements) so if there is a linking reason for this we
should check into this.

There have been regressions in the past, so if only expressed in
packaging this might be historical.

#1012240#45
Date:
2022-06-03 08:10:19 UTC
From:
To:
03.06.2022 05:31, Andrew Bartlett wrote:

I read this like samba-libs uses libwbclient, not like libwbclient
uses samba-libs (would be wrong).

I did move one more library from samba-libs to libwbclient while
packaging 4.16 on debian.

Overall, this is the current content of libwbclient0.deb:

/usr/lib/x86_64-linux-gnu/libwbclient.so.0.15

/usr/lib/x86_64-linux-gnu/libsamba-util.so.0.0.1
/usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libiov-buf-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libreplace-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libsamba-debug-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libsocket-blocking-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libsys-rw-samba4.so.0
/usr/lib/x86_64-linux-gnu/samba/libtime-basic-samba4.so.0

Some of these have been there before. Some (I think it was
just one, can't remember which) were added by me during
4.16 packaging time. One of my todo items about samba states
to review which libs are actually used by which binary and
move them between packages - somewhat similar to how I moved
files between samba-libs and python3-samba packages.  When I
did 4.16 initially I didn't think much about that aspect, b/c
else we'd not have 4.16 now :)

Now when I looked at this, I don't see why libsamba-util.so is
in there at all.  Maybe in 4.13 there was a reason for that,
I don't know the reason for it to be there for 4.16.  The
rest (in /samba/) are ones used by libsamba-utils, it seems.

/mjt

#1012240#50
Date:
2022-06-03 08:12:20 UTC
From:
To:
03.06.2022 04:00, Matt Grant wrote:

No, definitely not. A library is a library, it is multiarch and different
arch must be co-installable.

It might be more appropriate to move these executables to samba-common-bin
as I already mentioned.

But before that I need to understand how/when they're used.  Maybe some day
I will find a time to dig into the code to understand this...

/mjt

#1012240#55
Date:
2022-06-13 07:46:59 UTC
From:
To:
Hi!

Please find attached the patch I made to fix this issue.

It moves the DCE RPC binaries in /usr/libexec/samba into their own package
along with required libs from the samba package creating the
samba-libexec-dcerpc package, and makes samba and winbind depend on it,
thus solving all the issues.

Michael, could you please incorporate this in the sid samba packages you
have created?

Kind Regards,

Matt Grant

#1012240#60
Date:
2022-06-13 07:49:58 UTC
From:
To:
FYI, Tested patch after merging Samba 2:4.16.1+dfsg-8 source build with my
work, so should apply directly to your current source Michael.

#1012240#65
Date:
2022-06-13 07:55:27 UTC
From:
To:
13.06.2022 10:46, Matt Grant wrote:

Thank you for the work Matt!

For the start I really want some comments from the samba folks about where/when these
binaries are supposed to be used.  I understand creating a new package might solve
the immediate issue, based on what we observe now. But without knowledge about how
it is supposed to work, it's difficult to verify if it's done correctly.

And once again, I already suggested moving these binaries to the already existing
samba-common-bin - this will definitely fix the issue too, without us waiting for
the debian NEW queue processing (there's a separate manual procedure in debian each
new binary package has to follow). I'm not convinced a separate binary package is
needed (based on what I observe), - yes, smbclient also uses samba-common-bin, but
so far it's not a problem, it seems.  I might be wrong though.

Thank you!

/mjt

#1012240#70
Date:
2022-06-13 08:18:37 UTC
From:
To:
13.06.2022 10:46, Matt Grant wrote:

Matt, how did you find out the 2 libs -- libRPC-SERVER-LOOP-samba4.so.0 &
libREG-FULL-samba4.so.0 - which can be moved to the new package too, out
of many other libraries in there?

Thanks!

/mjt

#1012240#75
Date:
2022-06-13 09:12:49 UTC
From:
To:
Hi Michael!

For the libraries to move from the samba package, just used the following
command on each rpcd binary in /usr/libexec/samba:

dpkg -S `ldd rpcd_epmapper | grep samba | cut -f 1 -d ' '`

You could put the contents of this new package ( ie
debian/samba-libexec-dcerpc.install) into the  samba-libs package, or
samba-common-bin...  Samba-libs was my first thought if not creating a new
package.

Adding the new samba-libexec-dcerpc package to the archive in my experience
is not much of a problem actually. When I have had to create a fresh
package as part of an already in archive source (no licensing evaluation
needed), the FTP Master team only took a few days to add the new package.
You can email ftpmaster@debian.org ahead of the upload to check how long it
will take them to get on to it, or you can put it through experimental?
Sid is 'unstable' for a reason.

Here is a good reason for the new package:  samba-dcerpcd and rpcd_* are
needed for support binaries for in-kernel ksmbd, though what that will need
exactly will require more fleshing out no doubt.  The new package is a
start. Check the samba-dcerpcd man page, it helped me work out what to put
in the new package, as samba-dcerpcd can call any of the
/usr/libexec/samba/rpcd_* binaries

Hope that all helps.

Matt Grant
Debian Developer




#1012240#80
Date:
2022-06-13 09:14:08 UTC
From:
To:
PS: Also have tested new package and winbind now does work by itself for
getgroups(3) and initgroups(3), ie kerberos logins over ssh work again!

#1012240#85
Date:
2022-06-13 09:24:49 UTC
From:
To:
After thinking about it, putting everything which is
in debian/samba-libexec-dcerpc.install into samba-common-bin would work.

Regards,

Matt Grant
Debian Developer

#1012240#90
Date:
2022-06-13 14:03:14 UTC
From:
To:
13.06.2022 12:12, Matt Grant wrote:

I suspected it was something like that.

The problem here is that the two libs you moved from
samba to the new dcerpc package, are also used by the
samba package itself.  By moving stuff like this, it
is too easy to create a circular dependency, which we
had quite a few in the past.  I placed libs into the
samba package (and to winbind package and some other
cases) *only* when those libs are used by those packages
and not by other packages. The rest of libraries -
the ones which are used by more than a single package -
goes to samba-libs.  Again, maybe I'm wrong there.

Just thought that these libs which are used by a single
package *now*, may be used by more than a single package
in the future, and I should have a way to check for that,
maybe similar to how I check for unneeded inter-package
deps in d/rules already, but for more packages.

BTW, you forgot the manpage for samba-dcerpcd.

For now I moved the executables into samba-common-bin
and the two libs into samba-libs. Let's see how it will
be, maybe we'll create a new package for it.

Thank you for the work and for the inspiration!

/mjt
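
The check wished for in the message above (libraries shipped in one binary package but loaded by another), fed by the `ldd`/`dpkg -S` lookups from the earlier reply, sketched as an added example that is not part of the thread or of Debian's packaging. The `links`/`ships` line format, the function names, the `libhypothetical-*` libraries and the sample linkage are assumptions; on a real system the `ships` lines would come from `dpkg -S`.

```sh
# Added example. Input lines (constructed below):
#   links <package> <binary> <library>   a binary in <package> loads <library>
#   ships <library> <package>            <package> currently ships <library>

# Real-system collector for "links" lines, using the thread's own
# `ldd ... | grep samba` filter. Not called on the sample data.
links_for() {  # $1 = owning package, $2 = path to binary
    ldd "$2" | grep samba |
        awk -v p="$1" -v b="$2" '{ print "links", p, b, $1 }'
}

# Print "<library> <shipping package> <other consumer packages>" for every
# library shipped outside samba-libs that another package also loads.
check_private_libs() {
    awk '
    $1 == "ships" { at[$2] = $3; next }
    $1 == "links" {
        key = $4 SUBSEP $2
        if (!(key in seen)) { seen[key] = 1; users[$4] = users[$4] " " $2 }
    }
    END {
        for (l in users) {
            if (!(l in at) || at[l] == "samba-libs") continue
            n = split(users[l], u, " "); others = sep = ""
            for (i = 1; i <= n; i++)
                if (u[i] != at[l]) { others = others sep u[i]; sep = "," }
            if (others != "") print l, at[l], others
        }
    }' | LC_ALL=C sort
}

# Constructed sample: which binary loads which library is assumed here.
sample_tables() {
    cat <<'EOF'
links samba-common-bin samba-dcerpcd libRPC-SERVER-LOOP-samba4.so.0
links samba-common-bin rpcd_epmapper libREG-FULL-samba4.so.0
links samba smbd libRPC-SERVER-LOOP-samba4.so.0
links samba smbd libREG-FULL-samba4.so.0
links samba smbd libhypothetical-smbd-only.so.0
links winbind winbindd libhypothetical-shared.so.0
links samba smbd libhypothetical-shared.so.0
ships libRPC-SERVER-LOOP-samba4.so.0 samba
ships libREG-FULL-samba4.so.0 samba
ships libhypothetical-smbd-only.so.0 samba
ships libhypothetical-shared.so.0 samba-libs
EOF
}

sample_tables | check_private_libs
```

With the two flagged libraries moved to samba-libs, the check prints nothing.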

#1012240#95
Date:
2022-06-13 15:36:27 UTC
From:
To:
Hi Michael!

OK, see what you are thinking.

Was planning to do just what you did.  Bins into samba-common-bin, libs
into samba-libs.

My bad about samba-dcerpcd.8 man page.

Maybe ksmbd support should be started with all needed bins in
samba-common-bin, and systemctl disabled ksmbd/samba-dcerpcd service
file(s) in samba package or elsewhere.  Some smb.conf settings are
specially needed for ksmbd apparently (samba-dcerpcd.8 manpage)

Regards,

Matt Grant

#1012240#100
Date:
2022-06-13 16:36:53 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012240@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 13 Jun 2022 19:08:44 +0300
Source: samba
Architecture: source
Version: 2:4.16.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 1012240
Changes:
 samba (2:4.16.2+dfsg-1) unstable; urgency=medium
 .
   * new upstream minor/bugfix release.
   * removed waf-add-support-for-GNU-kFreeBSD.patch (applied upstream)
   * new minor version of libldb
     (no code changes, just the build system update to support python 3.11)
   * move samba-dcerpcd from samba package to samba-common-bin due to winbind
     New in 4.16 samba-dcerpcd binary is used by smbd and winbind, so putting
     it to samba package makes winbind unable to run it without samba.
     For now, in order to fix this issue, move this binary from samba to
     samba-common-bin package. It might be worth creating its own package
     for this binary (or maybe some more binaries), once it is clear where
     upstream is going to.  Making this binary a part of samba-common-bin
     adds some more files to smbclient-only setup.
     (Closes: #1012240)
   * remove mksmbpasswd script and manpage: we have smbpasswd which can add
     entries to smbpasswd file if needed, and can handle other password storage
     formats too