Dear colleagues, Yesterday I upgraded to samba (from 2:4.8.5+dfsg-1 to 2:4.9.1+dfsg-2) and had a similar issue, after the upgrade samba would not start, breaking the 'apt-get dist-upgrade' at the end. To fix it I had to run 'net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin' and restart the smbd service.
Note that: - The issue was not detected by testparm - Smbd would not start, nmbd and winbind would restart properly - My smb.conf is very similar to the standard default one provided in the package already (if you want a copy let me know) Reviewing the upgrade information here is some relevant output: ______________________________________________ $ apt-get dist-upgrade (....) Preparing to unpackage .../0256-samba-common_2%3a4.9.1+dfsg-2_all.deb ... Unpackaging samba-common (2:4.9.1+dfsg-2) over (2:4.8.5+dfsg-1) ... (...) Configuring samba-common-bin (2:4.9.1+dfsg-2) ... Checking smb.conf with testparm Load smb config files from /etc/samba/smb.conf WARNING: The "syslog" option is deprecated Loaded services file OK. Server role: ROLE_STANDALONE Done (...) Configuring samba (2:4.9.1+dfsg-2) ... Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service Please ignore the following error about deb-systemd-helper not finding those services. (samba-ad-dc.service already masked) Job for smbd.service failed because the control process exited with error code. See "systemctl status smbd.service" and "journalctl -xe" for details. invoke-rc.d: initscript smbd, action "restart" failed. (...) ______________________________________________ This is from /var/log/samba/smbd.log: ______________________________________________ 2018/11/11 02:36:13.835610, 0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest) create_local_token failed: NT_STATUS_ACCESS_DENIED [2018/11/11 02:36:13.836169, 0] ../source3/smbd/server.c:2000(main) ERROR: failed to setup guest info. _____________________________________________ After looking for similar problems I found RedHat Bug #1648399 (https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1648399) which points to the folowing thread in the Samba mailing list: https://lists.samba.org/archive/samba-technical/2018-September/130377.html And apparently boils down to the following change in Samba and the fact that the BUILTIN\Guests group is not mapped to a proper Unix user : ______________________________________________ With 4.9.0 we expanded guest handling to differentiate between anonymous and guest sessions. This required a proper handling of BUILTIN\Guests and thus is now forces to be able to have either writable backend or aliases configured properly. ______________________________________________ The action proposed in the bug reported, worked for me, and is the following: ______________________________________________ # net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin Successfully added group nobody to the mapping db as a wellknown group ______________________________________________ Maybe this action should be added into the postinst? (after checking if the group is not mapped properly?) Regards Javier