Samba failed to start

[nodrock]

Hello,

I was reinstalling samba module and I got this error:

An internal error has occurred. This is most probably a bug, relevant information can be found in the logs. Please look for the details in the /var/log/zentyal/zentyal.log file and take a minute to submit a bug report so we can fix the issue as soon as possible.

/var/log/zentyal/zentyal.log:
2012/11/28 19:50:32 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: dns
2012/11/28 19:50:32 WARN> DNS.pm:1445 EBox::DNS::_launchNSupdate - Cannot contact with named, trying in posthook
2012/11/28 19:50:32 WARN> DNS.pm:1445 EBox::DNS::_launchNSupdate - Cannot contact with named, trying in posthook
2012/11/28 19:50:34 ERROR> Sudo.pm:233 EBox::Sudo::_rootError - root command nsupdate -l -t 10 /var/lib/zentyal/tmp/9tgUqZfv_W failed.
Error output: update failed: NOTAUTH

Command output: .
Exit value: 2

Could you please help me?

[btzmacin]

Bump.  Same exact VERY SIMILAR issue.  See log appended to bottom of post.

I thought my install had been irrevocably borked by the repo snafu before (which is indeed FIXED!!) but upon a fresh reinstall (Ubuntu Server LTS first, then zenbuntu-desktop) I can't even get through initial install process without the "status is unknown" message showing up on the webend.

I depend heavily on SMB for various projects, and what was supposed to be an easy server-swap that only took a night is now going on 24 hours sans-SMB. 

Log:

Code: [Select]

2012/12/07 21:40:15 ERROR> Software.pm:237 EBox::Software::__ANON__ - Error updating package list
2012/12/07 21:40:28 INFO> notify-job:62 EBox::RemoteServices::Job::Notifier::__ANON__ - Job 12 finished with exit value 0 CC will be notified
2012/12/07 21:40:31 INFO> notify-job:62 EBox::RemoteServices::Job::Notifier::__ANON__ - Job 5 finished with exit value 0 CC will be notified
2012/12/07 21:45:01 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 21:46:23 INFO> GlobalImpl.pm:604 EBox::GlobalImpl::saveAllModules - Saving config and restarting services: network dhcp events openvpn samba firewall dns
2012/12/07 21:46:23 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: network
2012/12/07 21:46:23 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: dhcp
2012/12/07 21:46:24 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: events
2012/12/07 21:46:24 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: openvpn
2012/12/07 21:46:24 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: samba
2012/12/07 21:46:26 INFO> Samba.pm:838 EBox::Samba::provisionAsDC - Provisioning database '/usr/bin/samba-tool domain provision  --domain='VALDES' --workgroup='VALDES' --realm='VALDES.HOME.LAN' --dns-backend=BIND9_DLZ --use-xattrs=yes  --use-rfc2307  --server-role='dc' --users='__USERS__' --host-name='valdesserver' --host-ip='192.168.1.1''
2012/12/07 21:46:27 WARN> EventDaemon.pm:177 EBox::EventDaemon::__ANON__ - Error executing run from EBox::Event::Watcher::Updates: Can't call method "mtime" on an undefined value at /usr/share/perl5/EBox/Util/Software.pm line 47.
2012/12/07 21:46:32 INFO> Samba.pm:859 EBox::Samba::provisionAsDC - Setting password policy
2012/12/07 21:46:33 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: dns
2012/12/07 21:46:33 WARN> DNS.pm:1494 EBox::DNS::_launchNSupdate - Cannot contact with named, trying in posthook
2012/12/07 21:46:33 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2012/12/07 21:46:35 ERROR> Sudo.pm:233 EBox::Sudo::_rootError - root command nsupdate -l -t 10 /var/lib/zentyal/tmp/GixwPLiq4B failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2012/12/07 21:46:35 ERROR> GlobalImpl.pm:642 EBox::GlobalImpl::__ANON__ - Failed to save changes in module samba: root command nsupdate -l -t 10 /var/lib/zentyal/tmp/GixwPLiq4B failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2012/12/07 21:46:35 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: firewall
2012/12/07 21:46:36 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: dns
2012/12/07 21:46:36 ERROR> Sudo.pm:233 EBox::Sudo::_rootError - root command nsupdate -l -t 10 /var/lib/zentyal/tmp/rODjP5qWO_ failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2012/12/07 21:46:37 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2012/12/07 21:46:38 ERROR> Sudo.pm:233 EBox::Sudo::_rootError - root command nsupdate -l -t 10 /var/lib/zentyal/tmp/GixwPLiq4B failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2012/12/07 21:46:38 ERROR> GlobalImpl.pm:642 EBox::GlobalImpl::__ANON__ - Failed to save changes in module dns: root command nsupdate -l -t 10 /var/lib/zentyal/tmp/GixwPLiq4B failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2012/12/07 21:46:38 ERROR> GlobalImpl.pm:699 EBox::GlobalImpl::saveAllModules - The following modules failed while saving their changes, their state is unknown: samba dns
2012/12/07 21:50:02 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 21:50:02 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 21:55:01 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 22:00:02 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 22:00:02 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 22:00:02 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 22:05:01 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 22:10:02 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server
2012/12/07 22:10:02 INFO> Redis.pm:509 EBox::Config::Redis::_initRedis - Starting redis server


[btzmacin]

Got it working!

Apparmor was preventing bind9 from reading stuff.  In my case it was ldap.conf and session.key

look at /var/log/syslog at the time when zentyal.log says "restarting...dns", find any messages from kernel or apparmor that have "DENIED" in allcaps.  Look at all the lines, paying special attention to the operation - in my case, "open" - the target file, and at the end the type/class/whatever of action (e.g., 'r' for read, 'w' for write...or 'rw' - self explanatory).

When you've got all that straight, add the applicable rules to /etc/apparmor.d/usr.sbin.named
What I did was just add lines to allow reading in the whole directories where the "DENIED" files reside since all the other rules in the config file were in that format.

I do NOT have any prior experience with apparmor, only just having learned of its existence in the troubleshooting of this issue so I'm sorry if what I did is somehow taboo, or if there's a more proper way to do this than what I've suggested.  I'm just trying to help the next schmoe who comes around confused like I was for the past few hours, since there's no other documentation for this issue in a single place.  If someone with actual experience and/or legitimate programming talent can possibly provide more correct, specific, or concise direction for how to fix/workaround this - please do so!!



ps: Thanks to the dev team for making such good stuff!!

[Barrydocks]

@btzmacin

Thanks for this, I have experienced exactly the same problem.  I simply un-installed apparour which solved the problem.

Please can you explain in a little more detail what changes you made to the apparour profiles to get things working?

Thanks

[stuartiannaylor]

Apparmor is an selinux like system security run on profiles.

Its not needed for a working system.

Just google ubuntu apparmor disable and that will allow all services to start without need for addition.

[half_life]

But why disable apparmor if the solution is apparent? While apparmor is not needed for a working system, it does indeed help protect a server. 

[stuartiannaylor]

Whilst bug checking a common approach is a process of elimination. You remove completely so that you know and have absolutely no doubts that the removed process has any effect. You keep doing this until you get to hopefully a minimal working system then you build back up until the error reappears.

You will find that many dev's and bugcheckers don't run production protection methods whilst bug checking or developing.

[Sand_man]

Thanks, too, to suffer with this problem. Disabling Apparmor saved me.

[Mahmood]

Excellent !!!
Worked for me too....

Just for note who want to update the Apparmor profile and get it work.
 
Modify the file "/etc/apparmor.d/usr.sbin.named", so that files7directories should have flags as follows (you might need to add few more based on your installation):

  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** rw,
  /var/cache/bind/ rw,
  /etc/ldap.conf r,
  /var/run/named/ rw,
  /var/run/named/** rw,
  /usr/sbin/ r,
  /usr/sbin/** r,
  /etc/ldap/ r,
  /etc/ldap/** r,
  /usr/sbin/ r,
  /usr/sbin/** r,
  /run/named/ r,
  /run/named/** r,


Best of luck.

[Barrydocks]

Alternatively use the command:

Code: [Select]

aa-logprofAnd use Allow for the options given.

Then try to restart samba again

[vinny74]

Alternatively use the command:

Code: [Select]

aa-logprofAnd use Allow for the options given.

Then try to restart samba again

THANKS