# Cannot start Samba4 from jail



## breefsd (Apr 29, 2013)

Hello,

I'm trying to run Samba4 (version 4.0.4) as an AD Domain Controller from a FreeBSD jail (FreeBSD 9.1) so I am following this HowTo:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
but after configuring Samba with `samba-tool domain provision`, I'm not able to start Samba deamons (trying to start with "samba4" command from the jail).

When I query `/.../rc.d/samba4 status` I get the message "Samba4 is not running".  Samba4 is enabled in rc.conf.

I installed Samba for the first time, not any previous version.

Here is `ifconfig` (on em0) result from the host:

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:cd:8a:4a
	inet 192.168.33.140 netmask 0xffffff00 broadcast 192.168.33.255
	inet6 fe80::20c:29ff:fecd:8a4a%em0 prefixlen 64 scopeid 0x1 
	inet 192.168.33.120 netmask 0xffffffff broadcast 192.168.33.120
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
```

The jail has 192.168.33.120.

The smb4.conf (generated by samba-tool except for interfaces and bind interfaces only) is as follows:

```
# Global parameters
[global]
	workgroup = SECRETNAME
	realm = SECRETNAME.SECRETDOMAIN.FR
	netbios name = SECRET_JAIL
	server role = active directory domain controller
	interfaces = em0, 192.168.33.120
	bind interfaces only = yes
	dns forwarder = 192.168.33.140

[netlogon]
	path = /var/db/samba4/sysvol/secretname.secretdomain.fr/scripts
	read only = No

[sysvol]
	path = /var/db/samba4/sysvol
	read only = No
```

The DNS forwarder is my host (DNS with BIND).

Here are the logs generated when attempting to start Samba:
log.samba

```
task_server_terminate: [kdc failed to setup interfaces]
[2013/04/29 17:55:59,  0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.0.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/04/29 17:56:00,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/04/29 17:56:00,  0] ../source4/nbt_server/interfaces.c:228(nbtd_add_socket)
  Failed to bind to 192.168.33.120:137 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/04/29 17:56:00,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [nbtd failed to setup interfaces]
[2013/04/29 17:56:01,  0] ../source4/smbd/server.c:210(samba_terminate)
  samba_terminate: nbtd failed to setup interfaces
```

and log.smbd is empty.

I don't understand what the problem is...:x

Thanks.


----------



## Sylhouette (Apr 29, 2013)

What does it do if you set this.

```
interfaces = em0
```
The error says failed to bind to 192.168.33.120. So I guess that it binds to that IP address already through em0 and then again tries it on the IP address and then fails.

Regards
Johan


----------



## breefsd (Apr 30, 2013)

Hello,

I set 
	
	



```
interfaces = em0
```
 but the problem is still the same...

However I tried to disable pf in host, this time the log.smbd is not empty:

```
[2013/04/30 10:54:31,  0] ../source3/smbd/server.c:1200(main)
  smbd version 4.0.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
```

I guess there is something more to enable in pf even though I open ports as it's recommended in Samba official website (that is UDP 137,138 and TCP 139,445).

But even with pf turned off Samba doesn't start and the log.samba is still the same.

Any idea?


----------



## breefsd (May 2, 2013)

I also tried to set 

```
interfaces = 192.168.33.120
```

This time I don't have errors on log.samba and log.smbd is empty.

log.samba is as follow*s*:

```
[2013/05/02 15:21:43,  0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.0.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/05/02 15:21:43,  0] ../source4/smbd/server.c:461(binary_smbd_main)
  At this time the 'samba' binary should only be used for either:
  'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = remote'
  You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks
```

It says that Samba is started but I still have `/.../rc.d/samba4 status` saying Samba is not running...

Someone to help me?
Thanks.


----------



## mix_room (May 3, 2013)

Did you install from ports? net/samba4 If not, deinstall and reinstall from ports and then try again. 

I would also try dropping all the interface statements to see what happens.

It seems as though some other process is already binding to the ports you want to have. Is anything else running that might be using that port?


----------



## breefsd (May 7, 2013)

Yes I installed Samba4 from net/samba4 with `make install` because I was not able to fetch any net/samba4 from FTP (my package site is ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.1-release/Latest/).

I already tried to start Samba without interfaces statements, the result was exactly the same. I don't have any other process using the ports used by Samba on any interface. Here is my rc.conf in the jail, maybe I should add something?


```
# Pretuned by German Engineers

# No network interfaces in jails
network_interfaces=""

# Prevent rpc
rpcbind_enable="NO"

# Prevent loads of jails doing their cron jobs at the same time
cron_flags="$cron_flags -J 15"

# Prevent syslog to open sockets
syslogd_flags="-ss"

# Prevent sendmail to try to connect to localhost
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Bring up sshd, it takes some time and uses some entropy on first startup
# sshd_enable="YES"

#SAMBA
samba4_enable="YES"
```

*T*hank you.


----------



## mix_room (May 11, 2013)

Out of curiosity, when you say that you run `/../rc.d/samba4`, while file are you actually running*?*. Maybe the error is somewhere there.


----------



## breefsd (May 11, 2013)

`/usr/local/etc/rc.d/samba4`


----------



## breefsd (May 21, 2013)

*H*as anyone known the same issue? I tried to install Samba4 on the host (rather than directly in the jail) and I managed to make Samba4 work in this case. So I think the problem is related to the jail but I really do not know what it is.

The only thing I know is that Samba seems to believe ports are already busy but I am sure not any port is used within the jail x(


----------



## mix_room (May 22, 2013)

breefsd said:
			
		

> The only thing I know is that Samba seems to believe ports are already busy but I am sure not any port is used within the jail x(



If the host is already listening to them, and has not restricted that to not include the jail IP, then the jail won't be able to get them.
You should try finding out if anything is listening on the host as well.


----------



## breefsd (May 23, 2013)

Here is `sockstat -4L` result from the host (return nothing from the jail):


```
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sshd       861   3  tcp4   192.168.33.140:22     *:*
_ntp     ntpd       819   4  udp4   192.168.33.140:26618  88.190.17.126:123
_ntp     ntpd       819   6  udp4   192.168.33.140:123    *:*
_ntp     ntpd       819   9  udp4   192.168.33.140:25273  88.191.227.26:123
_ntp     ntpd       819   10 udp4   192.168.33.140:53939  88.190.19.201:123
_ntp     ntpd       819   11 udp4   192.168.33.140:59858  195.83.66.158:123
bind     named      774   20 tcp4   192.168.33.140:53     *:*
bind     named      774   512 udp4  192.168.33.140:53     *:*
bind     named      774   514 udp4  192.168.33.140:53000  *:*
root     syslogd    679   8  udp4   192.168.33.140:514    *:*
```

So I don't see why port 137 should not be available on 192.168.33.120?

Thanks.


----------



## nORKy (Jun 4, 2013)

Hi,

I use a jail with an IP alias. I have the same issue, not solved. I have the same error about nbtd.


----------



## breefsd (Jun 4, 2013)

Hi,

*W*ithout any solution for the moment I have decided to install Samba on a dedicated virtual host, but I think the issue lies in the fact there is no 127.0.0.1 in the jail, because I noticed Samba needs for it. To make Samba work correctly on my host I must have a loopback interface else I get many errors. I don't understand how Samba works but I'm not sure you can run it without 127.0.0.1. Feel free to update the thread in case you achieve making Samba run from jail!

*R*egards.


----------



## nORKy (Jun 6, 2013)

Hi, it works now for me. Put this in your smb4.conf

```
server services = rpc,wrepl,ldap,cldap,kdc,drepl,winbind,ntp_signd,kcc,dnsupdate,dns,smb
```


----------



## breefsd (Jun 6, 2013)

Ok thanks,

*S*o what did you set about "interfaces" statements in your smb4.conf? And in your resolv.conf if you use "SAMBA_INTERNAL" DNS configuration?


----------



## fbsd1 (Jun 9, 2013)

That sure looks like ezjail created your jail. You need to add an alias for the jail*'*s *IP* address to the host*'*s interface and copy your host*'*s /etc/resolv.conf file to the each jail.


----------



## nORKy (Jun 18, 2013)

breefsd said:
			
		

> Ok thanks,
> 
> *S*o what did you set about "interfaces" statements in your smb4.conf? And in your resolv.conf if you use "SAMBA_INTERNAL" DNS configuration?




Nothing special. I set my jail's IP in my in smb4.conf and 127.0.0.1 in my resolv.conf.


----------



## breefsd (Jun 19, 2013)

> I set my jail's IP in my in smb4.conf


So something to custom in smb4.conf about interfaces. Strange, I don't have any 127.0.0.1 on my jail (because I set it with ezjail?). I just have a loopback lo1 on my jail's IP. I think in this case you have to add the jail's IP in resolv.conf.

I tried to set this statement in Samba running on a real host (not a jail):

```
server services = rpc,wrepl,ldap,cldap,kdc,drepl,winbind,ntp_signd,kcc,dnsupdate,dns,smb
```

So it seems the "smb" service is the difference from the default statement:

```
Default: server services = [B]s3fs[/B] rpc [B]nbt[/B] wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns
```

But although Samba was running I had troubles with shares (I was not able to access my shares from Windows clients anymore).  So make sure your Samba services work properly from your jail.

Thanks.


----------



## gkontos (Aug 17, 2013)

I don't know if you ever really solved the problem. I am facing a similar issue with net/samba4 in a jail:


```
[2013/08/17 12:32:57,  0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.0.8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/08/17 12:32:57,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/08/17 12:32:57,  0] ../source4/cldap_server/cldap_server.c:134(cldapd_add_socket)
  Failed to bind to ipv4:10.1.1.109:389 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/08/17 12:32:57,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [cldapd failed to setup interfaces]
[2013/08/17 12:32:57,  0] ../source4/kdc/kdc.c:690(kdc_add_socket)
  Failed to bind to 10.1.1.109:88 UDP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/08/17 12:32:57,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [kdc failed to setup interfaces]
[2013/08/17 12:32:57,  0] ../source4/smbd/server.c:210(samba_terminate)
  samba_terminate: cldapd failed to setup interfaces
```


```
# Global parameters
[global]
        workgroup = RDU
        realm = RDU.US.DOMAIN.NET
        netbios name = JSF00011
        server role = active directory domain controller
        dns forwarder = 10.1.1.200
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc

[netlogon]
        path = /var/db/samba4/sysvol/rdu.us.domain.net/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No
```

 There is no other service in the host listening on port 389.

Any ideas?


----------



## breefsd (Aug 21, 2013)

I managed to run Samba on the jail but randomly and I faced many other issues with Samba4 (and/or Windows protocols perhaps...), I keep using Samba4 - 4.0.4 on my host (not in the jail) for the moment because it works quite properly.

I suppose Samba4 is still very new for the moment and I can find hardly *any* documentation on the web... All I'm able to tell is that I must use GPOs with "Windows remote server management tools" to properly use Samba4 - 4.0.4 with my Windows clients. I have not tested latest versions so far.

So I guess people are waiting for Samba4 to be more tested and "released" before really using it!

Good luck.


----------



## gkontos (Aug 22, 2013)

The solution that worked for me was to remove nbt from the services. It works absolutely fine now.


----------

