There are still some issues with the *.system files, so we don't install them.

* https://bugzilla.samba.org/show_bug.cgi?id=13184
* https://wiki.samba.org/index.php/Managing_the_Samba_AD_DC_Service_Using_Systemd
  i.e. on Samba/AD DCs we would have to do this:
    systemctl mask smbd winbind
    systemctl disable smbd winbind
    systemctl --system daemon-reload
* Sometimes the samba-ad-dc.service and nmbd.service files take about a minute
  to stop the service
* Currently we run nmbd as separate process.
  We should probably switch to the builtin service "nbt" as some point.

Bug #45326

diff --git a/debian/ctdb.install b/debian/ctdb.install
index 484fc67..2ba914c 100755
--- a/debian/ctdb.install
+++ b/debian/ctdb.install
@@ -4,7 +4,6 @@ ctdb/config/ctdb.tunables etc/ctdb
 ctdb/config/script.options etc/ctdb
 etc/ctdb
 etc/sudoers.d
-[linux-any] lib/systemd/system/ctdb.service
 usr/bin/ctdb
 usr/bin/ctdb_diagnostics
 usr/bin/ltdbtool
diff --git a/debian/rules b/debian/rules
index 05122e3..eaf59a7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -73,7 +73,7 @@ config-args = \
 	--with-socketpath=/run/ctdb/ctdbd.socket \
 	--with-logdir=/var/log/ctdb \
 
-ifeq (${DEB_HOST_ARCH_OS}, linux) # extra linux-specific features
+ifeq (${DEB_HOST_ARCH_OS}, ucs-future) # extra linux-specific features
 with-glusterfs = yes
 with-ceph = yes
 with-snapper = yes
@@ -236,7 +236,7 @@ override_dh_auto_install-arch:
 	install -p -m755 debian/update-apparmor-samba-profile -t debian/tmp/usr/share/samba/
 	install -Dp -m0644 debian/samba.ufw.profile debian/tmp/etc/ufw/applications.d/samba
 	install -Dp -m0644 debian/source_samba.py -t debian/tmp/usr/share/apport/package-hooks/
-ifeq ($(DEB_HOST_ARCH_OS), linux)
+ifeq ($(DEB_HOST_ARCH_OS), ucs-future)
 # Services fixups. Historically, debian used smbd, nmbd and samba-ad-dc service names.
 # Upstream samba used names smb, nmb and samba.
 # We can not easily rename them now (need to rename possible overrides and drop-ins),
diff --git a/debian/samba.install b/debian/samba.install
index 65a8600..8402d74 100755
--- a/debian/samba.install
+++ b/debian/samba.install
@@ -1,8 +1,5 @@
 #!/usr/bin/dh-exec --with-scripts=filter-arch,filter-build-profiles
 etc/ufw/applications.d/samba
-[linux-any] lib/systemd/system/nmb*.service
-[linux-any] lib/systemd/system/samba*.service
-[linux-any] lib/systemd/system/smb*.service
 usr/bin/dumpmscat
 usr/bin/mvxattr
 usr/bin/oLschema2ldif
diff --git a/debian/winbind.install b/debian/winbind.install
index 490d2b8..a2a406c 100755
--- a/debian/winbind.install
+++ b/debian/winbind.install
@@ -1,5 +1,4 @@
 #!/usr/bin/dh-exec --with-scripts=filter-arch,filter-build-profiles
-[linux-any] lib/systemd/system/winbind.service
 <pkg.samba.mitkrb5> usr/lib/*/samba/krb5/winbind_krb5_localauth.so
 <pkg.samba.mitkrb5> usr/share/man/man8/winbind_krb5_localauth.8
 usr/bin/ntlm_auth
diff --git a/debian/samba.postinst b/debian/samba.postinst
index ceb0b641100..c1c2b7e3fef 100644
--- a/debian/samba.postinst
+++ b/debian/samba.postinst
@@ -6,12 +6,12 @@ nmbd_error_handler() {
     if [ -d /sys/class/net/lo ] && ls /sys/class/net | grep -qv ^lo$; then
         # https://bugs.debian.org/893762
         echo 'WARNING: nmbd failed to start as there is no non-loopback interfaces available.'
-        echo 'Either add an interface or set "disable netbios = yes" in smb.conf'
+        echo 'Either add an interface or set "disable netbios = yes" in smb.conf and run "systemctl mask nmbd"'
         return 0
     elif command -v ip > /dev/null && ip a show | grep '^[[:space:]]*inet ' | grep -vq ' lo$'; then
         # https://bugs.debian.org/859526
         echo 'WARNING: nmbd failed to start as there is no local IPv4 non-loopback interfaces available.'
-        echo 'Either add an IPv4 address or set "disable netbios = yes" in smb.conf'
+        echo 'Either add an IPv4 address or set "disable netbios = yes" in smb.conf and run "systemctl mask nmbd"'
         return 0
     else
         echo 'ERROR: nmbd failed to start.'
@@ -19,6 +19,38 @@ nmbd_error_handler() {
     fi
 }
 
+mask_services() {
+    local reason="$1"
+    shift
+    local masked_count=0
+    mkdir -p /etc/systemd/system
+    echo "${reason}: Masking $*"
+    echo "Please ignore the following error about deb-systemd-helper not finding those services."
+    while true; do
+        local service_name="$1"
+        if [ -z "$service_name" ]; then
+            break
+        fi
+        shift
+        if [ ! -e "/etc/systemd/system/${service_name}" ]; then
+            ln -s /dev/null "/etc/systemd/system/${service_name}"
+            echo "(${service_name} masked)"
+            masked_count=$((masked_count+1))
+        elif [ -h "/etc/systemd/system/${service_name}" ] \
+            && [ "$(realpath /etc/systemd/system/${service_name})" = /dev/null ] \
+        ; then
+            echo "(${service_name} already masked)"
+        else
+            echo "WARNING ${service_name} should be masked. The install may fail."
+        fi
+    done
+    # In case this system is running systemd, we make systemd reload the unit files
+    # to pick up changes.
+    if [ "${masked_count}" -ge 1 -a -d /run/systemd/system ] ; then
+        systemctl --system daemon-reload >/dev/null || true
+    fi
+}
+
 # We generate several files during the postinst, and we don't want
 #	them to be readable only by root.
 umask 022
@@ -31,15 +63,29 @@ then
     [ -d $dir ] || install -d -m 1770 -g sambashare $dir
 fi
 
-# in 4.17.4+dfsg-3 we stopped masking services, unmask them here
-if [ configure = "$1" ] && dpkg --compare-versions "$2" lt-nl 2:4.17.4+dfsg-3~
-then
-    for s in nmbd smbd samba-ad-dc; do
-	if [ /dev/null = $(realpath /etc/systemd/system/$s.service) ]
-	then
-	    rm -f /etc/systemd/system/$s.service
-	fi
-    done
+mkdir -p /run/samba # shut up [samba-tool] testparm warning
+
+# mimic source4/smbd/server.c and mask service before it fails
+# NB: server role = active directory domain controller is what we need to properly support
+# NB: server services = smb is not compiled in
+# NB: dcerpc endpoint servers = remote is for developpement
+# NB: dcerpc endpoint servers = mapiproxy is for OpenChange which is dead
+SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1`
+SERVER_SERVICES=`samba-tool testparm --parameter-name="server services"  2>/dev/null | tail -1`
+DCERPC_ENDPOINT_SERVERS=`samba-tool testparm --parameter-name="dcerpc endpoint servers"  2>/dev/null | tail -1`
+DISABLE_NETBIOS=`samba-tool testparm --parameter-name="disable netbios"  2>/dev/null | tail -1`
+
+if [ "$SERVER_ROLE" != "active directory domain controller" ] \
+        && ( echo "$SERVER_SERVICES" | grep -qv '\(^\|, \)smb\(,\|$\)' ) \
+        && ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)remote\(,\|$\)' ) \
+        && ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)mapiproxy\(,\|$\)' ) \
+; then
+    mask_services "Samba is not being run as an AD Domain Controller" samba-ad-dc.service
+fi
+if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
+    mask_services "Samba is being run as an AD Domain Controller" smbd.service # Not in UCS: nmbd.service
+elif [ "$DISABLE_NETBIOS" = Yes ]; then
+    mask_services "NetBIOS is disabled" nmbd.service
 fi
 
 # remove old spool directory (point it to /var/tmp if in use)