Web lists-archives.com

Re: [Samba] Samba 4.6.2 member server errors




Hi Louis,

On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:

Hai,

You googled with the wrong words i think.

I have no problem believing that. :-)

1 search, 6 words. 4e link and 5e link, for explanation and solution.  ;-)
Based on your question, what i experianced and what i found with google.

https://support.oneidentity.com/authentication-services/kb/92515
Dont look at the product here, but its an exact match on the error code.
They say, source of the problem is AD out of sync.

And now im thinking, i had such a problem also due to an out of sync AD database.
Here/how the out of sync happend i never found out.
Can you check if you DC's are in sync?

The other i found
https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
Is a problem in the keytab files, and, i did replace my keytab file, which solved 90% of my problem.
The 10% left over problem, a nfs keytab caching related thing, only involved my user account, so low prio for me.
Here the solution is to replace all keytab files. I did only the member server.
And that verifies it to me.

I appreciate the information but I am confused. The above articles talk about this
being a krb5.keytab issue. This is confusing to me because the errors occur on a
Samba AD member server not either of the DC's.

There is no keytab on the member servers.

I do not know if it matters but all of the machines are Centos 7.4. The DC's are
compiled from source using the 4.7.0 tarball but the member servers are using the
4.6.2-11 rpms supplied with Centos 7.4.

So i dont have an exact solution, only one big advice,
if you upgrade make sure you db replication is in sync and you checked all ADDC Db's.

So are you saying this is a DC problem even though the errors only occur on a
member server?

Regards,

--
Tom			me@xxxxxxxxxx


-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Tom
Diehl via samba
Verzonden: donderdag 12 oktober 2017 7:01
Aan: samba@xxxxxxxxxxxxxxx
Onderwerp: [Samba] Samba 4.6.2 member server errors

Hi,

I have 2 samba AD DC's running 4.7.0 and 2 member servers
running 4.6.2.

Everything seems to be working OK except that I see the
following errors
over and over again in the winbind log on one of the member servers:

[2017/10/12 00:53:52.351095,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt
integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt
integrity check failed (-1765328353)
[2017/10/12 00:53:54.588468,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt
integrity check failed (-1765328353)

Can someone tell me what this means and if I should
troubleshoot this further?

My Google foo has not been helpful.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba