
Re: [Samba] Samba 4.6.2 member server errors




Hi,

On Fri, 13 Oct 2017, L.P.H. van Belle via samba wrote:

Hai,

I'll explain a bit.

-----Original message-----
From: me@xxxxxxxxxx [mailto:me@xxxxxxxxxx]
Sent: Thursday 12 October 2017 19:15
To: L.P.H. van Belle
CC: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Samba 4.6.2 member server errors

Hi Louis,

On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:

Hai,

You googled with the wrong words, I think.

I have no problem believing that. :-)

1 search, 6 words. 4th link and 5th link, for explanation and
solution.  ;-)
Based on your question, what I experienced and what I found
with Google.

https://support.oneidentity.com/authentication-services/kb/92515
Don't look at the product here, but it's an exact match on
the error code.
They say the source of the problem is AD being out of sync.

And now I'm thinking, I had such a problem also due to an
out-of-sync AD database.
How the out-of-sync state happened I never found out.
Can you check if your DCs are in sync?

The other one I found

https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
is a problem in the keytab files, and I did replace my
keytab file, which solved 90% of my problem.
The 10% left-over problem, an NFS keytab caching related
thing, only involved my user account, so low prio for me.
Here the solution is to replace all keytab files. I did
only the member server.
And that verifies it to me.

I appreciate the information but I am confused. The above
articles talk about this being a krb5.keytab issue. This is
confusing to me because the errors occur on a Samba AD
member server, not on either of the DCs.

Ok, I'm not a star at explaining in English.

You do OK with English, I just do not understand Kerberos. :-)

Look at this picture. It shows how Kerberos tickets work.
https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )


Now look at this one
https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
That's the user/computer login.
And if I'm correct, your problem is the system key on the member,
due to an out-of-sync password between AD and the member server.

You might be correct. I just noticed that the AD administrator's password had
expired. I went into AD and set it to never expire so I was able to
login again. I am wondering if that has anything to do with this problem?

If you are correct, how do I get the systemkey on the member server back
in sync with AD?

There is no keytab on the member servers.

Ok, can you post your smb.conf?
Because without it, it is a guessing game at this point.

Sorry for not doing that from the beginning. Here it is:

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.MYDOMAIN.com.COM

    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:unix_nss_info = yes
    idmap config SAMDOM:range = 10000-999999
    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no
    username map = /etc/samba/user.map
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    log file = /var/log/samba/%m.log
    log level = 2
    deadtime = 5

[accounting]
    comment = Accounting Share
    path = /home/samba/accounting
    readonly = no

There are other shares but they are all configured the same way as above.

Regards,

--
Tom			me@xxxxxxxxxx


-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Tom
Diehl via samba
Sent: Thursday 12 October 2017 7:01
To: samba@xxxxxxxxxxxxxxx
Subject: [Samba] Samba 4.6.2 member server errors

Hi,

I have 2 Samba AD DCs running 4.7.0 and 2 member servers
running 4.6.2.

Everything seems to be working OK except that I see the
following errors over and over again in the winbind log on
one of the member servers:

[2017/10/12 00:53:52.351095,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:54.588468,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)

Can someone tell me what this means and if I should
troubleshoot this further?

My Google foo has not been helpful.
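The mechanism Louis describes above (the DC signs the PAC with the member's current machine-account key, and winbind on the member re-checks that signature with the key it holds in secrets.tdb) can be shown with a small simulation. This is an added example, not Samba code or anything from the thread: the keyed checksum is a plain HMAC-SHA-256 stand-in for the Kerberos keyed checksum a real PAC carries, the `machine_key()` derivation is a made-up stand-in for real string-to-key, and the sample log text is constructed from the lines Tom posted. The one hard fact it encodes is that -1765328353 is the MIT krb5 code KRB5KRB_AP_ERR_BAD_INTEGRITY (error-table base -1765328384 plus 31), which libkrb5 renders as "Decrypt integrity check failed".

```python
"""Decode the krb5 error winbind logs and simulate the PAC server-checksum
check failing when the member's stored machine password no longer matches AD.
Added example; checksum and key derivation are simplified stand-ins."""
import hashlib
import hmac
import re

# MIT krb5 error table: code = ERROR_TABLE_BASE_krb5 + offset.
KRB5_ERROR_BASE = -1765328384
KRB5_ERRORS = {
    0: "KRB5KDC_ERR_NONE",
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",  # "Decrypt integrity check failed"
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
    41: "KRB5KRB_AP_ERR_MODIFIED",
}


def krb5_error_name(code: int) -> str:
    """Map a signed krb5 error code (as winbind prints it) to its symbolic name."""
    return KRB5_ERRORS.get(code - KRB5_ERROR_BASE, f"UNKNOWN({code})")


# --- winbind log parsing: a record is a "[ts, level] file:line(func)" header
# --- followed by an indented message line ending in "(code)".
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)")
CODE_RE = re.compile(r"\((-?\d+)\)\s*$")


def parse_winbind_log(text: str) -> list:
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "func": m["func"], "msg": "", "code": None, "error": None}
            records.append(current)
        elif current is not None and line.strip():
            current["msg"] = line.strip()
            c = CODE_RE.search(line)
            if c:
                current["code"] = int(c.group(1))
                current["error"] = krb5_error_name(current["code"])
    return records


def count_by_error(records: list) -> dict:
    """Count records per (function, symbolic error), the detection view of the log."""
    out = {}
    for r in records:
        key = (r["func"], r["error"])
        out[key] = out.get(key, 0) + 1
    return out


# --- PAC checksum simulation (simplified stand-ins, not real Kerberos crypto).
def machine_key(password: str) -> bytes:
    # Stand-in for string-to-key on the machine account password.
    return hashlib.sha256(password.encode()).digest()


def sign_pac(pac: bytes, key: bytes) -> bytes:
    # DC side: keyed checksum over the PAC body with the service's long-term key.
    return hmac.new(key, pac, hashlib.sha256).digest()


def check_pac_checksum(pac: bytes, checksum: bytes, key: bytes) -> int:
    # Member side: recompute with the key held locally; mismatch gives the same
    # krb5 code winbind logs in the thread.
    if hmac.compare_digest(sign_pac(pac, key), checksum):
        return 0
    return KRB5_ERROR_BASE + 31


def verify_ticket_pac(ad_password: str, member_password: str) -> int:
    """AD signs with its current machine password; the member verifies with the
    one in its secrets.tdb. Returns 0 when in sync, else the krb5 code."""
    pac = b"constructed PAC: user=tom, groups=[Domain Users, accounting]"  # constructed
    checksum = sign_pac(pac, machine_key(ad_password))
    return check_pac_checksum(pac, checksum, machine_key(member_password))


# Constructed sample, reformatted from the winbind lines in the original post.
SAMPLE_LOG = """\
[2017/10/12 00:53:52.351095,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:54.588468,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
"""

if __name__ == "__main__":
    for (func, err), n in count_by_error(parse_winbind_log(SAMPLE_LOG)).items():
        print(f"{func}: {err} x{n}")
    print("in sync   ->", verify_ticket_pac("Qp2-current", "Qp2-current"))
    print("stale key ->", krb5_error_name(verify_ticket_pac("Qp2-current", "Zx9-old")))
```

The stale-key branch is the situation the thread converges on: the DC and the member disagree on the machine account secret, so every service ticket's PAC fails the server-checksum check while user logons may still appear to work. On a real member the corresponding checks are `net ads testjoin` (does the stored machine secret still authenticate to AD?) and, on the DCs, `samba-tool drs showrepl` for replication state; `net ads changetrustpw` or a re-join resets the machine password on both sides. Those commands are Samba's own and are not exercised by the example.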
