Re: [Samba] Samba 4.6.2 member server errors




Hi Rowland,


On Sun, 15 Oct 2017, Rowland Penny via samba wrote:

> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> me@xxxxxxxxxx wrote:
>
>> Yes I understand, however, there are 2 things I am concerned about.
>>
>> When the errors are spewing, winbind never goes to sleep and the load
>> on the server runs somewhere between 6-8 constantly (as shown by
>> top). Even when there is no one in the office and hence no files
>> being served I still see the high load.
>>
>> When the errors stop (this happens intermittently) winbind will sleep
>> and the load settles down to < 1.
>>
>> The other thing that concerns me is that I am wondering if this is an
>> indication that something more serious is about to break. It is one
>> thing for me to see things in the background and entirely something
>> else for it to impact the users. :-)
>>
>> Suggestions?
>>
>> Regards,
>
> If nothing is connecting, then winbind shouldn't be doing much, so if
> it is, you need to find out why.
>
> Check the Samba logs on the DCs, is there anything relevant showing at
> the time that winbind is overloading on the domain member?
> Raise the log levels on the DCs and domain members and see if anything
> pops out.

I ran the logging up to level 10 on the DCs and the file server.
The DCs do not show anything significant, at least not that I can tell.
There is so much info there I might be missing something.

On the file server I see the following at level 10:

[2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
  accepted socket 44
[2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
  process_request: Handling async request 58214:GETPWNAM
[2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam kmg\mb-shop9-17$
[2017/10/16 10:11:21.392868,  1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          in: struct wbint_LookupName
              domain                   : *
                  domain                   : 'KMG'
              name                     : *
                  name                     : 'MB-SHOP9-17$'
              flags                    : 0x00000008 (8)
[2017/10/16 10:11:21.392899,  1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          out: struct wbint_LookupName
              type                     : *
                  type                     : SID_NAME_USER (1)
              sid                      : *
                  sid                      : S-1-5-21-3052942767-4183929206-737583365-1617
              result                   : NT_STATUS_OK
[2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
  SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
[2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: value=[-1:N]
[2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: id=[4294967295], endptr=[:N]
[2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
  wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
  process_request: Handling async request 58217:PAM_AUTH_CRAP
[2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/16 10:11:21.913139,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Decrypt integrity check failed
[2017/10/16 10:11:21.913203,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: MB-RECEPTION-17$ []

I do not know if it is important or not but these machines were just joined
to the domain within the last week or so.

I see many of these for different machines.

Please let me know what you think.

Regards,


--
Tom			me@xxxxxxxxxx
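
An added example, not part of the original message and not Samba code: a small Python triage script for level-10 winbindd logs in the layout posted above. It groups entries by level, function and message and lists the winbind requests that did not return NT_STATUS_OK. The function names and the sample log (host name, SID, request id) are constructed for illustration.

```python
import re
from collections import Counter
# Header of one debug entry, in the prefix format of the log above.
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s*(?P<level>\d+), pid=\d+[^\]]*\]"
                    r"\s+\S+?:\d+\((?P<func>\w+)\)\s*$")
SID = re.compile(r"S-1-\d+(?:-\d+)+")
DONE = re.compile(r"wb_request_done\[\d+:(\w+)\]: (\w+)")

def parse_entries(text):
    """Group the log into entries: a header line plus its indented message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({"level": int(m["level"]), "func": m["func"], "msg": []})
        elif entries and raw.strip():
            entries[-1]["msg"].append(raw.strip())
    return entries

def summarize(text):
    """Collapse repeated messages and pull out the lookups that failed."""
    messages, failed, names, sids = Counter(), Counter(), Counter(), set()
    for e in parse_entries(text):
        first = e["msg"][0] if e["msg"] else ""
        if first.startswith("getpwnam "):
            names[first.split(" ", 1)[1]] += 1
        if first.startswith("Could not convert sid"):
            sids.update(SID.findall(first))
        d = DONE.match(first)
        if d and d[2] != "NT_STATUS_OK":
            failed[(d[1], d[2])] += 1
        # Mask SIDs and long numbers so identical messages group together.
        key = re.sub(r"\d{3,}", "<n>", SID.sub("<SID>", first))
        messages[(e["level"], e["func"], key)] += 1
    return {"messages": messages, "failed": failed, "names": names, "unmapped_sids": sids}

# Constructed sample in the same layout; host name, SID and request id are made up.
SAMPLE_LOG = r"""[2017/10/16 10:11:21.100000,  3, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam EXAMPLE\host-a$
[2017/10/16 10:11:21.100100,  5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-1111111111-2222222222-3333333333-1001: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.100200, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
  wb_request_done[1001:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.200000,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.200100,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument"""
print(summarize(SAMPLE_LOG)["messages"].most_common(3))
```

Feeding it the real winbindd log file instead of SAMPLE_LOG gives a per-message count and the set of account names and SIDs behind the failures, which is easier to compare against the list of recently joined machines than the raw level-10 output.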
