Web lists-archives.com

Re: [Samba] Samba 4.6.2 member server errors




On Mon, 16 Oct 2017 10:40:44 -0400 (EDT)
me@xxxxxxxxxx wrote:

> Hi Rowland,
> 
> 
> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
> 
> > On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> > me@xxxxxxxxxx wrote:
> >
> >> Yes I understand, however, there are 2 things I am concerned about.
> >>
> >> When the errors are spewing, winbind never goes to sleep and the
> >> load on the server runs somewhere between 6-8 constantly (as shown
> >> by top.). Even when there is no one in the office and hence no
> >> files being served I still see the high load.
> >>
> >> When the errors stop (This happens intermittently) winbind will
> >> sleep and the load settles down to < 1.
> >>
> >> The other thing that concerns me is that I am wondering if this is
> >> an indication that something more serious is about to break. It is
> >> one thing for me to see things in the background and entirely
> >> something else for it to impact the users. :-)
> >>
> >> Suggestions?
> >>
> >> Regards,
> >>
> >
> > If nothing is connecting, then winbind shouldn't be doing much, so
> > if it is, you need to find out why.
> >
> > Check the Samba logs on the DCs, is there anything relevant showing
> > at the time that winbind is overloading on the domain member
> > Raise the log levels on the DCs and domain members and see if
> > anything pops out.
> 
> I ran the logging up to level 10 on the DC's and the file server.
> The DC's do not show anything significant, at least not that I can
> tell. There is so much info there I might be missing something.
> 
> On the file server I see the following at level 10:
> 
> [2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0), real(0,
> 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
> accepted socket 44 [2017/10/16 10:11:21.392850, 10, pid=1440,
> effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
> process_request: Handling async request 58214:GETPWNAM [2017/10/16
> 10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam kmg\mb-shop9-17$ [2017/10/16 10:11:21.392868,  1, pid=1440,
> effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_LookupName: struct wbint_LookupName in: struct wbint_LookupName
> domain                   : * domain                   : 'KMG'
> name                     : * name                     :
> 'MB-SHOP9-17$' flags                    : 0x00000008 (8) [2017/10/16
> 10:11:21.392899,  1, pid=1440, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> wbint_LookupName: struct wbint_LookupName out: struct
> wbint_LookupName type                     : *
> type                     : SID_NAME_USER (1)
> sid                      : * sid                      :
> S-1-5-21-3052942767-4183929206-737583365-1617
> result                   : NT_STATUS_OK [2017/10/16 10:11:21.392926,
> 10, pid=1440, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
> SID 0: S-1-5-21-3052942767-4183929206-737583365-1617 [2017/10/16
> 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0,
> 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
> value=[-1:N] [2017/10/16 10:11:21.392946, 10, pid=1440, effective(0,
> 0), real(0,
> 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
> id=[4294967295], endptr=[:N] [2017/10/16 10:11:21.392955,  5,
> pid=1440, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617:
> NT_STATUS_NO_SUCH_USER [2017/10/16 10:11:21.392963, 10, pid=1440,
> effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
> wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER [2017/10/16
> 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
> process_request: Handling async request 58217:PAM_AUTH_CRAP
> [2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> check_pac_checksum: PAC Verification failed: Decrypt integrity check
> failed (-1765328353) [2017/10/16 10:11:21.913139,  5, pid=1440,
> effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Decrypt integrity
> check failed [2017/10/16 10:11:21.913203,  5, pid=1440, effective(0,
> 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
> Decode: Failed to verify the service signature: Invalid argument
> [2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0,
> 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac) Found
> account name from PAC: MB-RECEPTION-17$ []
> 
> I do not know if it is important or not but these machines were just
> joined to the domain within the last week or so.
> 
> I see many of these for different machines.
> 
> Please let me know what you think.
> 
> Regards,
> 
> 

It seems to be treating computers as users (I could be barking up the
wrong tree here), can you post the contents
of /etc/hosts, /etc/hostname, /etc/resolv.conf and /etc/nsswitch.conf 
from the domain member

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba