Web lists-archives.com

Re: [Samba] Samba 4.6.2 member server errors




On Mon, 16 Oct 2017, Rowland Penny via samba wrote:

On Mon, 16 Oct 2017 10:40:44 -0400 (EDT)
me@xxxxxxxxxx wrote:

Hi Rowland,


On Sun, 15 Oct 2017, Rowland Penny via samba wrote:

On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
me@xxxxxxxxxx wrote:

Yes I understand, however, there are 2 things I am concerned about.

When the errors are spewing, winbind never goes to sleep and the
load on the server runs somewhere between 6-8 constantly (as shown
by top.). Even when there is no one in the office and hence no
files being served I still see the high load.

When the errors stop (This happens intermittently) winbind will
sleep and the load settles down to < 1.

The other thing that concerns me is that I am wondering if this is
an indication that something more serious is about to break. It is
one thing for me to see things in the background and entirely
something else for it to impact the users. :-)

Suggestions?

Regards,


If nothing is connecting, then winbind shouldn't be doing much, so
if it is, you need to find out why.

Check the Samba logs on the DCs, is there anything relevant showing
at the time that winbind is overloading on the domain member
Raise the log levels on the DCs and domain members and see if
anything pops out.

I ran the logging up to level 10 on the DC's and the file server.
The DC's do not show anything significant, at least not that I can
tell. There is so much info there I might be missing something.

On the file server I see the following at level 10:

[2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0), real(0,
0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
accepted socket 44 [2017/10/16 10:11:21.392850, 10, pid=1440,
effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
process_request: Handling async request 58214:GETPWNAM [2017/10/16
10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam kmg\mb-shop9-17$ [2017/10/16 10:11:21.392868,  1, pid=1440,
effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName in: struct wbint_LookupName
domain                   : * domain                   : 'KMG'
name                     : * name                     :
'MB-SHOP9-17$' flags                    : 0x00000008 (8) [2017/10/16
10:11:21.392899,  1, pid=1440, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName out: struct
wbint_LookupName type                     : *
type                     : SID_NAME_USER (1)
sid                      : * sid                      :
S-1-5-21-3052942767-4183929206-737583365-1617
result                   : NT_STATUS_OK [2017/10/16 10:11:21.392926,
10, pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
SID 0: S-1-5-21-3052942767-4183929206-737583365-1617 [2017/10/16
10:11:21.392939, 10, pid=1440, effective(0, 0), real(0,
0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
value=[-1:N] [2017/10/16 10:11:21.392946, 10, pid=1440, effective(0,
0), real(0,
0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
id=[4294967295], endptr=[:N] [2017/10/16 10:11:21.392955,  5,
pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617:
NT_STATUS_NO_SUCH_USER [2017/10/16 10:11:21.392963, 10, pid=1440,
effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER [2017/10/16
10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
process_request: Handling async request 58217:PAM_AUTH_CRAP
[2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
check_pac_checksum: PAC Verification failed: Decrypt integrity check
failed (-1765328353) [2017/10/16 10:11:21.913139,  5, pid=1440,
effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Decrypt integrity
check failed [2017/10/16 10:11:21.913203,  5, pid=1440, effective(0,
0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0,
0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac) Found
account name from PAC: MB-RECEPTION-17$ []

I do not know if it is important or not but these machines were just
joined to the domain within the last week or so.

I see many of these for different machines.

Please let me know what you think.

Regards,



It seems to be treating computers as users (I could be barking up the
wrong tree here), can you post the contents
of /etc/hosts, /etc/hostname, /etc/resolv.conf and /etc/nsswitch.conf
from the domain member

Here you go:

(vfs1 pts6) # cat /etc/resolv.conf search kmg.mydomain.com mydomain.com
nameserver 172.30.0.7
nameserver 10.224.135.7
(vfs1 pts6) #

The 2 name server ip addresses are the 2 dc's.

(vfs1 pts6) # cat /etc/hosts

127.0.0.1 localhost localhost.localdomain 172.30.0.8 vfs1.kmg.mydomain.com vfs1
(vfs1 pts6) #

(vfs1 pts6) # cat /etc/hostname
vfs1.kmg.mydomain.com
(vfs1 pts6) #

(vfs1 pts6) # cat /etc/nsswitch.conf
passwd:     files winbind
shadow: files group: files winbind

hosts:      files dns myhostname

bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

(vfs1 pts6) #

Sorry for the delay getting back to you. I was out for a few days.

Regards,

--
Tom			me@xxxxxxxxxx

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba