
Re: [Samba] Samba 4.6.2 member server errors




Hi Louis,

On Mon, 16 Oct 2017, L.P.H. van Belle via samba wrote:

Hi Tom,

Small update.

I'm also still looking into this but I'm not getting much further..
I am just reading:
https://blogs.msdn.microsoft.com/openspecification/2009/12/31/verifying-the-server-signature-in-kerberos-privilege-account-certificate/
Bit older, but I'm trying to understand more what happens here.

And the only "guess" I can make here is:
A Kerberos ticket with the wrong encryption type tried to validate.
Based on that, but again, this is what I would try.

For all servers, in krb5.conf. (* do you have any XP/W2003 or older in your LAN? )

No, only win7 at this time.

; for Windows 2008 with AES

I do not have any Windows 2008.

;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Or at least make sure they are the same.

Are you saying I should insert the above into the krb5.conf files?

For the record, all of the krb5.conf files have the following in them:

(vfs1 pts6) # cat /etc/krb5.conf
[libdefaults]
    default_realm = KMG.MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
(vfs1 pts6) #

Run net cache flush on all servers and reboot them.

We have done this a couple of times.


If a wrong verification is somewhere in cache or memory, then this could help.

Now,

I do not know if it is important or not but these machines
were just joined to the domain within the last week or so.
Yes, very important, because... What's the default time for a Kerberos ticket?
The default value for a TGT (also referred to as a user ticket) is 7 days, ...

And a computer is a user..
So we are imo getting in the right direction.

.... Still reading things here

Still reading here also. Just not making much progress.

I found https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting article.
In there it says I need

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes

in smb.conf. Is this still relevant?

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
does not say anything about setting up a keytab file in smb.conf.

Thank You for the help.

Regards,

--
Tom			me@xxxxxxxxxx


Greetz,

Louis



-----Original Message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of Tom Diehl via samba
Sent: Monday 16 October 2017 16:41
To: Rowland Penny
CC: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Samba 4.6.2 member server errors

Hi Rowland,


On Sun, 15 Oct 2017, Rowland Penny via samba wrote:

On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
me@xxxxxxxxxx wrote:

Yes I understand, however, there are 2 things I am concerned about.

When the errors are spewing, winbind never goes to sleep and the load on the server runs somewhere between 6-8 constantly (as shown by top.). Even when there is no one in the office and hence no files being served I still see the high load.

When the errors stop (This happens intermittently) winbind will sleep and the load settles down to < 1.

The other thing that concerns me is that I am wondering if this is an indication that something more serious is about to break. It is one thing for me to see things in the background and entirely something else for it to impact the users. :-)

Suggestions?

Regards,


If nothing is connecting, then winbind shouldn't be doing much, so if it is, you need to find out why.

Check the Samba logs on the DCs, is there anything relevant showing at the time that winbind is overloading on the domain member. Raise the log levels on the DCs and domain members and see if anything pops out.

I ran the logging up to level 10 on the DCs and the file server. The DCs do not show anything significant, at least not that I can tell. There is so much info there I might be missing something.

On the file server I see the following at level 10:

[2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0),
real(0, 0), class=winbind]
../source3/winbindd/winbindd.c:919(new_connection)
   accepted socket 44
[2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0),
real(0, 0), class=winbind]
../source3/winbindd/winbindd.c:734(process_request)
   process_request: Handling async request 58214:GETPWNAM
[2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0),
real(0, 0), class=winbind]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam kmg\mb-shop9-17$
[2017/10/16 10:11:21.392868,  1, pid=1440, effective(0, 0),
real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
        wbint_LookupName: struct wbint_LookupName
           in: struct wbint_LookupName
               domain                   : *
                   domain                   : 'KMG'
               name                     : *
                   name                     : 'MB-SHOP9-17$'
               flags                    : 0x00000008 (8)
[2017/10/16 10:11:21.392899,  1, pid=1440, effective(0, 0),
real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
        wbint_LookupName: struct wbint_LookupName
           out: struct wbint_LookupName
               type                     : *
                   type                     : SID_NAME_USER (1)
               sid                      : *
                   sid                      :
S-1-5-21-3052942767-4183929206-737583365-1617
               result                   : NT_STATUS_OK
[2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0),
real(0, 0), class=winbind]
../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
   SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
[2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0),
real(0, 0)]
../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
   Parsing value for key
[IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
 value=[-1:N]
[2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0),
real(0, 0)]
../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
   Parsing value for key
[IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
 id=[4294967295], endptr=[:N]
[2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0),
real(0, 0), class=winbind]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
   Could not convert sid
S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0),
real(0, 0), class=winbind]
../source3/winbindd/winbindd.c:796(wb_request_done)
   wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0),
real(0, 0), class=winbind]
../source3/winbindd/winbindd.c:734(process_request)
   process_request: Handling async request 58217:PAM_AUTH_CRAP
[2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt
integrity check failed (-1765328353)
[2017/10/16 10:11:21.913139,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Decrypt integrity check failed
[2017/10/16 10:11:21.913203,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature:
Invalid argument
[2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0),
real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
   Found account name from PAC: MB-RECEPTION-17$ []

I do not know if it is important or not but these machines were just joined to the domain within the last week or so.

I see many of these for different machines.

Please let me know what you think.
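As an added example, not code from the thread or from Samba itself: a small Python triage script for the level-10 winbind entries quoted above. It assumes the normal two-line layout of a Samba log entry (header line, then the indented message) rather than the mail-wrapped form shown in the message, and the sample lines are constructed from the quoted ones.

```python
import re
from collections import Counter

# Constructed sample in the two-line Samba log layout (header, then indented
# message), modelled on the level-10 winbind output quoted in the thread.
SAMPLE_LOG = """\
[2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
   Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
   Found account name from PAC: MB-RECEPTION-17$ []
"""

# Header line: "[timestamp, level, pid=N, ...] source.c:line(function)"
HEADER_RE = re.compile(r"^\[([^,]+),\s*(\d+),\s*pid=(\d+)[^\]]*\]\s*(\S+)$")
SID_FAIL_RE = re.compile(r"Could not convert sid (S-[\d-]+): NT_STATUS_NO_SUCH_USER")
PAC_NAME_RE = re.compile(r"Found account name from PAC: (\S+)")

def parse_entries(text):
    # Group each header line with its indented continuation line(s).
    entries = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            entries.append({"ts": m[1], "level": int(m[2]), "src": m[4], "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def triage(text):
    # Count the symptoms seen in the thread and name the likeliest cause.
    stats, unresolved, pac_accounts = Counter(), [], []
    for e in parse_entries(text):
        if "Failed to verify the service signature" in e["msg"]:
            stats["pac_sig_fail"] += 1       # PAC server checksum not verifiable
        if "PAC Verification failed" in e["msg"]:
            stats["pac_checksum_fail"] += 1  # keyed checksum mismatch (-1765328353)
        if m := SID_FAIL_RE.search(e["msg"]):
            unresolved.append(m[1])          # SID resolved, but no uid mapping
        if m := PAC_NAME_RE.search(e["msg"]):
            pac_accounts.append(m[1])
    # The server signature is checked with the member's own machine key, so a failure
    # usually means the key winbind holds (secrets/keytab, enctype, kvno) is not the
    # one the KDC used; names ending in '$' are machine accounts.
    if stats["pac_sig_fail"] and any(a.endswith("$") for a in pac_accounts):
        verdict = "machine-key mismatch: compare member keytab/enctypes with the DC"
    elif unresolved:
        verdict = "idmap: SIDs resolve but have no uid mapping"
    else:
        verdict = "no known symptom"
    return {"stats": dict(stats), "unresolved_sids": unresolved, "pac_accounts": pac_accounts, "verdict": verdict}
```

Run `triage()` over a real member-server log at level 5 or higher; a verdict of "machine-key mismatch" for accounts joined recently is the case the thread is circling around.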

