[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently

Bharath Bheemarasetti bharath.bheemarasetti at gmail.com
Sat Jun 3 07:39:10 UTC 2023

> A couple of things possible, from 4.8.0 winbind must be running and your
> smb.conf is, to be blunt, rubbish. You need to set the workgroup, you
> need to have idmap config lines for the workgroup, the 'winbind enum'
> lines only slow things down and 'map untrusted to domain' has been removed.

Winbind is running and the workgroup was set as well. I omitted some
lines from the smb.conf shared previously as I wasn't sure if they
were relevant or not. I've added the full content below. Also, the share is
being accessed by a Windows client which is part of the domain, and it
does work fine for a few hours after restarting the smbd and winbind
services. Does 'winbind enum' have any relation to that?

mentions turning off 'winbind enum' can cause some problems


netbios name = clustF994DF
realm = <domain>

bind interfaces only = yes
interfaces = lo:138

workgroup = <workgroup>
security = ads
server role = member server

auth methods = winbind

idmap config * : backend = tdb
idmap config * : range = 10000-24999999

winbind enum users = yes
winbind enum groups = yes
usershare allow guests = no

map untrusted to domain = Yes
allow trusted domains = no
server string = %h
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
smb ports = 1445
pid directory = /var/run/samba

server min protocol = SMB2
strict sync = yes
sync always = no

smb encrypt = auto

aio read size = 1
aio write size = 1

smb2 max read = 1048576
smb2 max write = 1048576
smb2 max trans = 1048576

socket options = TCP_NODELAY SO_RCVBUF=10485760 SO_SNDBUF=10485760

usershare owner only = no

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

machine password timeout = 0

nt acl support = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

log level = 5
max log size = 1000

*Share configuration:*

  path = <path>
  guest ok = no
  writeable = no
  browseable = no
  valid users = "<domain>\<user>","+<domain>\<user group>"
  force user = root

On Fri, Jun 2, 2023 at 3:21 AM Bharath Bheemarasetti <
bharath.bheemarasetti at gmail.com> wrote:

> Hi,
> I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
> Post the upgrade, winbind authentication fails
> with NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
> restarting the smb service but comes back after some time. There were no
> issues with the setup before the upgrade.
> Tried clearing the cached tdb files as well but the issue still comes back
> after some time.
> <trimmed the log lines>

> Below is the configuration:
> security = ads
> server role = member server
> auth methods = winbind
> idmap config * : backend = tdb
> idmap config * : range = 10000-24999999
> winbind enum users = yes
> winbind enum groups = yes
> usershare allow guests = no
> map untrusted to domain = Yes
> allow trusted domains = no
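
Added example, not part of the thread and not Samba code: a small Python check for the points the quoted reply raises about this smb.conf (workgroup set, idmap config lines for the workgroup, the 'winbind enum' options, the removed 'map untrusted to domain'). The sample configuration and the workgroup name EXAMPLE are constructed, and the finding labels are this example's own.

```python
import re

# Checks are limited to the points raised in the reply quoted in this thread.
REMOVED = {"mapuntrustedtodomain"}
SLOW = {"winbindenumusers", "winbindenumgroups"}

SAMPLE = """\
[global]
workgroup = EXAMPLE
security = ads
idmap config * : backend = tdb
idmap config * : range = 10000-24999999
winbind enum users = yes
winbind enum groups = yes
map untrusted to domain = Yes
[share]
path = /srv/share
"""  # constructed sample, modelled on the configuration posted above

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised name: value} for [global]; lines before any header count as global."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            params[norm(name)] = value.strip()
    return params

def lint(text):
    p = parse_global(text)
    findings = [("removed", n) for n in sorted(REMOVED & p.keys())]
    findings += [("slow", n) for n in sorted(SLOW & p.keys())
                 if p[n].lower() in ("yes", "true", "1")]
    wg = p.get("workgroup")
    if not wg:
        findings.append(("missing", "workgroup"))
    elif not any(k.startswith(norm("idmap config " + wg + ":")) for k in p):
        findings.append(("missing", "idmap config " + wg))
    return findings

if __name__ == "__main__":
    for kind, what in lint(SAMPLE):
        print(kind, what)
```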
