[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently

Rowland Penny rpenny at samba.org
Sat Jun 3 08:43:32 UTC 2023



On 03/06/2023 08:39, Bharath Bheemarasetti via samba wrote:
>> 
> Winbind is running and the workgroup was set as well. I omitted some
> lines from the smb.conf shared previously as I wasn't sure if they
> were relevant or not. 

Can I ask that if anyone is going to post their smb.conf, they post it 
in its entirety, fragments are useless.

> I've added the full content below. Also share is
> being accessed by a windows client which is part of the domain and it
> does work fine for a few hours after restarting the smbd and winbind
> services. Does 'winbind enum' have any relation to that?

First 'winbind enum' lines, they can and do slow things down in large 
domains and aren't required at all, getent etc will work without them. 
There are some old programs that will not work without them, but when 
was the last time you ran 'finger' for instance ?

From your smb.conf below, it looks like you are putting everything into 
the default '*' domain, because you haven't got any 'idmap config' lines 
for the 'workgroup' domain.

Have you read the wiki pages I pointed you to ?

You might also want to read the smb.conf manpage, you have lots of lines 
that I would never set.
You also have 'smb ports = 1445'. Is this a typo ?

Rowland

> 
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#WINBINDENUMUSERS
> mentions turning off 'winbind enum' can cause some problems
> 
> *Configuration:*
> 
> netbios name = clustF994DF
> realm = <domain>
> 
> bind interfaces only = yes
> interfaces = 127.0.0.138 lo:138
> 
> workgroup = <workgroup>
> security = ads
> server role = member server
> 
> auth methods = winbind
> 
> idmap config * : backend = tdb
> idmap config * : range = 10000-24999999
> 
> winbind enum users = yes
> winbind enum groups = yes
> usershare allow guests = no
> 
> map untrusted to domain = Yes
> allow trusted domains = no
> server string = %h
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> smb ports = 1445
> pid directory = /var/run/samba
> 
> server min protocol = SMB2
> strict sync = yes
> sync always = no
> 
> smb encrypt = auto
> 
> aio read size = 1
> aio write size = 1
> 
> smb2 max read = 1048576
> smb2 max write = 1048576
> smb2 max trans = 1048576
> 
> socket options = TCP_NODELAY SO_RCVBUF=10485760 SO_SNDBUF=10485760
> 
> usershare owner only = no
> 
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> 
> machine password timeout = 0
> 
> nt acl support = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> 
> log level = 5
> max log size = 1000
> 
> *Share configuration:*
> 
>    path = <path>
> 
>    guest ok = no
> 
>    writeable = no
> 
>    browseable = no
> 
>    valid users = "<domain>\<user>","+<domain>\<user group>"
> 
>    force user = root
> 
> On Fri, Jun 2, 2023 at 3:21 AM Bharath Bheemarasetti <
> bharath.bheemarasetti at gmail.com> wrote:
> 
>> Hi,
>> I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
>> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
>> Post the upgrade, winbind authentication fails
>> with  NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
>> restarting the smb service but comes back after some time. There were no
>> issues with the setup before the upgrade.
>> Tried clearing the cached tdb files as well but the issue still comes back
>> after some time.
>> <trimmed the log lines>
>>
> 
>> Below is the configuration:
>> security = ads
>> server role = member server
>> auth methods = winbind
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-24999999
>> winbind enum users = yes
>> winbind enum groups = yes
>> usershare allow guests = no
>> map untrusted to domain = Yes
>> allow trusted domains = no
>>
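
The three points raised in the reply above (no 'idmap config' lines for the workgroup domain, the 'winbind enum' lines, and the non-default 'smb ports') can be checked mechanically. This is an added example, not part of the thread or of Samba: the function names are hypothetical, `SAMPLE` is constructed, and `EXAMPLE` is a placeholder workgroup.

```python
import re

# Constructed sample shaped like the [global] settings quoted in this thread.
SAMPLE = """\
[global]
workgroup = EXAMPLE
security = ads
idmap config * : backend = tdb
idmap config * : range = 10000-24999999
winbind enum users = yes
winbind enum groups = yes
smb ports = 1445
"""

def parse_global(text):
    """Return [global] parameters; names are lower-cased with whitespace removed,
    since smb.conf ignores both. Lines before any section header count as global."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def review(text):
    """Return one finding per issue named in the reply; empty list if none apply."""
    p, findings = parse_global(text), []
    wg = p.get("workgroup", "").lower()
    prefix = "idmapconfig"
    domains = {k[len(prefix):].split(":")[0] for k in p if k.startswith(prefix)}
    if p.get("security", "").lower() == "ads" and wg and wg not in domains:
        findings.append(f"no 'idmap config {wg.upper()} : ...' lines; "
                        "everything lands in the default '*' domain")
    for key, label in (("winbindenumusers", "winbind enum users"),
                       ("winbindenumgroups", "winbind enum groups")):
        if p.get(key, "no").lower() in ("yes", "true", "1"):
            findings.append(f"'{label} = yes' is set; not required, slow in large domains")
    ports = p.get("smbports")
    if ports and set(ports.replace(",", " ").split()) != {"445", "139"}:
        findings.append(f"'smb ports = {ports}' differs from the default '445 139'")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```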


