[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently

Bharath Bheemarasetti bharath.bheemarasetti at gmail.com
Fri Jun 16 07:56:59 UTC 2023


First 'winbind enum' lines, they can and do slow things down in large
domains and aren't required at all, getent etc. will work without them.
There are some old programs that will not work without them, but when
was the last time you ran 'finger' for instance?

I made this change and it makes some difference but doesn't fix the
issue entirely. Earlier the auth calls used to fail in around a day
which has increased to 2 days now after which the auth calls fail with
NT_STATUS_RPC_SEC_PKG_ERROR and winbind needs to be restarted for it
to work. We use NTLMv2 for authentication and using the ntlm_auth tool
(https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html)
returns the same NT_STATUS_RPC_SEC_PKG_ERROR error as well while
wbinfo -i returns the correct user info.

Is there anything else that can be done to fix this permanently?

You might also want to read the smb.conf manpage, you have lots of lines
that I would never set.

Thanks, I removed some lines which are not used anymore and will be
cleaning up others shortly.


On Sat, Jun 3, 2023 at 1:09 PM Bharath Bheemarasetti <
bharath.bheemarasetti at gmail.com> wrote:

> A couple of things possible, from 4.8.0 winbind must be running and your
> smb.conf is, to be blunt, rubbish. You need to set the workgroup, you
> need to have idmap config lines for the workgroup, the 'winbind enum'
> lines only slow things down and 'map untrusted to domain' has been removed.
>
> Winbind is running and the workgroup was set as well. I omitted some lines from the smb.conf shared previously as I wasn't sure if they were relevant or not. I've added the full content below. Also share is being accessed by a windows client which is part of the domain and it does work fine for a few hours after restarting the smbd and winbind services. Does 'winbind enum' have any relation to that?
>
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#WINBINDENUMUSERS mentions turning off 'winbind enum' can cause some problems
>
> *Configuration:*
>
> netbios name = clustF994DF
> realm = <domain>
>
> bind interfaces only = yes
> interfaces = 127.0.0.138 lo:138
>
> workgroup = <workgroup>
> security = ads
> server role = member server
>
> auth methods = winbind
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-24999999
>
> winbind enum users = yes
> winbind enum groups = yes
> usershare allow guests = no
>
> map untrusted to domain = Yes
> allow trusted domains = no
> server string = %h
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> smb ports = 1445
> pid directory = /var/run/samba
>
> server min protocol = SMB2
> strict sync = yes
> sync always = no
>
> smb encrypt = auto
>
> aio read size = 1
> aio write size = 1
>
> smb2 max read = 1048576
> smb2 max write = 1048576
> smb2 max trans = 1048576
>
> socket options = TCP_NODELAY SO_RCVBUF=10485760 SO_SNDBUF=10485760
>
> usershare owner only = no
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> machine password timeout = 0
>
> nt acl support = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> log level = 5
> max log size = 1000
>
> *Share configuration:*
>
>   path = <path>
>
>   guest ok = no
>
>   writeable = no
>
>   browseable = no
>
>   valid users = "<domain>\<user>","+<domain>\<user group>"
>
>   force user = root
>
> On Fri, Jun 2, 2023 at 3:21 AM Bharath Bheemarasetti <
> bharath.bheemarasetti at gmail.com> wrote:
>
>> Hi,
>> I recently upgraded an SMB server from Ubuntu 18.04 to Ubuntu 20.04 which
>> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
>> Post the upgrade, winbind authentication fails
>> with NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
>> restarting the smb service but comes back after some time. There were no
>> issues with the setup before the upgrade.
>> Tried clearing the cached tdb files as well but the issue still comes back
>> after some time.
>> <trimmed the log lines>
>>
>
>> Below is the configuration:
>> security = ads
>> server role = member server
>> auth methods = winbind
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-24999999
>> winbind enum users = yes
>> winbind enum groups = yes
>> usershare allow guests = no
>> map untrusted to domain = Yes
>> allow trusted domains = no
>>
>
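As an added check that is not part of the thread and not Samba's own testparm, the small Python lint below applies the advice given above (drop the 'winbind enum' lines, drop the removed 'map untrusted to domain', set 'workgroup' and give it its own non-overlapping 'idmap config' lines) to a [global] section; the sample configuration and the EXAMPLE workgroup name are constructed placeholders.

```python
"""Lint an smb.conf [global] section for the problems raised in this thread:
'winbind enum', the removed 'map untrusted to domain', and workgroup idmap."""
import re

# Constructed sample built from the [global] lines quoted in the thread,
# with placeholder names where the poster wrote <domain>/<workgroup>.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 10000-24999999
   winbind enum users = yes
   winbind enum groups = yes
   map untrusted to domain = Yes
"""

def parse_global(text):
    """Return the [global] parameters as {normalised key: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[re.sub(r"\s*:\s*", " : ", " ".join(key.lower().split()))] = value
    return params

def lint(text):
    """Return human-readable findings; an empty list means nothing flagged."""
    params, findings = parse_global(text), []
    for k in ("winbind enum users", "winbind enum groups"):
        if params.get(k, "no").lower() == "yes":
            findings.append(f"'{k} = yes' slows large domains and is not required")
    if "map untrusted to domain" in params:
        findings.append("'map untrusted to domain' was removed from Samba; delete it")
    wg = params.get("workgroup", "").lower()
    if not wg:
        return findings + ["'workgroup' is not set"]
    rng = f"idmap config {wg} : range"
    if f"idmap config {wg} : backend" not in params or rng not in params:
        findings.append(f"no 'idmap config {wg} : backend/range' lines")
    elif "idmap config * : range" in params:
        a, b = map(int, params["idmap config * : range"].split("-"))
        c, d = map(int, params[rng].split("-"))
        if a <= d and c <= b:  # 'low-high' ranges intersect
            findings.append(f"idmap range for {wg} overlaps the '*' range")
    return findings
```

Run `lint(open("/etc/samba/smb.conf").read())` on a real file; the key normalisation means 'idmap config EXAMPLE:range' and 'idmap config EXAMPLE : range' are treated as the same parameter.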