Winbindd DCERPC requests to DC are intermittently failing with NT_STATUS_RPC_SEC_PKG_ERROR.

Jeremy Allison jra at samba.org
Wed Jan 16 23:32:28 UTC 2019


On Wed, Jan 16, 2019 at 10:41:41PM +0000, Hemanth Thummala via samba-technical wrote:
> Hello All,
> 
> We are running the Samba 4.3.11 stack. We are witnessing that DCERPC (NetrLogon*) requests (as part of establishing the secure channel from winbindd) are frequently failing with RPC_SEC_PKG_ERRORs. Sometimes the next retry would be successful, or the error would be persistent till we restart winbind.
> 
> [2019/01/16 12:12:14.669030,  1, pid=57612, effective(0, 0), real(0, 0), class=rpc_cli] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
>   ../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_FAULT_SEC_PKG_ERROR received from host DCDC-1.DRMAFS.LAB!
> [2019/01/16 12:12:14.669044, 10, pid=57612, effective(0, 0), real(0, 0), class=rpc_cli] ../source3/rpc_client/cli_pipe.c:975(rpc_api_pipe_got_pdu)
>   rpc_api_pipe: got frag len of 32 at offset 0: NT_STATUS_RPC_SEC_PKG_ERROR
> 
> And the very next request succeeded.
> 
> 
> [2019/01/16 12:12:19.280066, 10, pid=57612, effective(0, 0), real(0, 0), class=rpc_cli] ../source3/rpc_client/cli_pipe.c:3341(cli_rpc_pipe_open_schannel_with_creds)
> 
>   cli_rpc_pipe_open_schannel_with_creds: opened pipe netlogon to machine DCDC-1.DRMAFS.LAB for domain DRMAFS and bound using schannel.
> 
> [2019/01/16 12:12:19.280076,  3, pid=57612, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:677(_wbint_CheckMachineAccount)
> 
>   domain DRMAFS secret is good
> 
> Capture on DC shows that request failing with FAULT PKG error.
> 
> 1133       17.712152            x.x.x.x   y.y.y.y   RPC_NETLOGON              454         NetrLogonDummyRoutine1 request
> 1134       17.712402            y.y.y.y   x.x.x.x   DCERPC 214         Fault: call_id: 17866, Fragment: Single, Ctx: 0, status: nca_s_fault_sec_pkg_error
> 
> This is causing all the LookupName DCERPCs to fail, which in turn is affecting the user authentication. Any inputs to debug this issue?

Can you get Wireshark traces? Do you have multiple clients
with the same name / sharing machine credentials?

Windows servers will keep only one credential chain
for Netlogon requests, so if you call into it with
multiple connections using the same name they'll
trample on each other.
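
A toy model of the behaviour described in the reply above (the DC keeps a single Netlogon credential chain per machine name), added here as an illustration; it is not part of the original thread and is not Samba or Windows code. `ToyDC`, `ToyClient`, the account name `FILER$` and the HMAC-SHA256 `step` are assumptions standing in for the real Netlogon credential computation.

```python
import hashlib, hmac, os

class SecPkgError(Exception):
    """Stand-in for the DC answering with nca_s_fault_sec_pkg_error."""

def step(key, cred):
    # Assumption: HMAC-SHA256 stands in for the real Netlogon credential step.
    return hmac.new(key, cred, hashlib.sha256).digest()

class ToyDC:
    def __init__(self, secrets):
        self.secrets = secrets   # machine account name -> shared secret
        self.chain = {}          # machine account name -> (key, cred): one slot per name
    def authenticate(self, name, client_nonce):
        server_nonce = os.urandom(8)
        key = step(self.secrets[name], client_nonce + server_nonce)
        self.chain[name] = (key, client_nonce)   # replaces any earlier chain for this name
        return server_nonce
    def call(self, name, authenticator):
        key, cred = self.chain[name]
        expected = step(key, cred)
        if not hmac.compare_digest(expected, authenticator):
            raise SecPkgError(name)
        self.chain[name] = (key, expected)       # advance the chain

class ToyClient:
    def __init__(self, dc, name, secret):
        self.dc, self.name, self.secret = dc, name, secret
    def connect(self):
        nonce = os.urandom(8)
        server_nonce = self.dc.authenticate(self.name, nonce)
        self.key, self.cred = step(self.secret, nonce + server_nonce), nonce
        return self
    def call(self):
        nxt = step(self.key, self.cred)
        try:
            self.dc.call(self.name, nxt)
        except SecPkgError:
            return "SEC_PKG_ERROR"
        self.cred = nxt
        return "ok"

def demo():
    secret = b"constructed-secret"      # constructed sample value
    dc = ToyDC({"FILER$": secret})      # hypothetical machine account name
    a, b = ToyClient(dc, "FILER$", secret), ToyClient(dc, "FILER$", secret)
    r1 = a.connect().call()             # A alone: request accepted
    r2 = b.connect().call()             # B binds with the same name: the DC's chain is now B's
    r3 = a.call()                       # A's next request no longer matches the stored chain
    r4 = a.connect().call()             # A rebinds and works again
    return [r1, r2, r3, r4, b.call()]   # and B is now the client that faults
```

In this model each client's fault clears as soon as it rebinds, and the rebind breaks the other client, which is the intermittent pattern to look for when two hosts share one machine account.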


