Winbindd DCERPC requests to DC are intermittently failing with NT_STATUS_RPC_SEC_PKG_ERROR.

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jan 17 11:07:54 UTC 2019


On Thu, Jan 17, 2019 at 12:43:45AM +0000, Hemanth Thummala via samba-technical wrote:
> Thanks Jeremy, for the quick response.
> 
> On 1/16/19, 3:32 PM, "Jeremy Allison" <jra at samba.org> wrote:
> 
> > Can you get Wireshark traces?
> Please see the attached.
> 
> > Do you have multiple clients with the same name / sharing machine credentials?
> Yes. It's actually a cluster. And we store the machine creds in a centralized location which each node fetches when it tries to communicate with the DC.
> 
> > Windows servers will keep only one credential chain
> > for Netlogon requests, so if you call into it with
> > multiple connections using the same name they'll
> > trample on each other.
> We have been using the centralized machine creds for some time. But
> we see this issue very randomly. Once it's seen on a specific
> cluster, it persists. If Windows has issues with handling multiple
> connections with the same name, we should have seen this all the time.

You need to share netlogon_creds_cli.tdb in the cluster to make this
work reliably. netlogon_creds_cli.tdb is updated much more often than
secrets.tdb, so you need to watch the performance of your centralized
location.  It might also require some code to be backported from
versions later than 4.3 to become efficient. For details, you might
take a look at the slides of my 2018 SambaXP talk.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mailto:kontakt at sernet.de
Gesch.F.: Dr. Johannes Loxen und Reinhild Jung
AG Göttingen: HR-B 2816 - http://www.sernet.de
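
A simplified model of the single credential chain discussed in this thread, added here as an illustration; it is not part of the original message and not Samba's code. `ModelDC`, `Node`, the `CLUSTER$` account name and the HMAC-based authenticator are assumptions standing in for the real Netlogon computation. It contrasts cluster nodes that each hold a private copy of the chain state with nodes that share one store, the role `netlogon_creds_cli.tdb` plays.

```python
import hashlib
import hmac

def authenticator(key: bytes, step: int) -> bytes:
    # Stand-in for the Netlogon authenticator: a MAC over the chain position.
    return hmac.new(key, step.to_bytes(8, "big"), hashlib.sha256).digest()

class ModelDC:
    """Keeps exactly one chain position per machine account name."""
    def __init__(self):
        self.chains = {}
    def establish(self, name, key):
        self.chains[name] = {"key": key, "step": 0}
    def call(self, name, auth):
        chain = self.chains[name]
        expected = authenticator(chain["key"], chain["step"] + 1)
        if not hmac.compare_digest(auth, expected):
            return False          # caller is out of step with the chain
        chain["step"] += 1        # chain advances on every accepted call
        return True

class Node:
    """Cluster node; `store` plays the role of its credential database."""
    def __init__(self, name, store):
        self.name = name
        self.store = store
    def call(self, dc):
        state = self.store[self.name]
        ok = dc.call(self.name, authenticator(state["key"], state["step"] + 1))
        if ok:
            state["step"] += 1    # persist the new position after success
        return ok

def simulate(shared_store, rounds=2):
    key = b"constructed-session-key"   # constructed sample value
    dc = ModelDC()
    dc.establish("CLUSTER$", key)
    central = {"CLUSTER$": {"key": key, "step": 0}}
    def private_copy():
        return {"CLUSTER$": dict(central["CLUSTER$"])}
    store_a = central if shared_store else private_copy()
    store_b = central if shared_store else private_copy()
    a, b = Node("CLUSTER$", store_a), Node("CLUSTER$", store_b)
    results = []
    for _ in range(rounds):       # nodes alternate calls, one at a time
        results += [a.call(dc), b.call(dc)]
    return results

if __name__ == "__main__":
    print("private copies:", simulate(False))
    print("shared store:  ", simulate(True))
```

The model runs calls one after another, so it does not cover two nodes updating the shared store at the same moment.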


