[Samba] Sudden authentication failures, hex dumps in log.samba

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Fri May 10 07:32:17 MDT 2013


On 10.5.2013 14:04, Pekka L.J. Jalkanen wrote:
> Question: how much more verbosity for log.samba would be needed to
> further investigate this problem? I'd rather not log everything with
> "-d10" for extended periods of time, because I really can't know how
> long it will take for the problem to reappear. I've now increased
> logging from the default level to "-d3".

"-d3" logging pays off:

[2013/05/10 14:31:05,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ someuser at MYDOMAIN.SITE from ipv4:10.10.59.151:4736 for cifs/w2k3r2dc.mydomain.site at MYDOMAIN.SITE [renewable, forwardable]
[2013/05/10 14:31:06,  1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
[2013/05/10 14:31:06,  0] ../lib/util/util.c:457(dump_data)
  [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
  [0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..
[2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: someuser at MYDOMAIN.SITE
[2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.10.59.151:4736
[2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ someuser at MYDOMAIN.SITE from ipv4:10.10.59.151:4737 for cifs/w2k3r2dc.mydomain.site at MYDOMAIN.SITE [renewable, forwardable]
[2013/05/10 14:31:06,  1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
[2013/05/10 14:31:06,  0] ../lib/util/util.c:457(dump_data)
  [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
  [0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..
[2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: someuser at MYDOMAIN.SITE
[2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.10.59.151:4737
[2013/05/10 14:31:20,  3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)

Client is Windows XP. I've yet to see this problem on newer clients...
this and the other one that previously failed are the last two XP
clients here that still remain in heavy production use.

What is also common with this client and the other that previously
failed is that they both have once been migrated from a different domain
(that no longer exists) using MS ADMT. This also applies to the users'
accounts that were used. Don't know if that really matters, but just for
the record.

Any ideas how to resolve this problem?


Pekka L.J. Jalkanen
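
Added example, not part of the original post and not Samba code: a Python scan of log.samba that ties each TGS-REQ to a following ndr_pull_error and "Client no longer in database" line, so affected accounts and client addresses can be listed from "-d3" output. The sample log is constructed from the lines quoted above; the function names and the `otheruser` entry are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the header-line / indented-message layout shown in the
# post; "otheruser" and its address are made-up placeholders (negative case).
SAMPLE_LOG = """\
[2013/05/10 14:31:05,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ someuser@MYDOMAIN.SITE from ipv4:10.10.59.151:4736 for cifs/w2k3r2dc.mydomain.site@MYDOMAIN.SITE [renewable, forwardable]
[2013/05/10 14:31:06,  1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
[2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: someuser@MYDOMAIN.SITE
[2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.10.59.151:4736
[2013/05/10 14:32:10,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ otheruser@MYDOMAIN.SITE from ipv4:10.10.59.20:1055 for cifs/w2k3r2dc.mydomain.site@MYDOMAIN.SITE [renewable, forwardable]
"""

STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+\d+\]")
TGS_REQ = re.compile(r"Kerberos: TGS-REQ (\S+(?: at |@)\S+) from (\S+)")  # " at " = list-archive form
GONE = re.compile(r"Kerberos: Client no longer in database: (\S+(?: at |@)\S+)")

def find_failed_tgs(log_text):
    """Return one dict per TGS-REQ that hit ndr_pull_error and was then rejected."""
    hits, stamp, pending, ndr_failed = [], None, None, False
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if m:  # header line: remember its timestamp for the message that follows
            stamp = m.group(1)
            continue
        m = TGS_REQ.search(line)
        if m:  # a new request resets the per-request state
            pending = {"time": stamp, "principal": m.group(1), "client": m.group(2)}
            ndr_failed = False
        elif "ndr_pull_error(" in line:
            ndr_failed = True
        else:
            m = GONE.search(line)
            if m and pending and ndr_failed and m.group(1) == pending["principal"]:
                hits.append(pending)
                pending, ndr_failed = None, False
    return hits

def summarize(hits):
    """Count failures per (principal, client address without the source port)."""
    return Counter((h["principal"], h["client"].rsplit(":", 1)[0]) for h in hits)

if __name__ == "__main__":
    print(summarize(find_failed_tgs(SAMPLE_LOG)))
```

Run against the real file by passing its contents to `find_failed_tgs()`; lines wrapped by a mail client, as in the post, are matched as well.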

