[Samba] Samba 4 Domain Members stop authenticating with Samba 3 PDC after seven (7) days
Dario Lesca
d.lesca at solinos.it
Fri Feb 5 10:59:21 UTC 2016
On a CentOS 7 server with samba-4.2.3-11.el7_2.x86_64, joined to a
samba-3.6.23-24.el6_7.x86_64 PDC server on CentOS 6.7 (up to date), after
7 days I need to restart the winbind service because the users are not
authenticated anymore.
This is the error in the log file:
> Feb 4 10:15:26 s-graph smbd[28960]: [2016/02/04 10:15:26.529467, 0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:15:26 s-graph smbd[28960]: NTLMSSP NTLM2 packet check
> failed due to invalid signature!
> Feb 4 10:15:26 s-graph smbd[28960]: [2016/02/04 10:15:26.539866, 0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:15:26 s-graph smbd[28960]: NTLMSSP NTLM2 packet check
> failed due to invalid signature!
> Feb 4 10:15:47 s-graph smbd[28963]: [2016/02/04 10:15:47.992997, 0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:15:47 s-graph smbd[28963]: NTLMSSP NTLM2 packet check
> failed due to invalid signature!
> Feb 4 10:15:48 s-graph smbd[28963]: [2016/02/04 10:15:48.003989, 0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:15:48 s-graph smbd[28963]: NTLMSSP NTLM2 packet check
> failed due to invalid signature!
> Feb 4 10:16:01 s-graph smbd[28963]: [2016/02/04 10:16:01.075622, 0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:16:01 s-graph smbd[28963]: NTLMSSP NTLM2 packet check
> failed due to invalid signature!
> Feb 4 10:17:16 s-graph smbd[28969]: [2016/02/04 10:17:16.574940, 0]
> ../libcli/smb/smb_signing.c:138(smb_signing_good)
> Feb 4 10:17:16 s-graph smbd[28969]: smb_signing_good: BAD SIG: seq
> 2
> Feb 4 10:17:16 s-graph smbd[28969]: [2016/02/04 10:17:16.579065, 0]
> ../source3/smbd/process.c:571(receive_smb_talloc)
> Feb 4 10:17:16 s-graph smbd[28969]: receive_smb: SMB Signature
> verification failed on incoming packet!
In the log file of the PDC I see this message:
> Feb 4 09:56:36 s-domino smbd[26114]: [2016/02/04
> 09:56:36.010299, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> Feb 4 09:56:36 s-domino smbd[26114]: _netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from
> client S-GRAPH machine account S-GRAPH$
> Feb 4 10:19:32 s-domino smbd[25808]: [2016/02/04
> 10:19:32.599553, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> Feb 4 10:19:32 s-domino smbd[25808]: _netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from
> client S-GRAPH machine account S-GRAPH$
After restarting winbind on CentOS 7 everything starts to work properly.
This problem also occurs on another network with the same scenario and
the same configuration; in that case, without a useful suggestion [1], I
resolved to put a "systemctl restart winbind.service" into cron.daily/
Can someone suggest how to resolve this problem without restarting
the service?
The "testparm -s" output of the two servers follows [2]
Many thanks
Dario
[1] - https://lists.samba.org/archive/samba/2015-September/194284.html
[2] - testparm -s
CentOS 7 - Domain member:
> # Global parameters
> [global]
> workgroup = DOM
> interfaces = lo ens32
> security = DOMAIN
> passdb backend = tdbsam:/etc/samba/account.tdb
> log file = /var/log/samba/log.%m
> max log size = 50
> unix extensions = No
> server signing = required
> load printers = No
> printcap name = /dev/null
> preferred master = No
> local master = No
> domain master = No
> wins server = 192.168.0.10
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> idmap config graphimedia : backend = rid
> idmap config graphimedia : range = 1000000-9999999
> idmap config * : range = 2000-9999
> idmap config * : backend = tdb
> printing = bsd
> cups options = raw
> store dos attributes = Yes
CentOS 6 - PDC
> [global]
> workgroup = DOM
> netbios aliases = s-afp1, s-printer
> server string = %L
> interfaces = lo, eth0
> passdb backend = tdbsam:/etc/samba/account.tdb
> log file = /var/log/samba/log.%m
> max log size = 50
> smb ports = 139
> unix extensions = No
> show add printer wizard = No
> add user script = /usr/sbin/useradd -m -c "Utente Samba (%u)"
> -g smbusers -d "/u/samba/home/%u" -s /sbin/nologin "%u"
> delete user script = test 0$(id -u "%u" 2>/dev/null) -gt
> 100 && /usr/sbin/userdel "%u"
> add group script = /usr/sbin/groupadd "%g"
> delete group script = test 0$(id -g "%g" 2>/dev/null) -gt
> 100 && /usr/sbin/groupdel "%g"
> add user to group script = /usr/bin/gpasswd -a "%u" "%g"
> delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
> set primary group script = /usr/sbin/usermod -g "%g" "%u"
> add machine script = /usr/sbin/useradd -M -c "Computer di
> dominio (%u)" -g smbhosts -d /tmp/smbpc -s /sbin/nologin "%u"
> logon script = netlogon.bat
> logon path =
> logon drive = X:
> logon home = \\%L\%U
> domain logons = Yes
> os level = 83
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> utmp directory = /var/log/samba/utmp
> wtmp directory = /var/log/samba/wtmp
> utmp = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind trusted domains only = Yes
> idmap config * : range = 16777216-33554431
> idmap config * : backend = tdb
> cups options = raw
> map archive = No
> map readonly = no
> store dos attributes = Yes
--
Dario Lesca
(sent from my Linux Fedora 23 Workstation)
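
A log-triage script for the failure described above, added here as an example (it is not from the original post or from the Samba project). It pairs each Samba header line with the message that follows it, then reports domain members whose machine account the PDC rejected and which also log signing failures locally; the event labels, and the assumption that a member's machine account is its upper-cased hostname plus "$", are this example's own.

```python
import re
from collections import Counter

# Constructed sample: records from the post, unwrapped to one syslog line each.
SAMPLE = """\
Feb 4 10:15:26 s-graph smbd[28960]: [2016/02/04 10:15:26.529467, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
Feb 4 10:15:26 s-graph smbd[28960]: NTLMSSP NTLM2 packet check failed due to invalid signature!
Feb 4 10:17:16 s-graph smbd[28969]: [2016/02/04 10:17:16.574940, 0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
Feb 4 10:17:16 s-graph smbd[28969]: smb_signing_good: BAD SIG: seq 2
Feb 4 09:56:36 s-domino smbd[26114]: [2016/02/04 09:56:36.010299, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
Feb 4 09:56:36 s-domino smbd[26114]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client S-GRAPH machine account S-GRAPH$
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) smbd\[(\d+)\]: (.*)$")
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*\d+\] \S+:\d+\((\w+)\)$")
KINDS = {  # Samba source function -> event label (labels are this example's own)
    "ntlmssp_check_packet": "ntlmssp_bad_signature",
    "smb_signing_good": "smb_bad_signature",
    "_netr_ServerAuthenticate3": "netlogon_creds_rejected",
}

def parse_events(text):
    """Pair each Samba header line with the message line that follows it."""
    pending, events = {}, []
    for line in text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        host, pid, body = m.groups()
        h = HEADER.match(body)
        if h:
            pending[(host, pid)] = h.groups()  # (timestamp, function)
        elif (host, pid) in pending:
            ts, func = pending.pop((host, pid))
            acct = re.search(r"machine account (\S+\$)", body)
            events.append({"host": host, "time": ts, "message": body,
                           "kind": KINDS.get(func, "other"),
                           "account": acct.group(1) if acct else None})
    return events

def broken_members(events):
    """Members rejected by the PDC that also log signature failures locally."""
    rejected = {e["account"] for e in events if e["kind"] == "netlogon_creds_rejected"}
    sig = Counter(e["host"] for e in events if e["kind"].endswith("bad_signature"))
    return {h: n for h, n in sig.items() if h.upper() + "$" in rejected}

if __name__ == "__main__":
    print(broken_members(parse_events(SAMPLE)))
```

Fed the combined logs of the member and the PDC, it can raise an alert when the trust breaks instead of relying on a blind daily restart.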