[Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
Oliver Werner
oliver.werner at kontrast.de
Mon Oct 3 15:56:07 UTC 2016
hey,
now after observe last changes on the weekend… i have also the issue.
After 10 hours i can’t connect to the shares on my member server.
On Log of DC i found this:
[2016/10/02 20:35:45.601265, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ PL0024$@HQ.KONTRAST from ipv4:<member-ip>:55578 for krbtgt/HQ.KONTRAST at HQ.KONTRAST
[2016/10/02 20:35:45.605069, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- PL0024$@HQ.KONTRAST
[2016/10/02 20:35:45.605960, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ PL0024$@HQ.KONTRAST from ipv4:<member-ip>:52659 for krbtgt/HQ.KONTRAST at HQ.KONTRAST
[2016/10/02 20:35:45.610083, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp
[2016/10/02 20:35:45.610128, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- PL0024$@HQ.KONTRAST
[2016/10/02 20:35:45.610144, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- PL0024$@HQ.KONTRAST
[2016/10/02 20:35:45.610200, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- PL0024$@HQ.KONTRAST using arcfour-hmac-md5
[2016/10/02 20:35:45.617582, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2016-10-02T20:35:45 starttime: unset endtime: 2016-10-03T06:35:45 renew till: 2016-10-09T20:35:45
[2016/10/02 20:35:45.617699, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfou
r-hmac-md5
[2016/10/02 20:35:45.617748, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable, forwardable
[2016/10/02 20:35:45.619243, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED‘
That looks ok, yes? When i see it means my member got a new ticket?
But i found this on member:
[2016/10/03 17:50:03.311002, 10, pid=26714, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:512(child_process_request)
child_process_request: request fn NDRCMD
[2016/10/03 17:50:03.311015, 10, pid=26714, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_ndr.c:315(winbindd_dual_ndrcmd)
winbindd_dual_ndrcmd: Running command WBINT_LOOKUPNAME (HQKONTRAST)
[2016/10/03 17:50:03.311064, 10, pid=26714, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:467(fetch_cache_seqnum)
fetch_cache_seqnum: success [HQKONTRAST][4294967295 @ 1475509803]
[2016/10/03 17:50:03.311081, 3, pid=26714, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1493(sequence_number)
ads: fetch sequence_number for HQKONTRAST
[2016/10/03 17:50:03.311119, 10, pid=26714, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:230(ads_cached_connection)
ads_cached_connection
[2016/10/03 17:50:03.311191, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: "vl0227.hq.kontrast, *"
[2016/10/03 17:50:03.321144, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server <DC-IP>
[2016/10/03 17:50:03.321230, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: "vl0227.hq.kontrast, *"
[2016/10/03 17:50:03.323699, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: "vl0227.hq.kontrast, *"
[2016/10/03 17:50:03.328830, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: "vl0227.hq.kontrast, *"
[2016/10/03 17:50:03.332100, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server <DC-IP>
[2016/10/03 17:50:03.332177, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: "vl0227.hq.kontrast, *"
[2016/10/03 17:50:03.335277, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: "vl0227.hq.kontrast, *"
[2016/10/03 17:50:03.343177, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server <DC-IP>5
[2016/10/03 17:50:03.343268, 3] ../source3/libads/ldap.c:661(ads_connect)
Connected to LDAP server vl0227.hq.kontrast
[2016/10/03 17:50:03.350195, 3] ../source3/libads/sasl.c:733(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2016/10/03 17:50:03.350226, 3] ../source3/libads/sasl.c:733(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2016/10/03 17:50:03.350238, 3] ../source3/libads/sasl.c:733(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2016/10/03 17:50:03.379973, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/03 17:50:03.380079, 1] ../auth/gensec/spnego.c:623(gensec_spnego_create_negTokenInit)
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2016/10/03 17:50:03.380131, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/03 17:50:03.380176, 1, pid=26714, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
ads_connect for domain HQKONTRAST failed: An internal error occurred.
[2016/10/03 17:50:03.380272, 3, pid=26714, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1493(sequence_number)
ads: fetch sequence_number for HQKONTRAST
[2016/10/03 17:50:03.380291, 10, pid=26714, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:230(ads_cached_connection)
ads_cached_connection
may this helps to find the problem :/
OLIVER WERNER
Systemadministrator
> Am 30.09.2016 um 14:53 schrieb Oliver Werner via samba <samba at lists.samba.org>:
>
> Ok lets try it :)
>
>
> So… here the awnser for your last questions
>
> Did you create the libnss_win* links ?
>
> yes i have add winbind in nsswitch.
>
> Do you require your users to have home directories on the domain member?
>
> yes but not on this member
>
>
>
> OLIVER WERNER
> Systemadministrator
>
>
>> Am 30.09.2016 um 14:43 schrieb Rowland Penny via samba <samba at lists.samba.org>:
>>
>> On Fri, 30 Sep 2016 14:31:06 +0200
>> Oliver Werner <oliver.werner at kontrast.de> wrote:
>>
>>> Hi rowland,
>>>
>>> is pam really need?
>>>
>>> Users should not login via terminal to this system. this is only as
>>> Samba File-Server
>>>
>>
>> Lets put it this way, to connect to the domain member your users must
>> be known to the underlying OS.
>>
>> The domain member I am typing this on, uses a smb.conf very similar to
>> yours and has been up for nearly 16 days. The only difference that I
>> can see between your setup and mine, is the PAM configuration.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list