[Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
L.P.H. van Belle
belle at bazuin.nl
Wed Oct 19 07:23:03 UTC 2016
I reviewed a few other servers; all on 4.4.5 work fine.
The few I am testing now with 4.4.6 all show the same errors in the logs.
The smb.conf of this setup:
P.S.
This server is accessed only by Windows clients, so this is why all the shares have: acl_xattr:ignore system acl = yes
[global]
    workgroup = NTDOM
    security = ADS
    realm = INTERNAL.DOMAIN.TLD
    netbios name = MEMBER1
    # Prio member server1. LVL-1/4 (user homes and profiles)
    # set master browser for the network.
    # preferred + domain master = guarantee master browser ( man smb.conf )
    preferred master = yes
    domain master = yes
    host msdfs = no
    interfaces = 192.168.0.1 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes
    server signing = mandatory
    ntlm auth = no
    # Add and Update TLS Key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/keyfile.key.pem
    tls certfile = /etc/ssl/local/certs/certfile.cert.pem
    tls cafile = /etc/ssl/certs/company-ca.pem
    ## map IDs from outside the domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    ## map IDs from the domain; the ranges may not overlap!
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes
    # Use home directory and shell information from AD
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    # Global, defaults No.
    # show users with id/getent
    winbind enum users = yes
    winbind enum groups = yes
    # enable offline logins
    winbind offline logon = yes
    # check depth of nested groups,
    # ! slows down your samba if the group nesting is too deep ( min 4 )
    winbind expand groups = 4
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping
    # disable usershare creation; when set empty there are no error log messages.
    usershare path =
    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    # For Windows ACL support on a member file server, enabled globally, REQUIRED
    # For a mixed setup of rights, put this per share!
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    # Share Settings Globally
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

######## SHARE DEFINITIONS ################
[profiles]
    # windows profiles
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

[users]
    # Users homes
    browseable = yes
    path = /home/samba/users
    read only = no
    acl_xattr:ignore system acl = yes

[public]
    # Distribution share
    browseable = yes
    path = /home/samba/public
    read only = no
    acl_xattr:ignore system acl = yes
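The comment in the idmap section above says the per-domain ranges may not overlap. The following is an added example (not code from the post or from the Samba project) that parses the `idmap config` lines of an smb.conf and reports missing or overlapping ranges; the two config fragments at the bottom are constructed, the first mirroring the post's config and the second deliberately broken.

```python
"""Check the idmap configuration of an smb.conf for overlapping ranges.

Added example, not code from the original post or from the Samba
project. It parses the 'idmap config <domain> : <key> = <value>' lines
(the spacing around ':' is as loose as the post's own config), then
reports ranges that overlap or are missing. The two smb.conf fragments
at the bottom are constructed: GOOD_CONF mirrors the post's member-server
config, BAD_CONF deliberately overlaps the '*' and NTDOM ranges.
"""
import re

IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(text):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                        # skip comments and blank lines
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("domain").upper()
            cfg.setdefault(dom, {})[m.group("key").lower()] = m.group("value")
    return cfg


def parse_range(value):
    """'2000-9999' -> (2000, 9999); raises ValueError on malformed input."""
    lo, hi = (int(part) for part in value.split("-"))
    if lo > hi:
        raise ValueError("range low > high: %s" % value)
    return lo, hi


def check_idmap(text):
    """Return a list of problem strings; an empty list means the ranges are sane."""
    cfg = parse_idmap_config(text)
    problems = []
    if "*" not in cfg or "range" not in cfg["*"]:
        problems.append("missing 'idmap config * : range' (default backend)")
    ranges = {}
    for dom, keys in cfg.items():
        if "backend" not in keys:
            problems.append("%s: no backend configured" % dom)
        if "range" not in keys:
            continue
        try:
            ranges[dom] = parse_range(keys["range"])
        except ValueError as exc:
            problems.append("%s: bad range %r (%s)" % (dom, keys["range"], exc))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:    # closed intervals intersect
                problems.append("%s range %d-%d overlaps %s range %d-%d"
                                % (a, alo, ahi, b, blo, bhi))
    return problems


# Constructed fragment mirroring the post's config: disjoint ranges.
GOOD_CONF = """\
[global]
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
"""

# Constructed fragment with a deliberate overlap between '*' and NTDOM.
BAD_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-20000
    idmap config NTDOM : backend = ad
    idmap config NTDOM : range = 10000-3999999
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run it against `/etc/samba/smb.conf` (or better, against `testparm -s` output, which expands includes) before restarting winbind; an overlapping or missing range silently breaks SID-to-uid mapping rather than failing loudly.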
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> via samba
> Sent: Wednesday, 19 October 2016 9:02
> To: samba at lists.samba.org
> Subject: [Samba] auth problems with samba 4.4.6 (winbind) *(suspected
> bug)
>
> Hi,
>
> I had some users today that couldn't log in.
> Windows stopped at the "Welcome" screen.
>
> Now I checked the logs and I noticed a change in winbind.
> I noticed 2 log files with a 1000% increase in size: log.winbindd-idmap
> and log.wb-NTDOM
>
> Before (samba 4.4.5) log.winbindd-idmap
>
> [2016/09/30 11:32:37.040567, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/09/30 11:33:17.967227, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/05 16:18:58.799428, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/12 13:31:55.689930, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/18 15:35:41.931491, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/19 01:39:57.249786, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
>   gss_init_sec_context failed with [ The context has expired: Success]
>
> (the last line was a restart of winbind.)
>
> After (4.4.6) log.winbindd-idmap
>
> [2016/10/18 15:35:41.931491, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/19 01:39:57.249786, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
>   gss_init_sec_context failed with [ The context has expired: Success]
> [2016/10/19 01:39:57.255431, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> [2016/10/19 01:44:56.909360, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
>   gss_init_sec_context failed with [ The context has expired: Success]
>
> Before (samba 4.4.5) log.wb-NTDOM
>
>   gss_init_sec_context failed with [ The context has expired: Success]
> [2016/10/12 13:31:55.689792, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/12 13:32:05.276839, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/13 00:32:19.370114, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
>   gss_init_sec_context failed with [ The context has expired: Success]
> [2016/10/18 15:35:41.931396, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/18 15:35:54.299672, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2016/10/19 01:36:08.441464, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
>   gss_init_sec_context failed with [ The context has expired: Success]
>
> After (4.4.6) log.wb-NTDOM
>
> [2016/10/19 01:36:08.441464, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
>   gss_init_sec_context failed with [ The context has expired: Success]
> [2016/10/19 01:36:08.446288, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> [2016/10/19 01:36:08.510460, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
>   gss_init_sec_context failed with [ The context has expired: Success]
> [2016/10/19 01:36:08.510540, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> [2016/10/19 01:36:39.285046, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
>   gss_init_sec_context failed with [ The context has expired: Success]
> [2016/10/19 01:36:39.285142, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
>
> The fix was very simple.
>
> Turned off the PC.
> Restarted winbind on this server and these users could log in again.
>
> I did not update my DCs, since I've seen more about this on the mailing
> list.
>
> The server in question is a samba member server, and this server contains
> the profiles and users' home folders.
> Debian Jessie, samba/winbind 4.4.6
>
> The strange thing here:
> About 60 users logged in OK and 3 did not.
> This is the first time this has happened since I've been running 4.2 and up,
> so I'm very sure this is a bug.
>
> Anyone, is this a known bug,
> and if so, is there any patch I can test?
> Or anything else I can do to help debug this if there is no patch?
>
> Greetz,
>
> Louis
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
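The post's diagnosis rests on comparing two winbind logs by eye: on 4.4.5 the "context has expired" line is followed by a clean re-auth, on 4.4.6 it is immediately followed by "kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed". The following is an added example, not code from the post or from the Samba project, that pairs Samba's two-line log records back together and counts that sequence so the comparison can be done on a full log.* directory instead of an excerpt. The two log samples are constructed from the excerpts quoted above, re-joined onto Samba's normal layout (header line, then indented message); the five-second pairing window is an assumption.

```python
"""Scan Samba winbind logs for the 'context expired, then re-bind failed' pattern.

Added example, not code from the original post or from the Samba
project. Samba writes each log record as a header line
'[YYYY/MM/DD HH:MM:SS.usec,  level] file:line(function)' followed by an
indented message line; parse_samba_log() pairs those back up, and
analyse() counts the three events discussed in the post: winbind
restarts (sig 15), expired GSSAPI contexts in gse_get_client_auth_token,
and the ads_sasl_spnego_gensec_bind(KRB5) failure that only shows up in
the 4.4.6 logs. LOG_445 and LOG_446 are constructed from the post's
excerpts. The 5-second pairing window is an assumption.
"""
import re
from datetime import datetime, timedelta

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+)\((?P<func>\w+)\)\s*$"
)

SIGTERM = "Got sig[15] terminate"
EXPIRED = "The context has expired"
BIND_FAILED = "ads_sasl_spnego_gensec_bind(KRB5) failed"


def parse_samba_log(text):
    """Return a list of (timestamp, function, message) records."""
    records, header, msg = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            if header is not None:
                records.append((header[0], header[1], " ".join(msg)))
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            header, msg = (ts, m.group("func")), []
        elif header is not None and line.strip():
            msg.append(line.strip())        # continuation lines belong to the open record
    if header is not None:
        records.append((header[0], header[1], " ".join(msg)))
    return records


def analyse(records, window=timedelta(seconds=5)):
    """Count the events and pair each expired context with a bind failure
    that follows it within `window` (in the post's 4.4.6 logs they are a
    few milliseconds apart)."""
    summary = {"restarts": 0, "expired": 0, "bind_failed": 0,
               "expired_then_bind_failed": []}
    last_expired = None
    for ts, func, msg in records:
        if func == "winbindd_sig_term_handler" and SIGTERM in msg:
            summary["restarts"] += 1
        elif func == "gse_get_client_auth_token" and EXPIRED in msg:
            summary["expired"] += 1
            last_expired = ts
        elif func == "ads_sasl_spnego_bind" and BIND_FAILED in msg:
            summary["bind_failed"] += 1
            if last_expired is not None and ts - last_expired <= window:
                summary["expired_then_bind_failed"].append(ts)
                last_expired = None         # each expiry is paired at most once
    return summary


# Constructed from the post's 4.4.5 log.winbindd-idmap excerpt.
LOG_445 = """\
[2016/10/18 15:35:41.931491,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/19 01:39:57.249786,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
"""

# Constructed from the post's 4.4.6 log.wb-NTDOM excerpt.
LOG_446 = """\
[2016/10/19 01:36:08.441464,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.446288,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 01:36:08.510460,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.510540,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 01:36:39.285046,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:39.285142,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
"""

if __name__ == "__main__":
    for name, text in (("4.4.5", LOG_445), ("4.4.6", LOG_446)):
        print(name, analyse(parse_samba_log(text)))
```

On a real system, feed it the contents of `/var/log/samba/log.wb-*` and `log.winbindd-idmap`; a non-empty `expired_then_bind_failed` list is the signature the post associates with the users stuck at the Welcome screen, and `restarts` tells you whether someone has already applied the winbind-restart workaround.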