[Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)

L.P.H. van Belle belle at bazuin.nl
Wed Oct 19 11:19:05 UTC 2016


Fixed by reverting to 4.4.5.

If you have to do this also, make sure ALL samba-related packages are downgraded (tevent, talloc, ldb, tdb, samba, winbind, etc.).


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> Sent: Wednesday 19 October 2016 9:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
> 
> I reviewed a few other servers; all on 4.4.5 work fine.
> The few I am testing now with 4.4.6 all show the same errors in the logs.
> 
> The smb.conf of this setup:
> P.S.
> This server is accessed only by Windows clients, so this is why all the
> shares have: acl_xattr:ignore system acl = yes
> 
> 
> [global]
>     workgroup = NTDOM
>     security = ADS
>     realm = INTERNAL.DOMAIN.TLD
>     netbios name = MEMBER1
> 
>     # Prio member server1. LVL-1/4 (user homes and profiles)
>     # set master browser for the network.
>     # preferred + domain master = guarantee master browser ( man smb.conf )
>     preferred master = yes
>     domain master = yes
>     host msdfs = no
> 
>     interfaces = 192.168.0.1 127.0.0.1
>     bind interfaces only = yes
>     dns proxy = yes
> 
>     server signing = mandatory
>     ntlm auth = no
> 
>     # Add and Update TLS Key
>     tls enabled = yes
>     tls keyfile = /etc/ssl/local/private/keyfile.key.pem
>     tls certfile = /etc/ssl/local/certs/certfile.cert.pem
>     tls cafile = /etc/ssl/certs/company-ca.pem
> 
>     ## map ids outside the domain to tdb files.
>     idmap config * :backend = tdb
>     idmap config * :range = 2000-9999
> 
>     ## map ids from the domain; the ranges may not overlap!
>     idmap config NTDOM : backend = ad
>     idmap config NTDOM : schema_mode = rfc2307
>     idmap config NTDOM : range = 10000-3999999
> 
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
> 
>     # renew the kerberos ticket
>     winbind refresh tickets = yes
> 
>     # Use home directory and shell information from AD
>     winbind nss info = rfc2307
> 
>     winbind trusted domains only = no
>     winbind use default domain = yes
> 
>     # Global, defaults No.
>     # show users with id/getent
>     winbind enum users  = yes
>     winbind enum groups = yes
> 
>     # enable offline logins
>     winbind offline logon = yes
> 
>     # check depth of nested groups,
>     # ! slows down your samba if the group depth is too high ( min 4 )
>     winbind expand groups = 4
> 
>     # user Administrator workaround, without it you are unable to set privileges
>     username map = /etc/samba/samba_usermapping
> 
>     # disable usershares creating, when set empty no error log messages.
>     usershare path =
> 
>     # Disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
>     # For Windows ACL support on member file server, enabled globally, OBLIGATED
>     # For a mixed setup of rights, put this per share!
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
> 
>     # Share Setting Globally
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
> 
> ######## SHARE DEFINITIONS ################
> [profiles]
>     # windows profiles
>     browseable = yes
>     path = /home/samba/profiles
>     read only = no
>     acl_xattr:ignore system acl = yes
> 
> [users]
>     # Users homes
>     browseable = yes
>     path = /home/samba/users
>     read only = no
>     acl_xattr:ignore system acl = yes
> 
> [public]
>     # Distribution share
>     browseable = yes
>     path = /home/samba/public
>     read only = no
>     acl_xattr:ignore system acl = yes
> 
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> > Sent: Wednesday 19 October 2016 9:02
> > To: samba at lists.samba.org
> > Subject: [Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
> >
> > Hi,
> >
> > I had some users today that couldn't log in.
> > Windows stopped at the "Welcome" screen.
> >
> > Now, I checked the logs and I noticed a change in winbind.
> > I noticed 2 log files with a 1000% increase in size: log.winbindd-idmap
> > and log.wb-NTDOM.
> >
> > Before ( samba 4.4.5 ) log.winbindd-idmap
> >
> > [2016/09/30 11:32:37.040567,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/09/30 11:33:17.967227,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/05 16:18:58.799428,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/12 13:31:55.689930,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/18 15:35:41.931491,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/19 01:39:57.249786,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> >
> > ( the last line was a restart of winbind.)
> >
> >
> >
> > after ( 4.4.6 ) log.winbindd-idmap
> >
> > [2016/10/18 15:35:41.931491,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/19 01:39:57.249786,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/19 01:39:57.255431,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> > [2016/10/19 01:44:56.909360,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> >
> >
> >
> > Before ( samba 4.4.5 ) log.wb-NTDOM
> >
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/12 13:31:55.689792,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/12 13:32:05.276839,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/13 00:32:19.370114,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/18 15:35:41.931396,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/18 15:35:54.299672,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/19 01:36:08.441464,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> >
> >
> >
> > after ( 4.4.6 ) log.wb-NTDOM
> >
> > [2016/10/19 01:36:08.441464,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/19 01:36:08.446288,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> > [2016/10/19 01:36:08.510460,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/19 01:36:08.510540,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> > [2016/10/19 01:36:39.285046,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/19 01:36:39.285142,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> >
> >
> >
> >
> >
> > The fix was very simple.
> >
> > Turned off the PC, restarted winbind on this server, and these users could
> > log in again.
> >
> > I did not update my DCs, since I've seen more about this on the mailing
> > list.
> >
> > The server in question is a samba member server, and this server contains
> > the profiles and users' home folders.
> >
> > Debian Jessie, samba/winbind 4.4.6
> >
> > The strange thing here: about 60 users logged in OK and 3 did not.
> >
> > This is the first time this has happened since I've been running 4.2 and up,
> > so I'm very sure this is a bug.
> >
> > Anyone, is this a known bug, and if so, is there any patch I can test?
> > Or anything else I can do to help debug this if there is no patch?
> >
> > Greetz,
> >
> > Louis
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
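The two "before/after" log excerpts quoted above differ in rate rather than in kind: on 4.4.5 a single "context has expired" shows up roughly once a day around a ticket refresh, while on 4.4.6 the same line is immediately followed by `ads_sasl_spnego_bind` failing and the pair repeats within seconds. The following is an added example, not code from Louis's mail or from the Samba project, that parses winbind's two-line log records and flags that burst pattern with a sliding time window. The log samples are constructed in the shape of the quoted excerpts (not verbatim copies), and the five-minute window and threshold of three failures are assumptions for this check, not Samba settings.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# A Samba log record is a header line ("[timestamp, level] file:line(function)")
# followed by one or more indented message lines.  The mail client wrapped the
# headers in the thread; real log files keep each header on one line, which is
# the shape this parser expects.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

# Constructed samples modelled on the thread's log.wb-NTDOM excerpts:
# the 4.4.5 shape first, the 4.4.6 shape second.  Not verbatim copies.
LOG_445 = """\
[2016/10/12 13:31:55.689930,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/13 00:32:19.370114,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.441464,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
"""

LOG_446 = """\
[2016/10/18 15:35:41.931396,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/19 01:36:08.441464,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.446288,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
  internal error occurred.
[2016/10/19 01:36:08.510460,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.510540,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
  internal error occurred.
[2016/10/19 01:36:39.285046,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:39.285142,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
  internal error occurred.
"""

# (function, substring of the message) pairs that identify a failed
# Kerberos bind from winbind to the DC, taken from the quoted log lines.
KRB_AUTH_FAILURES = (
    ("gse_get_client_auth_token", "gss_init_sec_context failed"),
    ("ads_sasl_spnego_bind", "ads_sasl_spnego_gensec_bind(KRB5) failed"),
)


def parse_samba_log(text):
    """Return a list of records: ts, level, file, line, func, message.
    Indented continuation lines are joined into the current message."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current:
                records.append(current)
            current = {
                "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m.group("level")),
                "file": m.group("file"),
                "line": int(m.group("line")),
                "func": m.group("func"),
                "message": "",
            }
        elif current is not None and raw[:1].isspace() and raw.strip():
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    if current:
        records.append(current)
    return records


def is_krb_auth_failure(rec):
    return any(rec["func"] == func and needle in rec["message"]
               for func, needle in KRB_AUTH_FAILURES)


def failures_by_function(records):
    """Counter of which function reported each Kerberos auth failure."""
    return Counter(r["func"] for r in records if is_krb_auth_failure(r))


def max_failures_in_window(records, window=timedelta(minutes=5)):
    """Largest number of Kerberos auth failures inside any sliding window.
    Failures days apart (normal ticket expiry) score 1; a 4.4.6-style burst
    of 'context expired' + failed SPNEGO bind pairs scores much higher."""
    failures = [r["ts"] for r in records if is_krb_auth_failure(r)]
    best, start = 0, 0
    for end, ts in enumerate(failures):
        while ts - failures[start] > window:   # slide the window forward
            start += 1
        best = max(best, end - start + 1)
    return best


def needs_attention(records, threshold=3, window=timedelta(minutes=5)):
    """True when the log shows the repeated-bind-failure pattern (assumed threshold)."""
    return max_failures_in_window(records, window) >= threshold


if __name__ == "__main__":
    for label, text in (("4.4.5", LOG_445), ("4.4.6", LOG_446)):
        recs = parse_samba_log(text)
        print(label, dict(failures_by_function(recs)), "alert:", needs_attention(recs))
```

Run against a real `log.wb-<DOMAIN>` the same way (`parse_samba_log(open(path).read())`); the interesting signal is not the single expiry line, which winbind logs on every ticket rotation, but several of them together with `ads_sasl_spnego_bind` failures and no `winbindd_sig_term_handler` (restart) record in between. A file growing by 1000%, as Louis observed, is the coarse version of the same check.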
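The smb.conf quoted above carries two properties worth checking mechanically on a member server: the idmap ranges for `*` and for the domain must not overlap (the comment in the config says so), and every share that Windows clients write to should carry the `acl_xattr:ignore system acl = yes` setting Louis describes. Below is an added example, not part of the thread or of Samba, that parses smb.conf (sections, `key = value`, `#`/`;` comments, parameter names with embedded spaces and colons) and runs those checks. The config literal is a constructed excerpt of the quoted one, with the setting deliberately left off one share so the audit has something to report; the whitespace-stripping key normalisation is this checker's own simplification, not a description of smbd's parser.

```python
import re

# Constructed excerpt of the smb.conf quoted in the thread (comments dropped,
# most parameters omitted).  [public] deliberately lacks the acl_xattr setting
# that the real config has, so the audit below produces a finding.
SMB_CONF = """\
[global]
    workgroup = NTDOM
    security = ADS
    realm = INTERNAL.DOMAIN.TLD
    server signing = mandatory
    ntlm auth = no
    tls enabled = yes
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    vfs objects = acl_xattr
    map acl inherit = yes

[profiles]
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

[public]
    path = /home/samba/public
    read only = no
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def normalise_key(key):
    """Strip all whitespace and lowercase, so 'idmap config NTDOM : range' and
    'idmap config NTDOM:range' compare equal (this checker's simplification)."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section name: {normalised key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name").strip(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[normalise_key(key)] = value.strip()
    return sections


def idmap_ranges(global_section):
    """Every 'idmap config <domain> : range = lo-hi' as (domain, lo, hi)."""
    out = []
    for key, value in global_section.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            out.append((m.group(1), lo, hi))
    return out


def overlapping_ranges(ranges):
    """Pairs of domains whose [lo, hi] ranges intersect."""
    overlaps = []
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                overlaps.append((d1, d2))
    return overlaps


def audit(conf):
    """Findings as strings; an empty list means every check passed."""
    g = conf.get("global", {})
    findings = []
    if g.get("serversigning", "").lower() != "mandatory":
        findings.append("server signing is not mandatory")
    if g.get("ntlmauth", "").lower() != "no":
        findings.append("ntlm auth is not set to no")
    for d1, d2 in overlapping_ranges(idmap_ranges(g)):
        findings.append(f"idmap ranges for {d1} and {d2} overlap")
    for name, share in conf.items():
        if name != "global" and share.get("acl_xattr:ignoresystemacl", "").lower() != "yes":
            findings.append(f"share [{name}] does not set acl_xattr:ignore system acl")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SMB_CONF)):
        print("FINDING:", finding)
```

The two `server signing` / `ntlm auth` checks simply mirror what the quoted config sets; the overlap check is the one that catches a real misconfiguration, since a `*` range that reaches into the domain's `ad` range hands out conflicting ids. `testparm` is still the authoritative parser; this script only layers policy checks on top of a plain reading of the file.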