[Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
L.P.H. van Belle
belle at bazuin.nl
Wed Oct 19 11:19:05 UTC 2016
Fixed by reverting to 4.4.5.
If you have to do this also, make sure ALL samba related packages are downgraded. (tevent talloc ldb tdb samba winbind etc.. )
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> Sent: Wednesday 19 October 2016 9:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
>
> I reviewed a few other servers; all on 4.4.5 work fine.
> The few I tested now with 4.4.6 all show the same errors in the logs.
>
> The smb.conf of this setup.
> P.S.
> This server is accessed only by Windows clients, so this is why all the
> shares have: acl_xattr:ignore system acl = yes
>
> [global]
> workgroup = NTDOM
> security = ADS
> realm = INTERNAL.DOMAIN.TLD
> netbios name = MEMBER1
>
> # Prio member server1. LVL-1/4 (user homes and profiles)
> # set master browser for the network.
> # preferred + domain master = guarantee master browser (man smb.conf)
> preferred master = yes
> domain master = yes
> host msdfs = no
>
> interfaces = 192.168.0.1 127.0.0.1
> bind interfaces only = yes
> dns proxy = yes
>
> server signing = mandatory
> ntlm auth = no
>
> # Add and Update TLS Key
> tls enabled = yes
> tls keyfile = /etc/ssl/local/private/keyfile.key.pem
> tls certfile = /etc/ssl/local/certs/certfile.cert.pem
> tls cafile = /etc/ssl/certs/company-ca.pem
>
> ## map ids from outside the domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
> ## map ids from the domain; the ranges may not overlap!
> idmap config NTDOM : backend = ad
> idmap config NTDOM : schema_mode = rfc2307
> idmap config NTDOM : range = 10000-3999999
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> winbind trusted domains only = no
> winbind use default domain = yes
>
> # Global, defaults No.
> # show users with id/getent
> winbind enum users = yes
> winbind enum groups = yes
>
> # enable offline logins
> winbind offline logon = yes
>
> # check depth of nested groups,
> # ! slows down your samba if the group depth is too large (min 4)
> winbind expand groups = 4
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> # disable usershare creation; when set empty, no error log messages.
> usershare path =
>
> # Disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # For Windows ACL support on a member file server, enabled globally, OBLIGATED
> # For a mixed setup of rights, put this per share!
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Share Settings Globally
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> ######## SHARE DEFINITIONS ################
> [profiles]
> # windows profiles
> browseable = yes
> path = /home/samba/profiles
> read only = no
> acl_xattr:ignore system acl = yes
>
> [users]
> # Users homes
> browseable = yes
> path = /home/samba/users
> read only = no
> acl_xattr:ignore system acl = yes
>
> [public]
> # Distribution share
> browseable = yes
> path = /home/samba/public
> read only = no
> acl_xattr:ignore system acl = yes
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> > Sent: Wednesday 19 October 2016 9:02
> > To: samba at lists.samba.org
> > Subject: [Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
> >
> > Hai,
> >
> > I had some users today that couldn't log in.
> > Windows stopped at the 'Welcome' screen.
> >
> > Now, I checked the logs and I noticed a change in winbind.
> > I noticed 2 log files with a 1000% increase in size: log.winbindd-idmap
> > and log.wb-NTDOM
> >
> > Before (samba 4.4.5) log.winbindd-idmap
> >
> > [2016/09/30 11:32:37.040567, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/09/30 11:33:17.967227, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/05 16:18:58.799428, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/12 13:31:55.689930, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/18 15:35:41.931491, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/19 01:39:57.249786, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> >
> > (the last line was a restart of winbind.)
> >
> > After (4.4.6) log.winbindd-idmap
> >
> > [2016/10/18 15:35:41.931491, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/19 01:39:57.249786, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/19 01:39:57.255431, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> > [2016/10/19 01:44:56.909360, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> >
> >
> > Before (samba 4.4.5) log.wb-NTDOM
> >
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/12 13:31:55.689792, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/12 13:32:05.276839, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/13 00:32:19.370114, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/18 15:35:41.931396, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/18 15:35:54.299672, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/10/19 01:36:08.441464, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> >
> > After (4.4.6) log.wb-NTDOM
> >
> > [2016/10/19 01:36:08.441464, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/19 01:36:08.446288, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> > [2016/10/19 01:36:08.510460, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/19 01:36:08.510540, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> > [2016/10/19 01:36:39.285046, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ The context has expired: Success]
> > [2016/10/19 01:36:39.285142, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
> >
> > The fix was very simple.
> >
> > Turned off the PC.
> > Restarted winbind on this server and these users could log in again.
> >
> > I did not update my DCs, since I've seen more about this on the mailing
> > list.
> >
> > The server in question is a samba member server, and this server contains
> > the profiles and users' home folders.
> >
> > Debian Jessie, samba/winbind 4.4.6
> >
> > The strange thing here:
> > About 60 users logged in OK and 3 did not.
> > This is the first time this has happened since I've been running 4.2 and up,
> > so I'm very sure this is a bug.
> >
> > Anyone, is this a known bug,
> > and if so, is there any patch I can test?
> > Or anything else I can do to help debug this if there is no patch?
> >
> > Greetz,
> >
> > Louis
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
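Not part of the thread: an added Python example that parses Samba debug-log entries like the ones quoted above and flags the 4.4.6 signature (an expired GSS context directly followed by a failed ads_sasl_spnego_gensec_bind), while treating a lone context expiry, which the 4.4.5 logs also show, as ordinary ticket renewal. The sample log text is constructed from the quoted lines and the function names are my own, not Samba's.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log.wb-NTDOM excerpts quoted in the
# thread (Samba debug header, then an indented message line).
SAMPLE_LOG = """\
[2016/10/19 01:36:08.441464,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.446288,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 01:36:39.285046,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:39.285142,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 02:00:00.000000,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+(\S+)$")
# GSS_EXPIRED also shows up in healthy 4.4.5 logs (ticket expired and was
# renewed); BIND_FAILED only appeared after the 4.4.6 upgrade.
GSS_EXPIRED = "gss_init_sec_context failed with [ The context has expired"
BIND_FAILED = "kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed"

def parse_samba_log(text):
    """Return (timestamp, level, location, message) tuples from Samba debug output."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = (m.group(1), int(m.group(2)), m.group(3))
        elif header is not None and line.strip():
            entries.append(header + (line.strip(),))
            header = None
    return entries

def winbind_auth_failures(text):
    """Count both signatures and how often an expired GSS context is directly
    followed by a failed SPNEGO bind. Only that pairing raises the alert: a lone
    expiry followed by a successful re-bind is normal ticket renewal."""
    counts, paired, prev = Counter(), 0, ""
    for _ts, _level, _loc, msg in parse_samba_log(text):
        if GSS_EXPIRED in msg:
            counts["gss_expired"] += 1
        if BIND_FAILED in msg:
            counts["bind_failed"] += 1
            if GSS_EXPIRED in prev:
                paired += 1
        prev = msg
    return {"counts": dict(counts), "paired_failures": paired, "alert": paired > 0}
```

Run it against log.wb-NTDOM from a 4.4.5 host and a 4.4.6 host to see the difference: the first yields only gss_expired counts and no alert, the second pairs every expiry with a bind failure.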