[Samba] GID range full!!

[Stefan G. Weichinger]

Am 2017-12-04 um 18:07 schrieb Stefan G. Weichinger via samba:
> On 12/04/2017 02:15 PM, Rowland Penny via samba wrote:
> 
>> Possibly, if, by using the old config, Samba is ignoring the 'idmap
>> config DOMAIN' lines and putting everything into the '*' domain, then
>> you may (probably would) have more than your original set up allowed.
>> If this fixes it, you have found another bug ;-)
>> It should work with the old lines.
> 
> I now changed that parameter, edited the range down to 2000-2999 again
> and restarted services. We can connect OK, fine. We test some things now.
> 
> Can I somehow check how many of those IDs are used right now?
> Somehow monitor if this change fixed it?
> 
> Last time it took a week to crash again, I would prefer to be able to
> know things earlier.

The DM gave up again today. No more gid-related stuff inside the logs,
had to kill the daemons to get the shares up again.

I increased loglevel to 2 and see in

# tail winbindd.log
[2017/12/06 13:12:50.216478,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check
failed (-1765328353)
[2017/12/06 13:12:50.216523,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check
failed (-1765328353)
[2017/12/06 13:12:50.216566,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check
failed (-1765328353)

This is a gentoo linux DM, and their samba-ebuild pulls in mit-krb5 for
samba per default.

Unfortunately that mit-krb5 package is still at 1.14.2 while 1.15.2 is
available.

I assume I should upgrade that and reinstall samba-4.6.11 after?

Could it somehow be the case that the kerberos-ticket between DM and DC
runs out after X hours or so?

Just guessing ...

I also consider downgrading samba to 4.5.15. At another site with about
the same setup we don't face any problems.

Stefan