[Samba] Samba 4.6.2 member server errors

me at tdiehl.org me at tdiehl.org
Thu Oct 12 17:15:17 UTC 2017

Hi Louis,

On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:

> Hai,
> You googled with the wrong words i think.

I have no problem believing that. :-)

> 1 search, 6 words. 4e link and 5e link, for explanation and solution.  ;-)
> Based on your question, what i experianced and what i found with google.
> https://support.oneidentity.com/authentication-services/kb/92515
> Dont look at the product here, but its an exact match on the error code.
> They say, source of the problem is AD out of sync.
> And now im thinking, i had such a problem also due to an out of sync AD database.
> Here/how the out of sync happend i never found out.
> Can you check if you DC's are in sync?
> The other i found
> https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
> Is a problem in the keytab files, and, i did replace my keytab file, which solved 90% of my problem.
> The 10% left over problem, a nfs keytab caching related thing, only involved my user account, so low prio for me.
> Here the solution is to replace all keytab files. I did only the member server.
> And that verifies it to me.

I appreciate the information but I am confused. The above articles talk about this
being a krb5.keytab issue. This is confusing to me because the errors occur on a
Samba AD member server not either of the DC's.

There is no keytab on the member servers.

I do not know if it matters but all of the machines are Centos 7.4. The DC's are
compiled from source using the 4.7.0 tarball but the member servers are using the
4.6.2-11 rpms supplied with Centos 7.4.

> So i dont have an exact solution, only one big advice,
> if you upgrade make sure you db replication is in sync and you checked all ADDC Db's.

So are you saying this is a DC problem even though the errors only occur on a
member server?


Tom			me at tdiehl.org

>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom
>> Diehl via samba
>> Verzonden: donderdag 12 oktober 2017 7:01
>> Aan: samba at lists.samba.org
>> Onderwerp: [Samba] Samba 4.6.2 member server errors
>> Hi,
>> I have 2 samba AD DC's running 4.7.0 and 2 member servers
>> running 4.6.2.
>> Everything seems to be working OK except that I see the
>> following errors
>> over and over again in the winbind log on one of the member servers:
>> [2017/10/12 00:53:52.351095,  2]
>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>    check_pac_checksum: PAC Verification failed: Decrypt
>> integrity check failed (-1765328353)
>> [2017/10/12 00:53:52.871160,  2]
>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>    check_pac_checksum: PAC Verification failed: Decrypt
>> integrity check failed (-1765328353)
>> [2017/10/12 00:53:54.588468,  2]
>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>    check_pac_checksum: PAC Verification failed: Decrypt
>> integrity check failed (-1765328353)
>> Can someone tell me what this means and if I should
>> troubleshoot this further?
>> My Google foo has not been helpful.

More information about the samba mailing list