[Samba] Samba 4.6.2 member server errors
L.P.H. van Belle
belle at bazuin.nl
Fri Oct 13 09:45:43 UTC 2017
Hai,
I'll explain a bit.
> -----Oorspronkelijk bericht-----
> Van: me at tdiehl.org [mailto:me at tdiehl.org]
> Verzonden: donderdag 12 oktober 2017 19:15
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba 4.6.2 member server errors
>
> Hi Louis,
>
> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
>
> > Hai,
> >
> > You googled with the wrong words i think.
>
> I have no problem believing that. :-)
>
> > 1 search, 6 words. 4e link and 5e link, for explanation and
> solution. ;-)
> > Based on your question, what i experianced and what i found
> with google.
> >
> > https://support.oneidentity.com/authentication-services/kb/92515
> > Dont look at the product here, but its an exact match on
> the error code.
> > They say, source of the problem is AD out of sync.
> >
> > And now im thinking, i had such a problem also due to an
> out of sync AD database.
> > Here/how the out of sync happend i never found out.
> > Can you check if you DC's are in sync?
> >
> > The other i found
> >
> https://groups.google.com/forum/#!topic/comp.protocols.kerbero
> s/g-s76WeWyUU
> > Is a problem in the keytab files, and, i did replace my
> keytab file, which solved 90% of my problem.
> > The 10% left over problem, a nfs keytab caching related
> thing, only involved my user account, so low prio for me.
> > Here the solution is to replace all keytab files. I did
> only the member server.
> > And that verifies it to me.
>
> I appreciate the information but I am confused. The above
> articles talk about this
> being a krb5.keytab issue. This is confusing to me because
> the errors occur on a
> Samba AD member server not either of the DC's.
Ok, im not a star in explaining in english.
Look at this picture. That shows how kerberos tickets works.
https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )
Now look at this one
https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
Thats the user/computer login.
And if im correct, you problem is the systemkey on the member.
Due to somehow, an out of sync password in AD and the member server.
>
> There is no keytab on the member servers.
Ok, can you post your smb.conf
Because without it is a guessing game as of this point.
>
> I do not know if it matters but all of the machines are
> Centos 7.4. The DC's are
> compiled from source using the 4.7.0 tarball but the member
> servers are using the
> 4.6.2-11 rpms supplied with Centos 7.4.
>
> > So i dont have an exact solution, only one big advice,
> > if you upgrade make sure you db replication is in sync and
> you checked all ADDC Db's.
>
> So are you saying this is a DC problem even though the errors
> only occur on a member server?
Yes, that is possible, but i cannot determin that yet.
And Centos is not really my things.
But there are multiple Centos users on the list, so lets hope they are reading this also.
>
> Regards,
>
> --
> Tom me at tdiehl.org
>
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom
> >> Diehl via samba
> >> Verzonden: donderdag 12 oktober 2017 7:01
> >> Aan: samba at lists.samba.org
> >> Onderwerp: [Samba] Samba 4.6.2 member server errors
> >>
> >> Hi,
> >>
> >> I have 2 samba AD DC's running 4.7.0 and 2 member servers
> >> running 4.6.2.
> >>
> >> Everything seems to be working OK except that I see the
> >> following errors
> >> over and over again in the winbind log on one of the
> member servers:
> >>
> >> [2017/10/12 00:53:52.351095, 2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >> check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >> [2017/10/12 00:53:52.871160, 2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >> check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >> [2017/10/12 00:53:54.588468, 2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >> check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >>
> >> Can someone tell me what this means and if I should
> >> troubleshoot this further?
> >>
> >> My Google foo has not been helpful.
>
>
More information about the samba
mailing list