[Samba] Samba 4.6.2 member server errors

L.P.H. van Belle belle at bazuin.nl
Fri Oct 13 09:45:43 UTC 2017 

Hai, 

I'll explain a bit. 

> -----Oorspronkelijk bericht-----
> Van: me at tdiehl.org [mailto:me at tdiehl.org] 
> Verzonden: donderdag 12 oktober 2017 19:15
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba 4.6.2 member server errors
> 
> Hi Louis,
> 
> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
> 
> > Hai,
> >
> > You googled with the wrong words i think.
> 
> I have no problem believing that. :-)
> 
> > 1 search, 6 words. 4e link and 5e link, for explanation and 
> solution.  ;-)
> > Based on your question, what i experianced and what i found 
> with google.
> >
> > https://support.oneidentity.com/authentication-services/kb/92515
> > Dont look at the product here, but its an exact match on 
> the error code.
> > They say, source of the problem is AD out of sync.
> >
> > And now im thinking, i had such a problem also due to an 
> out of sync AD database.
> > Here/how the out of sync happend i never found out.
> > Can you check if you DC's are in sync?
> >
> > The other i found
> > 
> https://groups.google.com/forum/#!topic/comp.protocols.kerbero
> s/g-s76WeWyUU
> > Is a problem in the keytab files, and, i did replace my 
> keytab file, which solved 90% of my problem.
> > The 10% left over problem, a nfs keytab caching related 
> thing, only involved my user account, so low prio for me.
> > Here the solution is to replace all keytab files. I did 
> only the member server.
> > And that verifies it to me.
> 
> I appreciate the information but I am confused. The above 
> articles talk about this
> being a krb5.keytab issue. This is confusing to me because 
> the errors occur on a
> Samba AD member server not either of the DC's.
Ok, im not a star in explaining in english.  

Look at this picture. That shows how kerberos tickets works. 
https://i-technet.sec.s-msft.com/dynimg/IC195542.gif 
( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx ) 


Now look at this one
https://i-technet.sec.s-msft.com/dynimg/IC195551.gif 
Thats the user/computer login. 
And if im correct, you problem is the systemkey on the member. 
Due to somehow, an out of sync password in AD and the member server.

> 
> There is no keytab on the member servers.
Ok, can you post your smb.conf 
Because without it is a guessing game as of this point. 

> 
> I do not know if it matters but all of the machines are 
> Centos 7.4. The DC's are
> compiled from source using the 4.7.0 tarball but the member 
> servers are using the
> 4.6.2-11 rpms supplied with Centos 7.4.
> 
> > So i dont have an exact solution, only one big advice,
> > if you upgrade make sure you db replication is in sync and 
> you checked all ADDC Db's.
> 
> So are you saying this is a DC problem even though the errors 
> only occur on a  member server?

Yes, that is possible, but i cannot determin that yet. 
And Centos is not really my things. 
But there are multiple Centos users on the list, so lets hope they are reading this also. 

> 
> Regards,
> 
> -- 
> Tom			me at tdiehl.org
> 
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom
> >> Diehl via samba
> >> Verzonden: donderdag 12 oktober 2017 7:01
> >> Aan: samba at lists.samba.org
> >> Onderwerp: [Samba] Samba 4.6.2 member server errors
> >>
> >> Hi,
> >>
> >> I have 2 samba AD DC's running 4.7.0 and 2 member servers
> >> running 4.6.2.
> >>
> >> Everything seems to be working OK except that I see the
> >> following errors
> >> over and over again in the winbind log on one of the 
> member servers:
> >>
> >> [2017/10/12 00:53:52.351095,  2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>    check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >> [2017/10/12 00:53:52.871160,  2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>    check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >> [2017/10/12 00:53:54.588468,  2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>    check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >>
> >> Can someone tell me what this means and if I should
> >> troubleshoot this further?
> >>
> >> My Google foo has not been helpful.
> 
>

More information about the samba mailing list