[Samba] Samba 4.6.2 member server errors

me at tdiehl.org
Sat Oct 14 09:16:58 UTC 2017


Hi,

On Fri, 13 Oct 2017, L.P.H. van Belle via samba wrote:

> Hai,
>
> I'll explain a bit.
>
>> -----Original message-----
>> From: me at tdiehl.org [mailto:me at tdiehl.org]
>> Sent: Thursday 12 October 2017 19:15
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.6.2 member server errors
>>
>> Hi Louis,
>>
>> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
>>
>>> Hai,
>>>
>>> You googled with the wrong words, I think.
>>
>> I have no problem believing that. :-)
>>
>>> 1 search, 6 words. 4th link and 5th link, for explanation and solution.  ;-)
>>> Based on your question, what I experienced and what I found with Google.
>>>
>>> https://support.oneidentity.com/authentication-services/kb/92515
>>> Don't look at the product here, but it's an exact match on the error code.
>>> They say the source of the problem is AD out of sync.
>>>
>>> And now I'm thinking, I had such a problem also due to an out-of-sync AD database.
>>> Where/how the out of sync happened I never found out.
>>> Can you check if your DCs are in sync?
>>>
>>> The other I found
>>>
>>> https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
>>> Is a problem in the keytab files, and I did replace my keytab file, which solved 90% of my problem.
>>> The 10% left-over problem, an NFS keytab caching related thing, only involved my user account, so low prio for me.
>>> Here the solution is to replace all keytab files. I did only the member server.
>>> And that verifies it to me.
>>
>> I appreciate the information but I am confused. The above articles talk about this
>> being a krb5.keytab issue. This is confusing to me because the errors occur on a
>> Samba AD member server, not on either of the DCs.
> Ok, I'm not a star in explaining in English.

You do OK with English, I just do not understand Kerberos. :-)

> Look at this picture. That shows how Kerberos tickets work.
> https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
> ( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )
>
>
> Now look at this one
> https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
> That's the user/computer login.
> And if I'm correct, your problem is the system key on the member.
> Due to, somehow, an out-of-sync password between AD and the member server.

You might be correct. I just noticed that the AD administrator's password had
expired. I went into AD and set it to never expire so I was able to
log in again. I am wondering if that has anything to do with this problem?

If you are correct, how do I get the systemkey on the member server back
in sync with AD?

>> There is no keytab on the member servers.
> Ok, can you post your smb.conf?
> Because without it, it is a guessing game at this point.

Sorry for not doing that from the beginning. Here it is:

[global]
     security = ADS
     workgroup = SAMDOM
     realm = SAMDOM.MYDOMAIN.com.COM

     winbind use default domain = yes
     winbind expand groups = 4
     winbind refresh tickets = Yes
     winbind offline logon = yes

     idmap config * : backend = tdb
     idmap config * : range = 3000-7999

     idmap config SAMDOM:backend = ad
     idmap config SAMDOM:schema_mode = rfc2307
     idmap config SAMDOM:unix_nss_info = yes
     idmap config SAMDOM:range = 10000-999999
     domain master = no
     local master = no
     preferred master = no
     os level = 20
     map to guest = bad user
     host msdfs = no
     username map = /etc/samba/user.map
     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes
     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes
     log file = /var/log/samba/%m.log
     log level = 2
     deadtime = 5

[accounting]
     comment = Accounting Share
     path = /home/samba/accounting
     readonly = no

There are other shares but they are all configured the same way as above.

Regards,

-- 
Tom			me at tdiehl.org


>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom
>>>> Diehl via samba
>>>> Sent: Thursday 12 October 2017 7:01
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Samba 4.6.2 member server errors
>>>>
>>>> Hi,
>>>>
>>>> I have 2 samba AD DC's running 4.7.0 and 2 member servers
>>>> running 4.6.2.
>>>>
>>>> Everything seems to be working OK except that I see the
>>>> following errors
>>>> over and over again in the winbind log on one of the
>>>> member servers:
>>>>
>>>> [2017/10/12 00:53:52.351095,  2]
>>>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>>    check_pac_checksum: PAC Verification failed: Decrypt
>>>> integrity check failed (-1765328353)
>>>> [2017/10/12 00:53:52.871160,  2]
>>>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>>    check_pac_checksum: PAC Verification failed: Decrypt
>>>> integrity check failed (-1765328353)
>>>> [2017/10/12 00:53:54.588468,  2]
>>>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>>    check_pac_checksum: PAC Verification failed: Decrypt
>>>> integrity check failed (-1765328353)
>>>>
>>>> Can someone tell me what this means and if I should
>>>> troubleshoot this further?
>>>>
>>>> My Google foo has not been helpful.
>>
>>
>
>
>

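As an added example that is not part of this thread, here is a small Python parser for the winbind log entries Tom quoted: it reassembles multi-line entries (including the way the mail client wrapped the source location onto its own line), extracts every PAC verification failure and decodes the krb5 error number. The sample log text is constructed to match the quoted lines; the unrelated third entry and its source path are constructed placeholders.

```python
import re

# Constructed sample in the format of the winbind lines quoted in the thread. Samba normally
# puts the source location on the header line; the mail wrapped it, so both layouts are accepted.
# The third entry is constructed and unrelated, to show that only PAC failures are reported.
SAMPLE_LOG = """\
[2017/10/12 00:53:52.351095,  2]
  ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
    check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2]
  ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
    check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:53.100000,  3] ../example/constructed.c:1(constructed_fn)
    constructed unrelated entry
[2017/10/12 00:53:54.588468,  2]
  ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
    check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]")
PAC_FAIL_RE = re.compile(r"PAC Verification failed: (.+?) \((-?\d+)\)")

# krb5 error numbers are offsets from this table base (MIT and Heimdal agree); offset 31 is
# KRB5KRB_AP_ERR_BAD_INTEGRITY, i.e. the -1765328353 in the thread. Only that one is listed.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERROR_NAMES = {31: "KRB5KRB_AP_ERR_BAD_INTEGRITY"}

def krb5_error_name(code):
    """Map a numeric krb5 error code to its symbolic name, or 'unknown' if not in the table."""
    return KRB5_ERROR_NAMES.get(code - KRB5_ERROR_TABLE_BASE, "unknown")

def parse_entries(text):
    """A '[timestamp, level]' line starts an entry; following non-header lines continue it."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "text": line[m.end():].strip()})
        elif entries:
            entries[-1]["text"] = (entries[-1]["text"] + " " + line.strip()).strip()
    return entries

def pac_failures(text):
    """Return (timestamp, reason, krb5 code, symbolic name) for each PAC verification failure."""
    out = []
    for e in parse_entries(text):
        m = PAC_FAIL_RE.search(e["text"])
        if m:
            code = int(m.group(2))
            out.append((e["time"], m.group(1), code, krb5_error_name(code)))
    return out
```

Run over a real /var/log/samba/log.winbind (the thread's config logs per client via `log file = /var/log/samba/%m.log`), a steady stream of KRB5KRB_AP_ERR_BAD_INTEGRITY entries is the signal that the member's machine account key no longer matches what the DCs hold.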