[Samba] Samba 4.6.2 member server errors
me at tdiehl.org
Sat Oct 14 09:16:58 UTC 2017
Hi,
On Fri, 13 Oct 2017, L.P.H. van Belle via samba wrote:
> Hai,
>
> I'll explain a bit.
>
>> -----Original message-----
>> From: me at tdiehl.org [mailto:me at tdiehl.org]
>> Sent: Thursday 12 October 2017 19:15
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.6.2 member server errors
>>
>> Hi Louis,
>>
>> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
>>
>>> Hai,
>>>
>>> You googled with the wrong words I think.
>>
>> I have no problem believing that. :-)
>>
>>> 1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
>>> Based on your question, what I experienced and what I found with Google.
>>>
>>> https://support.oneidentity.com/authentication-services/kb/92515
>>> Don't look at the product here, but it's an exact match on the error code.
>>> They say, source of the problem is AD out of sync.
>>>
>>> And now I'm thinking, I had such a problem also due to an out of sync AD database.
>>> Where/how the out of sync happened I never found out.
>>> Can you check if your DCs are in sync?
>>>
>>> The other I found
>>> https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
>>> Is a problem in the keytab files, and, I did replace my keytab file, which solved 90% of my problem.
>>> The 10% left over problem, a nfs keytab caching related thing, only involved my user account, so low prio for me.
>>> Here the solution is to replace all keytab files. I did only the member server.
>>> And that verifies it to me.
>>
>> I appreciate the information but I am confused. The above
>> articles talk about this
>> being a krb5.keytab issue. This is confusing to me because
>> the errors occur on a
>> Samba AD member server not either of the DC's.
> Ok, I'm not a star in explaining in English.
You do OK with English, I just do not understand Kerberos. :-)
> Look at this picture. That shows how Kerberos tickets work.
> https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
> ( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )
>
>
> Now look at this one
> https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
> That's the user/computer login.
> And if I'm correct, your problem is the systemkey on the member.
> Due to somehow, an out of sync password in AD and the member server.
You might be correct. I just noticed that the AD administrator's password had
expired. I went into AD and set it to never expire so I was able to
login again. I am wondering if that has anything to do with this problem?
If you are correct, how do I get the systemkey on the member server back
in sync with AD?
>> There is no keytab on the member servers.
> Ok, can you post your smb.conf?
> Because without it, it is a guessing game at this point.
Sorry for not doing that from the beginning. Here it is:

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.MYDOMAIN.com.COM
    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:unix_nss_info = yes
    idmap config SAMDOM:range = 10000-999999
    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no
    username map = /etc/samba/user.map
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    log file = /var/log/samba/%m.log
    log level = 2
    deadtime = 5

[accounting]
    comment = Accounting Share
    path = /home/samba/accounting
    readonly = no

There are other shares but they are all configured the same way as above.
Regards,
--
Tom me at tdiehl.org
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom
>>>> Diehl via samba
>>>> Sent: Thursday 12 October 2017 7:01
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Samba 4.6.2 member server errors
>>>>
>>>> Hi,
>>>>
>>>> I have 2 samba AD DC's running 4.7.0 and 2 member servers
>>>> running 4.6.2.
>>>>
>>>> Everything seems to be working OK except that I see the
>>>> following errors
>>>> over and over again in the winbind log on one of the member servers:
>>>>
>>>> [2017/10/12 00:53:52.351095, 2]
>>>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>> check_pac_checksum: PAC Verification failed: Decrypt
>>>> integrity check failed (-1765328353)
>>>> [2017/10/12 00:53:52.871160, 2]
>>>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>> check_pac_checksum: PAC Verification failed: Decrypt
>>>> integrity check failed (-1765328353)
>>>> [2017/10/12 00:53:54.588468, 2]
>>>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>> check_pac_checksum: PAC Verification failed: Decrypt
>>>> integrity check failed (-1765328353)
>>>>
>>>> Can someone tell me what this means and if I should
>>>> troubleshoot this further?
>>>>
>>>> My Google foo has not been helpful.
>>
>>
>
>
>
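
The number in the quoted winbind lines is an MIT krb5 com_err code; subtracting the krb5 table base gives the RFC 4120 protocol error number, here 31 (KRB_AP_ERR_BAD_INTEGRITY). The following is an added example, not part of the original thread, that decodes such codes and summarises how often each one occurs in a Samba log; the function names are illustrative and the sample log is constructed from the lines quoted above plus one constructed unrelated record.

```python
import re

# MIT krb5 com_err table base; code - base = RFC 4120 error number (0..127).
KRB5_TABLE_BASE = -1765328384
RFC4120_NAMES = {
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",
    41: "KRB_AP_ERR_MODIFIED",
    44: "KRB_AP_ERR_BADKEYVER",
}
# Samba log record header: "[date time, level] file:line(function)"
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*(\d+)\]\s+\S+:\d+\((\w+)\)")
CODE = re.compile(r"\((-\d+)\)")

# Constructed sample: three records as quoted in the thread, one unrelated.
SAMPLE_LOG = """\
[2017/10/12 00:53:52.351095,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:53.000000,  2] ../example/file.c:1(example_function)
  unrelated constructed message
[2017/10/12 00:53:54.588468,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
"""

def decode_krb5(code):
    """Return (RFC 4120 number, name) or None if not a krb5 protocol error."""
    number = code - KRB5_TABLE_BASE
    if not 0 <= number < 128:
        return None
    return number, RFC4120_NAMES.get(number, "not named in this table")

def summarize(log_text):
    """Group Kerberos failures by (function, code) with count, first and last time."""
    stats, current = {}, None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = (header.group(1), header.group(3))
            continue
        found = CODE.search(line)
        if not (current and found and decode_krb5(int(found.group(1)))):
            continue
        stamp, func = current
        entry = stats.setdefault((func, int(found.group(1))), {"count": 0, "first": stamp})
        entry["count"] += 1
        entry["last"] = stamp
    return stats

if __name__ == "__main__":
    for (func, code), info in summarize(SAMPLE_LOG).items():
        print(func, code, decode_krb5(code), info)
```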