[Samba] Samba 4.6.2 member server errors
me at tdiehl.org
me at tdiehl.org
Mon Oct 16 14:40:44 UTC 2017
Hi Rowland,
On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Yes I understand, however, there are 2 things I am concerned about.
>>
>> When the errors are spewing, winbind never goes to sleep and the load
>> on the server runs somewhere between 6-8 constantly (as shown by
>> top.). Even when there is no one in the office and hence no files
>> being served I still see the high load.
>>
>> When the errors stop (This happens intermittently) winbind will sleep
>> and the load settles down to < 1.
>>
>> The other thing that concerns me is that I am wondering if this is an
>> indication that something more serious is about to break. It is one
>> thing for me to see things in the background and entirely something
>> else for it to impact the users. :-)
>>
>> Suggestions?
>>
>> Regards,
>>
>
> If nothing is connecting, then winbind shouldn't be doing much, so if
> it is, you need to find out why.
>
> Check the Samba logs on the DCs, is there anything relevant showing at
> the time that winbind is overloading on the domain member
> Raise the log levels on the DCs and domain members and see if anything
> pops out.
I ran the logging up to level 10 on the DC's and the file server.
The DC's do not show anything significant, at least not that I can tell.
There is so much info there I might be missing something.
On the file server I see the following at level 10:
[2017/10/16 10:11:21.392833, 6, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
accepted socket 44
[2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
process_request: Handling async request 58214:GETPWNAM
[2017/10/16 10:11:21.392857, 3, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam kmg\mb-shop9-17$
[2017/10/16 10:11:21.392868, 1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'KMG'
name : *
name : 'MB-SHOP9-17$'
flags : 0x00000008 (8)
[2017/10/16 10:11:21.392899, 1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USER (1)
sid : *
sid : S-1-5-21-3052942767-4183929206-737583365-1617
result : NT_STATUS_OK
[2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
[2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: value=[-1:N]
[2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: id=[4294967295], endptr=[:N]
[2017/10/16 10:11:21.392955, 5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
process_request: Handling async request 58217:PAM_AUTH_CRAP
[2017/10/16 10:11:21.912764, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912829, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912865, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912935, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912976, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913011, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913047, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913079, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913124, 2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/16 10:11:21.913139, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Decrypt integrity check failed
[2017/10/16 10:11:21.913203, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913243, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913281, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913316, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913353, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913392, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913431, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913475, 3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
Found account name from PAC: MB-RECEPTION-17$ []
I do not know if it is important or not but these machines were just joined
to the domain within the last week or so.
I see many of these for different machines.
Please let me know what you think.
Regards,
--
Tom me at tdiehl.org
More information about the samba
mailing list