[Samba] Samba 4.6.2 member server errors

L.P.H. van Belle belle at bazuin.nl
Mon Oct 16 14:58:20 UTC 2017


Hi Tom, 

Small update. 

I am also still looking into this, but I'm not getting much further..
I am just reading:
https://blogs.msdn.microsoft.com/openspecification/2009/12/31/verifying-the-server-signature-in-kerberos-privilege-account-certificate/
A bit older, but I'm trying to understand more about what happens here.

And the only "guess" I can make here is:
A Kerberos ticket with the wrong encryption type tried to validate.
Based on that, but again, this is what I would try.

For all servers in krb5.conf. (* do you have any XP/W2003 or older in your LAN?)
; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 

Or at least make sure they are the same.
Run net cache flush on all servers and reboot them.

If a wrong verification is somewhere in cache or memory, then this could help.

Now, 

> I do not know if it is important or not but these machines 
> were just joined to the domain within the last week or so.
Yes, very important, because.. What's the default time for a Kerberos ticket?
The default value for a TGT (also referred to as a user ticket) is 7 days, ...

And a computer is a user..
So we are IMO heading in the right direction.

.... Still reading things here

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom Diehl via samba
> Sent: Monday 16 October 2017 16:41
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.6.2 member server errors
> 
> Hi Rowland,
> 
> 
> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
> 
> > On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> > me at tdiehl.org wrote:
> >
> >> Yes I understand, however, there are 2 things I am concerned about.
> >>
> >> When the errors are spewing, winbind never goes to sleep and the load
> >> on the server runs somewhere between 6-8 constantly (as shown by
> >> top.). Even when there is no one in the office and hence no files
> >> being served I still see the high load.
> >>
> >> When the errors stop (This happens intermittently) winbind will sleep
> >> and the load settles down to < 1.
> >>
> >> The other thing that concerns me is that I am wondering if this is an
> >> indication that something more serious is about to break. It is one
> >> thing for me to see things in the background and entirely something
> >> else for it to impact the users. :-)
> >>
> >> Suggestions?
> >>
> >> Regards,
> >>
> >
> > If nothing is connecting, then winbind shouldn't be doing much, so if
> > it is, you need to find out why.
> >
> > Check the Samba logs on the DCs, is there anything relevant showing at
> > the time that winbind is overloading on the domain member
> > Raise the log levels on the DCs and domain members and see if anything
> > pops out.
> 
> I ran the logging up to level 10 on the DCs and the file server.
> The DCs do not show anything significant, at least not that I can tell.
> There is so much info there I might be missing something.
> 
> On the file server I see the following at level 10:
> 
> [2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd.c:919(new_connection)
>    accepted socket 44
> [2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd.c:734(process_request)
>    process_request: Handling async request 58214:GETPWNAM
> [2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>    getpwnam kmg\mb-shop9-17$
> [2017/10/16 10:11:21.392868,  1, pid=1440, effective(0, 0), 
> real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>         wbint_LookupName: struct wbint_LookupName
>            in: struct wbint_LookupName
>                domain                   : *
>                    domain                   : 'KMG'
>                name                     : *
>                    name                     : 'MB-SHOP9-17$'
>                flags                    : 0x00000008 (8)
> [2017/10/16 10:11:21.392899,  1, pid=1440, effective(0, 0), 
> real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>         wbint_LookupName: struct wbint_LookupName
>            out: struct wbint_LookupName
>                type                     : *
>                    type                     : SID_NAME_USER (1)
>                sid                      : *
>                    sid                      : 
> S-1-5-21-3052942767-4183929206-737583365-1617
>                result                   : NT_STATUS_OK
> [2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
>    SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
> [2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0), 
> real(0, 0)] 
> ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
>    Parsing value for key 
> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>  value=[-1:N]
> [2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0), 
> real(0, 0)] 
> ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
>    Parsing value for key 
> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>  id=[4294967295], endptr=[:N]
> [2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>    Could not convert sid 
> S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
> [2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd.c:796(wb_request_done)
>    wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
> [2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0), 
> real(0, 0), class=winbind] 
> ../source3/winbindd/winbindd.c:734(process_request)
>    process_request: Handling async request 58217:PAM_AUTH_CRAP
> [2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>    check_pac_checksum: PAC Verification failed: Decrypt 
> integrity check failed (-1765328353)
> [2017/10/16 10:11:21.913139,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Decrypt integrity check failed
> [2017/10/16 10:11:21.913203,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>    PAC Decode: Failed to verify the service signature: 
> Invalid argument
> [2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), 
> real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
>    Found account name from PAC: MB-RECEPTION-17$ []
> 
> I do not know if it is important or not but these machines were just joined
> to the domain within the last week or so.
> 
> I see many of these for different machines.
> 
> Please let me know what you think.
> 
> Regards,
> 
> 
> -- 
> Tom			me at tdiehl.org
> 
> 