[Samba] Samba 4.6.2 member server errors
me at tdiehl.org
me at tdiehl.org
Fri Oct 20 21:00:01 UTC 2017
On Mon, 16 Oct 2017, Rowland Penny via samba wrote:
> On Mon, 16 Oct 2017 10:40:44 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Hi Rowland,
>>
>>
>> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
>>
>>> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
>>> me at tdiehl.org wrote:
>>>
>>>> Yes I understand, however, there are 2 things I am concerned about.
>>>>
>>>> When the errors are spewing, winbind never goes to sleep and the
>>>> load on the server runs somewhere between 6-8 constantly (as shown
>>>> by top.). Even when there is no one in the office and hence no
>>>> files being served I still see the high load.
>>>>
>>>> When the errors stop (This happens intermittently) winbind will
>>>> sleep and the load settles down to < 1.
>>>>
>>>> The other thing that concerns me is that I am wondering if this is
>>>> an indication that something more serious is about to break. It is
>>>> one thing for me to see things in the background and entirely
>>>> something else for it to impact the users. :-)
>>>>
>>>> Suggestions?
>>>>
>>>> Regards,
>>>>
>>>
>>> If nothing is connecting, then winbind shouldn't be doing much, so
>>> if it is, you need to find out why.
>>>
>>> Check the Samba logs on the DCs, is there anything relevant showing
>>> at the time that winbind is overloading on the domain member
>>> Raise the log levels on the DCs and domain members and see if
>>> anything pops out.
>>
>> I ran the logging up to level 10 on the DC's and the file server.
>> The DC's do not show anything significant, at least not that I can
>> tell. There is so much info there I might be missing something.
>>
>> On the file server I see the following at level 10:
>>
>> [2017/10/16 10:11:21.392833, 6, pid=1440, effective(0, 0), real(0,
>> 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
>> accepted socket 44 [2017/10/16 10:11:21.392850, 10, pid=1440,
>> effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
>> process_request: Handling async request 58214:GETPWNAM [2017/10/16
>> 10:11:21.392857, 3, pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>> getpwnam kmg\mb-shop9-17$ [2017/10/16 10:11:21.392868, 1, pid=1440,
>> effective(0, 0), real(0,
>> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>> wbint_LookupName: struct wbint_LookupName in: struct wbint_LookupName
>> domain : * domain : 'KMG'
>> name : * name :
>> 'MB-SHOP9-17$' flags : 0x00000008 (8) [2017/10/16
>> 10:11:21.392899, 1, pid=1440, effective(0, 0), real(0,
>> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>> wbint_LookupName: struct wbint_LookupName out: struct
>> wbint_LookupName type : *
>> type : SID_NAME_USER (1)
>> sid : * sid :
>> S-1-5-21-3052942767-4183929206-737583365-1617
>> result : NT_STATUS_OK [2017/10/16 10:11:21.392926,
>> 10, pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
>> SID 0: S-1-5-21-3052942767-4183929206-737583365-1617 [2017/10/16
>> 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0,
>> 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
>> Parsing value for key
>> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>> value=[-1:N] [2017/10/16 10:11:21.392946, 10, pid=1440, effective(0,
>> 0), real(0,
>> 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
>> Parsing value for key
>> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>> id=[4294967295], endptr=[:N] [2017/10/16 10:11:21.392955, 5,
>> pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>> Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617:
>> NT_STATUS_NO_SUCH_USER [2017/10/16 10:11:21.392963, 10, pid=1440,
>> effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
>> wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER [2017/10/16
>> 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
>> process_request: Handling async request 58217:PAM_AUTH_CRAP
>> [2017/10/16 10:11:21.912764, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912829, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912865, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912935, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912976, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913011, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913047, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913079, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913124, 2, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>> check_pac_checksum: PAC Verification failed: Decrypt integrity check
>> failed (-1765328353) [2017/10/16 10:11:21.913139, 5, pid=1440,
>> effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Decrypt integrity
>> check failed [2017/10/16 10:11:21.913203, 5, pid=1440, effective(0,
>> 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913243, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913281, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913316, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913353, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913392, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913431, 5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913475, 3, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac) Found
>> account name from PAC: MB-RECEPTION-17$ []
>>
>> I do not know if it is important or not but these machines were just
>> joined to the domain within the last week or so.
>>
>> I see many of these for different machines.
>>
>> Please let me know what you think.
>>
>> Regards,
>>
>>
>
> It seems to be treating computers as users (I could be barking up the
> wrong tree here), can you post the contents
> of /etc/hosts, /etc/hostname, /etc/resolv.conf and /etc/nsswitch.conf
> from the domain member
Here you go:
(vfs1 pts6) # cat /etc/resolv.conf
search kmg.mydomain.com mydomain.com
nameserver 172.30.0.7
nameserver 10.224.135.7
(vfs1 pts6) #
The 2 name server ip addresses are the 2 dc's.
(vfs1 pts6) # cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
172.30.0.8 vfs1.kmg.mydomain.com vfs1
(vfs1 pts6) #
(vfs1 pts6) # cat /etc/hostname
vfs1.kmg.mydomain.com
(vfs1 pts6) #
(vfs1 pts6) # cat /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
(vfs1 pts6) #
Sorry for the delay getting back to you. I was out for a few days.
Regards,
--
Tom me at tdiehl.org
More information about the samba
mailing list