[Samba] Samba 4.6.2 member server errors

me at tdiehl.org
Fri Oct 20 21:00:01 UTC 2017


On Mon, 16 Oct 2017, Rowland Penny via samba wrote:

> On Mon, 16 Oct 2017 10:40:44 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Hi Rowland,
>>
>>
>> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
>>
>>> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
>>> me at tdiehl.org wrote:
>>>
>>>> Yes I understand, however, there are 2 things I am concerned about.
>>>>
>>>> When the errors are spewing, winbind never goes to sleep and the
>>>> load on the server runs somewhere between 6-8 constantly (as shown
>>>> by top). Even when there is no one in the office and hence no
>>>> files being served I still see the high load.
>>>>
>>>> When the errors stop (This happens intermittently) winbind will
>>>> sleep and the load settles down to < 1.
>>>>
>>>> The other thing that concerns me is that I am wondering if this is
>>>> an indication that something more serious is about to break. It is
>>>> one thing for me to see things in the background and entirely
>>>> something else for it to impact the users. :-)
>>>>
>>>> Suggestions?
>>>>
>>>> Regards,
>>>>
>>>
>>> If nothing is connecting, then winbind shouldn't be doing much, so
>>> if it is, you need to find out why.
>>>
>>> Check the Samba logs on the DCs. Is there anything relevant showing
>>> at the time that winbind is overloading on the domain member?
>>> Raise the log levels on the DCs and domain members and see if
>>> anything pops out.
>>
>> I ran the logging up to level 10 on the DCs and the file server.
>> The DCs do not show anything significant, at least not that I can
>> tell. There is so much info there I might be missing something.
>>
>> On the file server I see the following at level 10:
>>
>> [2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0), real(0,
>> 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
>> accepted socket 44 [2017/10/16 10:11:21.392850, 10, pid=1440,
>> effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
>> process_request: Handling async request 58214:GETPWNAM [2017/10/16
>> 10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>> getpwnam kmg\mb-shop9-17$ [2017/10/16 10:11:21.392868,  1, pid=1440,
>> effective(0, 0), real(0,
>> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>> wbint_LookupName: struct wbint_LookupName in: struct wbint_LookupName
>> domain                   : * domain                   : 'KMG'
>> name                     : * name                     :
>> 'MB-SHOP9-17$' flags                    : 0x00000008 (8) [2017/10/16
>> 10:11:21.392899,  1, pid=1440, effective(0, 0), real(0,
>> 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>> wbint_LookupName: struct wbint_LookupName out: struct
>> wbint_LookupName type                     : *
>> type                     : SID_NAME_USER (1)
>> sid                      : * sid                      :
>> S-1-5-21-3052942767-4183929206-737583365-1617
>> result                   : NT_STATUS_OK [2017/10/16 10:11:21.392926,
>> 10, pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
>> SID 0: S-1-5-21-3052942767-4183929206-737583365-1617 [2017/10/16
>> 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0,
>> 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
>> Parsing value for key
>> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>> value=[-1:N] [2017/10/16 10:11:21.392946, 10, pid=1440, effective(0,
>> 0), real(0,
>> 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
>> Parsing value for key
>> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>> id=[4294967295], endptr=[:N] [2017/10/16 10:11:21.392955,  5,
>> pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>> Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617:
>> NT_STATUS_NO_SUCH_USER [2017/10/16 10:11:21.392963, 10, pid=1440,
>> effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
>> wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER [2017/10/16
>> 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
>> process_request: Handling async request 58217:PAM_AUTH_CRAP
>> [2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>> check_pac_checksum: PAC Verification failed: Decrypt integrity check
>> failed (-1765328353) [2017/10/16 10:11:21.913139,  5, pid=1440,
>> effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Decrypt integrity
>> check failed [2017/10/16 10:11:21.913203,  5, pid=1440, effective(0,
>> 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac) Found
>> account name from PAC: MB-RECEPTION-17$ []
>>
>> I do not know if it is important or not but these machines were just
>> joined to the domain within the last week or so.
>>
>> I see many of these for different machines.
>>
>> Please let me know what you think.
>>
>> Regards,
>>
>>
>
> It seems to be treating computers as users (I could be barking up the
> wrong tree here). Can you post the contents
> of /etc/hosts, /etc/hostname, /etc/resolv.conf and /etc/nsswitch.conf
> from the domain member?

Here you go:

(vfs1 pts6) # cat /etc/resolv.conf 
search kmg.mydomain.com mydomain.com
nameserver 172.30.0.7
nameserver 10.224.135.7
(vfs1 pts6) #

The 2 name server IP addresses are the 2 DCs.

(vfs1 pts6) # cat /etc/hosts

127.0.0.1    localhost localhost.localdomain 
172.30.0.8    vfs1.kmg.mydomain.com vfs1
(vfs1 pts6) #

(vfs1 pts6) # cat /etc/hostname
vfs1.kmg.mydomain.com
(vfs1 pts6) #

(vfs1 pts6) # cat /etc/nsswitch.conf
passwd:     files winbind
shadow:     files 
group:      files winbind

hosts:      files dns myhostname

bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

(vfs1 pts6) #

Sorry for the delay getting back to you. I was out for a few days.

Regards,

-- 
Tom			me at tdiehl.org
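
Added example, not part of the original post and not Samba code: a Python parser that re-splits a mail-wrapped level 10 winbind log like the one quoted above into one record per debug header, then summarizes repeated messages, getpwnam lookups for machine accounts, and PAC verification failures. The function names are hypothetical and the sample is a few entries trimmed from the post's log.

```python
import re
from collections import Counter

# Entries trimmed from the log quoted in the post, left in mail-wrapped form.
SAMPLE = r"""
>> [2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>> getpwnam kmg\mb-shop9-17$ [2017/10/16 10:11:21.392963, 10, pid=1440,
>> effective(0, 0), real(0, 0),
>> class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
>> wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER [2017/10/16
>> 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac) PAC
>> Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0,
>> 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>> check_pac_checksum: PAC Verification failed: Decrypt integrity check
>> failed (-1765328353)
"""

# Debug header: [timestamp, level, pid=..., ...] source.c:line(function)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), (?P<level>\d+), pid=\d+,"
    r"[^\]]*\] (?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)")

def parse_entries(text):
    """Strip quote markers, undo line wrapping, split into one dict per entry."""
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    flat = re.sub(r"\s+", " ", " ".join(lines)).strip()
    heads = list(HEADER.finditer(flat))
    entries = []
    for h, nxt in zip(heads, heads[1:] + [None]):
        msg = flat[h.end():nxt.start() if nxt else len(flat)].strip()
        entries.append({"ts": h["ts"], "level": int(h["level"]),
                        "func": h["func"], "msg": msg})
    return entries

def summarize(entries):
    """Collapse the noise: repeated messages, machine lookups, PAC failures."""
    names = [e["msg"].split(" ", 1)[-1] for e in entries if e["func"] == "winbindd_getpwnam_send"]
    pac = [e for e in entries if e["func"] in ("kerberos_decode_pac", "check_pac_checksum")
           and "failed" in e["msg"].lower()]
    return {
        "top_messages": Counter((e["func"], e["msg"]) for e in entries).most_common(5),
        "machine_lookups": sorted({n for n in names if n.endswith("$")}),  # computer accounts end in "$"
        "pac_failures": len(pac),
        "failed_requests": [e["msg"] for e in entries
                            if e["func"] == "wb_request_done" and "NT_STATUS_OK" not in e["msg"]],
    }
```

Calling summarize(parse_entries(open(path).read())) on a full log.winbindd capture gives the same summary; unwrapped logs parse the same way because the splitter keys on the debug header rather than on line breaks.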
