[Samba] Samba 4.6.2 member server errors

me at tdiehl.org me at tdiehl.org
Fri Oct 20 22:48:06 UTC 2017


Hi Louis,

On Mon, 16 Oct 2017, L.P.H. van Belle via samba wrote:

> Hi Tom,
>
> Small update.
>
> I'm also still looking into this but I'm not getting much further..
> I am just reading:
> https://blogs.msdn.microsoft.com/openspecification/2009/12/31/verifying-the-server-signature-in-kerberos-privilege-account-certificate/
> Bit older, but I'm trying to understand more of what happens here.
>
> And the only "guess" I can make here is:
> A kerberos ticket, with the wrong encryption type tried to validate.
> Based on that, but again, this is what I would try.
>
> For all servers in krb5.conf. (* Do you have any XP/W2003 or older in your LAN?)

No, only win7 at this time.

> ; for Windows 2008 with AES

I do not have any Windows 2008.

> ;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> ;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> ;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> Or at least make sure they are the same.

Are you saying I should insert the above into the krb5.conf files?

For the record, all of the krb5.conf files have the following in them:

(vfs1 pts6) # cat /etc/krb5.conf
[libdefaults]
     default_realm = KMG.MYDOMAIN.COM
     dns_lookup_realm = false
     dns_lookup_kdc = true
(vfs1 pts6) #

> Run net cache flush on all servers and reboot them.

We have done this a couple of times.

>
> If a wrong verification is somewhere in cache or memory, then this could help.
>
> Now,
>
>> I do not know if it is important or not but these machines
>> were just joined to the domain within the last week or so.
> Yes, very important, because .. What's the default time for a Kerberos ticket?
> The default value for a TGT (also referred to as a user ticket) is 7 days, ...
>
> And a computer is a user..
> So we are imo getting in the right direction.
>
> .... Still reading things here

Still reading here also. Just not making much progress.

I found the https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting article.
In there it says I need

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes

in the smb.conf. Is this still relevant?

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
does not say anything about setting up a keytab file in smb.conf.

Thank You for the help.

Regards,

-- 
Tom			me at tdiehl.org

>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom
>> Diehl via samba
>> Sent: Monday 16 October 2017 16:41
>> To: Rowland Penny
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.6.2 member server errors
>>
>> Hi Rowland,
>>
>>
>> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
>>
>>> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
>>> me at tdiehl.org wrote:
>>>
>>>> Yes I understand, however, there are 2 things I am concerned about.
>>>>
>>>> When the errors are spewing, winbind never goes to sleep and the load
>>>> on the server runs somewhere between 6-8 constantly (as shown by
>>>> top.). Even when there is no one in the office and hence no files
>>>> being served I still see the high load.
>>>>
>>>> When the errors stop (This happens intermittently) winbind will sleep
>>>> and the load settles down to < 1.
>>>>
>>>> The other thing that concerns me is that I am wondering if this is an
>>>> indication that something more serious is about to break. It is one
>>>> thing for me to see things in the background and entirely something
>>>> else for it to impact the users. :-)
>>>>
>>>> Suggestions?
>>>>
>>>> Regards,
>>>>
>>>
>>> If nothing is connecting, then winbind shouldn't be doing much, so if
>>> it is, you need to find out why.
>>>
>>> Check the Samba logs on the DCs; is there anything relevant showing at
>>> the time that winbind is overloading on the domain member?
>>> Raise the log levels on the DCs and domain members and see if anything
>>> pops out.
>>
>> I ran the logging up to level 10 on the DCs and the file server.
>> The DCs do not show anything significant, at least not that I can tell.
>> There is so much info there I might be missing something.
>>
>> On the file server I see the following at level 10:
>>
>> [2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0),
>> real(0, 0), class=winbind]
>> ../source3/winbindd/winbindd.c:919(new_connection)
>>    accepted socket 44
>> [2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0),
>> real(0, 0), class=winbind]
>> ../source3/winbindd/winbindd.c:734(process_request)
>>    process_request: Handling async request 58214:GETPWNAM
>> [2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0),
>> real(0, 0), class=winbind]
>> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>    getpwnam kmg\mb-shop9-17$
>> [2017/10/16 10:11:21.392868,  1, pid=1440, effective(0, 0),
>> real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>>         wbint_LookupName: struct wbint_LookupName
>>            in: struct wbint_LookupName
>>                domain                   : *
>>                    domain                   : 'KMG'
>>                name                     : *
>>                    name                     : 'MB-SHOP9-17$'
>>                flags                    : 0x00000008 (8)
>> [2017/10/16 10:11:21.392899,  1, pid=1440, effective(0, 0),
>> real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>>         wbint_LookupName: struct wbint_LookupName
>>            out: struct wbint_LookupName
>>                type                     : *
>>                    type                     : SID_NAME_USER (1)
>>                sid                      : *
>>                    sid                      :
>> S-1-5-21-3052942767-4183929206-737583365-1617
>>                result                   : NT_STATUS_OK
>> [2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0),
>> real(0, 0), class=winbind]
>> ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
>>    SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
>> [2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0),
>> real(0, 0)]
>> ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
>>    Parsing value for key
>> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>>  value=[-1:N]
>> [2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0),
>> real(0, 0)]
>> ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
>>    Parsing value for key
>> [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]:
>>  id=[4294967295], endptr=[:N]
>> [2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0),
>> real(0, 0), class=winbind]
>> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>    Could not convert sid
>> S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
>> [2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0),
>> real(0, 0), class=winbind]
>> ../source3/winbindd/winbindd.c:796(wb_request_done)
>>    wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
>> [2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0),
>> real(0, 0), class=winbind]
>> ../source3/winbindd/winbindd.c:734(process_request)
>>    process_request: Handling async request 58217:PAM_AUTH_CRAP
>> [2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>    check_pac_checksum: PAC Verification failed: Decrypt
>> integrity check failed (-1765328353)
>> [2017/10/16 10:11:21.913139,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Decrypt integrity check failed
>> [2017/10/16 10:11:21.913203,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>    PAC Decode: Failed to verify the service signature:
>> Invalid argument
>> [2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0),
>> real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
>>    Found account name from PAC: MB-RECEPTION-17$ []
>>
>> I do not know if it is important or not but these machines were just
>> joined to the domain within the last week or so.
>>
>> I see many of these for different machines.
>>
>> Please let me know what you think.
>>
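Added here as an example, not code from the thread or from Samba: a small Python triage script for the winbind level-10 output quoted above. It joins the wrapped log records back together, attributes each burst of "Failed to verify the service signature" failures to the machine account named when the PAC decode finishes, and pairs each NT_STATUS_NO_SUCH_USER result with the name that was looked up, so the affected machine accounts can be listed before any keytab or enctype change is made. The sample log is constructed from the quoted output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the winbind level-10 output quoted in the thread.
SAMPLE_LOG = """\
[2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0), class=winbind]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam kmg\\mb-shop9-17$
[2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
   Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913139,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Decrypt integrity check failed
[2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
   Found account name from PAC: MB-RECEPTION-17$ []
"""

HEADER = re.compile(r"^\[\d{4}/\d{2}/\d{2} ")          # start of a Samba log record
PAC_FAIL = re.compile(r"Failed to verify the service signature: (.+)$")
PAC_NAME = re.compile(r"Found account name from PAC: (\S+)")
NO_USER = re.compile(r"Could not convert sid (S-[\d-]+): NT_STATUS_NO_SUCH_USER")
GETPWNAM = re.compile(r"getpwnam (\S+)")

def records(text):
    """Join each Samba log header with its wrapped/indented message lines."""
    recs = []
    for line in text.splitlines():
        if HEADER.match(line):
            recs.append([])
        if recs:
            recs[-1].append(line.strip())
    return [" ".join(r) for r in recs]

def triage(text):
    """Return (PAC failures per account, failure reasons, unresolved SID -> looked-up name)."""
    pac_by_acct, reasons, pending = defaultdict(int), Counter(), 0
    unresolved, last_lookup = {}, None
    for rec in records(text):
        if m := PAC_FAIL.search(rec):
            pending += 1                      # failures precede the account name
            reasons[m.group(1).strip()] += 1
        elif m := PAC_NAME.search(rec):
            pac_by_acct[m.group(1)] += pending
            pending = 0
        elif m := NO_USER.search(rec):
            unresolved[m.group(1)] = last_lookup
        elif m := GETPWNAM.search(rec):
            last_lookup = m.group(1)
    return dict(pac_by_acct), dict(reasons), unresolved

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Strip the leading `>> ` quote markers from a real mail excerpt, or feed it log.winbindd directly, before passing the text to triage().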