[Samba] pad length mismatch error message
von Obernitz, Daniel
daniel.vonobernitz at uni-greifswald.de
Wed Apr 22 14:32:54 UTC 2020
Hi,
bind9_DLZ is enabled and running, DNS in general is working absolutely fine.
--dns-backend=BIND9_DLZ was used during provision and your collect script also says it's enabled.
Like I said in the other issue, the AC-DC in general is working fine... the posted error message is just something I can't explain, where it comes from...
Best regards
Daniel
-----------
Collected config --- 2020-04-22-15:15 -----------
Hostname: dc3
DNS Domain: ad.example.de
FQDN: dc3.ad.example.de
ipaddress: XX.XX.XX.53
-----------
Kerberos SRV _kerberos._tcp.ad.example.de record verified ok, sample output:
Server: XX.XX.XX.53
Address: XX.XX.XX.53#53
_kerberos._tcp.ad.example.de service = 0 100 88 dc2.ad.example.de.
_kerberos._tcp.ad.example.de service = 0 100 88 dc4.ad.example.de.
_kerberos._tcp.ad.example.de service = 0 100 88 dc3.ad.example.de.
_kerberos._tcp.ad.example.de service = 0 100 88 dc1.ad.example.de.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.3 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 10:23:4c:7e:05:3f brd ff:ff:ff:ff:ff:ff
inet XX.XX.XX.53/24 brd XX.XX.XX.255 scope global ens18
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
XX.XX.XX.53 dc3.ad.example.de dc3
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver XX.XX.XX.53
search ad.example.de
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = AD.EXAMPLE.DE
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files
group: files
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC3
realm = AD.EXAMPLE.DE
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = AD
interfaces = XX.XX.XX.53
bind interfaces only = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
ldap server require strong auth = no
tls verify peer = no_check
tls enabled = yes
tls keyfile = /path/key.pem
tls certfile = /path/fullcert.pem
tls cafile = /etc/ssl/certs/ca-certificates.crt
[sysvol]
path = /var/lib/samba/sysvol
read only = yes
[netlogon]
path = /var/lib/samba/sysvol/ad.example.de/scripts
read only = yes
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
YY.YY.YY.4; YY.YY.YY.5; // we use the AC-DC-DNS only for AD internal hosts
};
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 2 zone(s) found
pszZoneName : ad.example.de
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.ad.example.de
pszZoneName : _msdcs.ad.example.de
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.ad.example.de
Samba DNS zone list Automated check :
zone : ad.example.de ok, no Bind flat-files found
-----------
zone : _msdcs.ad.example.de ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii bind9 1:9.11.5.P4+dfsg-5.1 amd64 Internet Domain Name Server
ii bind9-host 1:9.11.5.P4+dfsg-5.1 amd64 DNS lookup utility (deprecated)
ii bind9utils 1:9.11.5.P4+dfsg-5.1 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all internationalization support for MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-3 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - Support library
ii libwbclient0:amd64 99:4.12.1-5 amd64 Glue package for sernet-samba-libs.
ii sernet-samba 99:4.12.1-5 amd64 SMB/CIFS file, print, and login server for Unix
ii sernet-samba-ad 99:4.12.1-5 amd64 Samba Active Directory Domain Controller
ii sernet-samba-client 99:4.12.1-5 amd64 a LanManager-like simple client for Unix
ii sernet-samba-common 99:4.12.1-5 all Samba common files used by both the server and the client
ii sernet-samba-keyring 1.9 all GnuPG archive keys of the SerNet Samba archive
ii sernet-samba-libs:amd64 99:4.12.1-5 amd64 Samba common library files used by both the server and the client
ii sernet-samba-libsmbclient0:amd64 99:4.12.1-5 amd64 Shared library that allows applications to talk to SMB servers
ii sernet-samba-winbind 99:4.12.1-5 amd64 Samba nameservice integration server
-----------
Am Mittwoch, den 22.04.2020 um 14:56 schrieb L.P.H. van Belle via samba:
> Well,
>
> If you running with bind9_DLZ, you also should enable it.
>
> Based on what i see below, its not enable, you installed it your not done yet. ;-)
> Verify the settings ( debianize the paths )
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>
> Then then its all done, reboot the server.
> Run this script, anonimized it and post the content to the list.
>
> Then i know all i want to know.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Greetz,
>
> Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: von Obernitz, Daniel
> > [mailto:daniel.vonobernitz at uni-greifswald.de]
> > Verzonden: woensdag 22 april 2020 14:50
> > Aan: L.P.H. van Belle; samba at lists.samba.org
> > Onderwerp: Re: [Samba] pad length mismatch error message
> >
> > Hi Louis,
> >
> > it happens on the AC-DC nodes on Debian 10, running with
> > BIND9_DLZ backend...
> >
> > dpkg -l |grep bind9
> > ii bind9 1:9.11.5.P4+dfsg-5.1
> > amd64 Internet Domain Name Server
> > ii bind9-host 1:9.11.5.P4+dfsg-5.1
> > amd64 DNS lookup utility (deprecated)
> > ii bind9utils 1:9.11.5.P4+dfsg-5.1
> > amd64 Utilities for BIND
> > ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1
> > amd64 BIND9 Shared Library used by BIND
> >
> >
> > smb.conf:
> >
> > # Global parameters
> > [global]
> > netbios name = DC3
> > realm = AD.EXAMPLE.NET
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
> > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = AD
> > interfaces = IP
> > bind interfaces only = yes
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> > log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
> > ldap server require strong auth = no
> > tls verify peer = no_check
> > tls enabled = yes
> > tls keyfile = /path/key.pem
> > tls certfile = /path/fullcert.pem
> > tls cafile = /etc/ssl/certs/ca-certificates.crt
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = yes
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/ad.example.net/scripts
> > read only = yes
> >
> >
> > Best regards
> > Daniel
> >
> >
> > Am Mittwoch, den 22.04.2020 um 14:40 schrieb L.P.H. van Belle
> > via samba:
> > > Hai,
> > >
> > > I might be handy to tell us a bit more.
> > >
> > > Like AD-DC or member.
> > > content smb.conf ?
> > > If AD-DC, are you running with or without bind.
> > > with bind? show : dpkg -l |grep bind9
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >
> > >
> > > > -----Oorspronkelijk bericht-----
> > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von
> > > > Obernitz, Daniel via samba
> > > > Verzonden: woensdag 22 april 2020 14:18
> > > > Aan: samba at lists.samba.org
> > > > Onderwerp: [Samba] pad length mismatch error message
> > > >
> > > > Hi,
> > > >
> > > > I found the following error message in the log.samba:
> > > >
> > > > [2020/04/20 16:32:33.168921, 1]
> > > > ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer)
> > > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length
> > > > mismatch. Calculated 44 got 0
> > > >
> > > > It happens on all nodes on different times, but unfortunately
> > > > I have no specific situation or action which causes this.
> > > >
> > > > We are currently using Samba version
> > 4.12.1-SerNet-Debian-5.buster.
> > > >
> > > > Do you have any idea what could cause this so I can try to
> > > > replicate it?
> > > >
> > > > Best regards
> > > > Daniel
> > > >
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6098 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20200422/855c68f1/smime.bin>
More information about the samba
mailing list