[Samba] pad length mismatch error message

von Obernitz, Daniel daniel.vonobernitz at uni-greifswald.de
Wed Apr 22 14:32:54 UTC 2020


Hi,

bind9_DLZ is enabled and running, DNS in general is working absolutely fine.

--dns-backend=BIND9_DLZ was used during provision and your collect script also says it's enabled.


Like I said in the other issue, the AD-DC in general is working fine... the posted error message is just something I can't explain, where it comes from...

Best regards
Daniel



-----------

Collected config  --- 2020-04-22-15:15 -----------

Hostname: dc3
DNS Domain: ad.example.de
FQDN: dc3.ad.example.de
ipaddress: XX.XX.XX.53 

-----------

Kerberos SRV _kerberos._tcp.ad.example.de record verified ok, sample output: 
Server:		XX.XX.XX.53
Address:	XX.XX.XX.53#53

_kerberos._tcp.ad.example.de	service = 0 100 88 dc2.ad.example.de.
_kerberos._tcp.ad.example.de	service = 0 100 88 dc4.ad.example.de.
_kerberos._tcp.ad.example.de	service = 0 100 88 dc3.ad.example.de.
_kerberos._tcp.ad.example.de	service = 0 100 88 dc1.ad.example.de.
Samba is running as an AD DC

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.3 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 10:23:4c:7e:05:3f brd ff:ff:ff:ff:ff:ff
    inet XX.XX.XX.53/24 brd XX.XX.XX.255 scope global ens18

-----------
       Checking file: /etc/hosts

127.0.0.1       localhost
XX.XX.XX.53    dc3.ad.example.de    dc3
 
# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

       Checking file: /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver XX.XX.XX.53
search ad.example.de

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = AD.EXAMPLE.DE
	dns_lookup_realm = false
	dns_lookup_kdc = true

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

       Checking file: /etc/samba/smb.conf

# Global parameters
[global]
	netbios name = DC3
	realm = AD.EXAMPLE.DE
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = AD
	interfaces = XX.XX.XX.53
	bind interfaces only = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
	log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
	ldap server require strong auth = no
	tls verify peer = no_check
	tls enabled = yes
	tls keyfile = /path/key.pem
	tls certfile = /path/fullcert.pem
	tls cafile = /etc/ssl/certs/ca-certificates.crt

[sysvol]
	path = /var/lib/samba/sysvol
	read only = yes

[netlogon]
	path = /var/lib/samba/sysvol/ad.example.de/scripts
	read only = yes

-----------

Detected bind DLZ enabled..
       Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------

       Checking file: /etc/bind/named.conf.options

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	forwarders {
	 	YY.YY.YY.4; YY.YY.YY.5;   // we use the AC-DC-DNS only for AD internal hosts
	 };
	tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	listen-on-v6 { any; };
};

-----------

       Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";

-----------

       Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

-----------

Samba DNS zone list:   2 zone(s) found

  pszZoneName                 : ad.example.de
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.ad.example.de

  pszZoneName                 : _msdcs.ad.example.de
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : ForestDnsZones.ad.example.de

Samba DNS zone list Automated check : 
zone : ad.example.de ok, no Bind flat-files found
-----------
zone : _msdcs.ad.example.de ok, no Bind flat-files found
-----------

Installed packages:
ii  acl                              2.2.53-4                    amd64        access control list - utilities
ii  bind9                            1:9.11.5.P4+dfsg-5.1        amd64        Internet Domain Name Server
ii  bind9-host                       1:9.11.5.P4+dfsg-5.1        amd64        DNS lookup utility (deprecated)
ii  bind9utils                       1:9.11.5.P4+dfsg-5.1        amd64        Utilities for BIND
ii  krb5-config                      2.6                         all          Configuration files for Kerberos Version 5
ii  krb5-locales                     1.17-3                      all          internationalization support for MIT Kerberos
ii  libacl1:amd64                    2.2.53-4                    amd64        access control list - shared library
ii  libattr1:amd64                   1:2.4.48-4                  amd64        extended attribute handling - shared library
ii  libbind9-161:amd64               1:9.11.5.P4+dfsg-5.1        amd64        BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64           1.17-3                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64         7.5.0+dfsg-3                amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                  1.17-3                      amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64            1.17-3                      amd64        MIT Kerberos runtime libraries - Support library
ii  libwbclient0:amd64               99:4.12.1-5                 amd64        Glue package for sernet-samba-libs.
ii  sernet-samba                     99:4.12.1-5                 amd64        SMB/CIFS file, print, and login server for Unix
ii  sernet-samba-ad                  99:4.12.1-5                 amd64        Samba Active Directory Domain Controller
ii  sernet-samba-client              99:4.12.1-5                 amd64        a LanManager-like simple client for Unix
ii  sernet-samba-common              99:4.12.1-5                 all          Samba common files used by both the server and the client
ii  sernet-samba-keyring             1.9                         all          GnuPG archive keys of the SerNet Samba archive
ii  sernet-samba-libs:amd64          99:4.12.1-5                 amd64        Samba common library files used by both the server and the client
ii  sernet-samba-libsmbclient0:amd64 99:4.12.1-5                 amd64        Shared library that allows applications to talk to SMB servers
ii  sernet-samba-winbind             99:4.12.1-5                 amd64        Samba nameservice integration server

-----------



On Wednesday, 22.04.2020 at 14:56, L.P.H. van Belle via samba wrote:
> Well, 
> 
> If you are running with bind9_DLZ, you should also enable it.
> 
> Based on what I see below, it's not enabled; you installed it, you're not done yet. ;-)
> Verify the settings (debianize the paths)
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End 
> 
> Then, when it's all done, reboot the server.
> Run this script, anonymize it and post the content to the list.
> 
> Then I know all I want to know.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
> 
> Greetz, 
> 
> Louis
> 
> 
> > -----Original message-----
> > From: von Obernitz, Daniel [mailto:daniel.vonobernitz at uni-greifswald.de]
> > Sent: Wednesday, 22 April 2020 14:50
> > To: L.P.H. van Belle; samba at lists.samba.org
> > Subject: Re: [Samba] pad length mismatch error message
> > 
> > Hi Louis,
> > 
> > it happens on the AD-DC nodes on Debian 10, running with
> > BIND9_DLZ backend...
> > 
> > dpkg -l |grep bind9
> > ii  bind9               1:9.11.5.P4+dfsg-5.1   amd64   Internet Domain Name Server
> > ii  bind9-host          1:9.11.5.P4+dfsg-5.1   amd64   DNS lookup utility (deprecated)
> > ii  bind9utils          1:9.11.5.P4+dfsg-5.1   amd64   Utilities for BIND
> > ii  libbind9-161:amd64  1:9.11.5.P4+dfsg-5.1   amd64   BIND9 Shared Library used by BIND
> > 
> > 
> > smb.conf:
> > 
> > # Global parameters
> > [global]
> >         netbios name = DC3
> >         realm = AD.EXAMPLE.NET
> >         server role = active directory domain controller
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >         workgroup = AD
> >         interfaces = IP
> >         bind interfaces only = yes
> >         load printers = no
> >         printing = bsd
> >         printcap name = /dev/null
> >         disable spoolss = yes
> >         log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
> >         ldap server require strong auth = no
> >         tls verify peer = no_check
> >         tls enabled = yes
> >         tls keyfile = /path/key.pem
> >         tls certfile = /path/fullcert.pem
> >         tls cafile = /etc/ssl/certs/ca-certificates.crt
> > 
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = yes
> > 
> > [netlogon]
> >         path = /var/lib/samba/sysvol/ad.example.net/scripts
> >         read only = yes
> > 
> > 
> > Best regards
> > Daniel
> > 
> > 
> > On Wednesday, 22.04.2020 at 14:40, L.P.H. van Belle via samba wrote:
> > > Hai, 
> > > 
> > > It might be handy to tell us a bit more.
> > > 
> > > Like AD-DC or member. 
> > > content smb.conf ?  
> > > If AD-DC, are you running with or without bind. 
> > > with bind? show : dpkg -l |grep bind9 
> > > 
> > > Greetz, 
> > > 
> > > Louis
> > > 
> > > 
> > > 
> > > > -----Original message-----
> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of von Obernitz, Daniel via samba
> > > > Sent: Wednesday, 22 April 2020 14:18
> > > > To: samba at lists.samba.org
> > > > Subject: [Samba] pad length mismatch error message
> > > > 
> > > > Hi,
> > > > 
> > > > I found the following error message in the log.samba:
> > > > 
> > > > [2020/04/20 16:32:33.168921, 1] ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer)
> > > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length mismatch. Calculated 44 got 0
> > > > 
> > > > It happens on all nodes at different times, but unfortunately
> > > > I have no specific situation or action which causes this.
> > > > 
> > > > We are currently using Samba version 4.12.1-SerNet-Debian-5.buster.
> > > > 
> > > > Do you have any idea what could cause this so I can try to 
> > > > replicate it?
> > > > 
> > > > Best regards
> > > > Daniel
> > > > 