[Samba] pad length mismatch error message
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 22 15:09:35 UTC 2020
I see multiple things that are off... (see Rowland's message also, and ...)
DNS: https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server
Now look at the example config here and change yours accordingly.
smb.conf: change that or add -dns
server services = -dns
As far as I can see, your DNS is using the Samba internal DNS.
Greetz,
Louis
> -----Original message-----
> From: von Obernitz, Daniel
> [mailto:daniel.vonobernitz at uni-greifswald.de]
> Sent: Wednesday, 22 April 2020 16:33
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] pad length mismatch error message
>
> Hi,
>
> bind9_DLZ is enabled and running, DNS in general is working
> absolutely fine.
>
> --dns-backend=BIND9_DLZ was used during provision and your
> collect script also says it's enabled.
>
>
> Like I said in the other issue, the AC-DC in general is
> working fine... the posted error message is just something I
> can't explain, where it comes from...
>
> Best regards
> Daniel
>
>
>
> -----------
>
> Collected config --- 2020-04-22-15:15 -----------
>
> Hostname: dc3
> DNS Domain: ad.example.de
> FQDN: dc3.ad.example.de
> ipaddress: XX.XX.XX.53
>
> -----------
>
> Kerberos SRV _kerberos._tcp.ad.example.de record verified ok, sample output:
> Server: XX.XX.XX.53
> Address: XX.XX.XX.53#53
>
> _kerberos._tcp.ad.example.de service = 0 100 88 dc2.ad.example.de.
> _kerberos._tcp.ad.example.de service = 0 100 88 dc4.ad.example.de.
> _kerberos._tcp.ad.example.de service = 0 100 88 dc3.ad.example.de.
> _kerberos._tcp.ad.example.de service = 0 100 88 dc1.ad.example.de.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.3 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether 10:23:4c:7e:05:3f brd ff:ff:ff:ff:ff:ff
> inet XX.XX.XX.53/24 brd XX.XX.XX.255 scope global ens18
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> XX.XX.XX.53 dc3.ad.example.de dc3
>
> # The following lines are desirable for IPv6 capable hosts
> #::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients directly to
> # all known uplink DNS servers. This file lists all configured search domains.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
>
> nameserver XX.XX.XX.53
> search ad.example.de
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = AD.EXAMPLE.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files
> group: files
> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = DC3
> realm = AD.EXAMPLE.DE
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = AD
> interfaces = XX.XX.XX.53
> bind interfaces only = yes
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
> ldap server require strong auth = no
> tls verify peer = no_check
> tls enabled = yes
> tls keyfile = /path/key.pem
> tls certfile = /path/fullcert.pem
> tls cafile = /etc/ssl/certs/ca-certificates.crt
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.example.de/scripts
> read only = yes
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> forwarders {
> YY.YY.YY.4; YY.YY.YY.5; // we use the AC-DC-DNS only for AD internal hosts
> };
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
>
> //========================================================================
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See https://www.isc.org/bind-keys
>
> //========================================================================
> dnssec-validation auto;
>
> listen-on-v6 { any; };
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> include "/var/lib/samba/bind-dns/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list: 2 zone(s) found
>
> pszZoneName : ad.example.de
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.ad.example.de
>
> pszZoneName : _msdcs.ad.example.de
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.ad.example.de
>
> Samba DNS zone list Automated check :
> zone : ad.example.de ok, no Bind flat-files found
> -----------
> zone : _msdcs.ad.example.de ok, no Bind flat-files found
> -----------
>
> Installed packages:
> ii acl 2.2.53-4 amd64 access control list - utilities
> ii bind9 1:9.11.5.P4+dfsg-5.1 amd64 Internet Domain Name Server
> ii bind9-host 1:9.11.5.P4+dfsg-5.1 amd64 DNS lookup utility (deprecated)
> ii bind9utils 1:9.11.5.P4+dfsg-5.1 amd64 Utilities for BIND
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.17-3 all internationalization support for MIT Kerberos
> ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
> ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
> ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 amd64 BIND9 Shared Library used by BIND
> ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-3 amd64 Heimdal Kerberos - libraries
> ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - Support library
> ii libwbclient0:amd64 99:4.12.1-5 amd64 Glue package for sernet-samba-libs.
> ii sernet-samba 99:4.12.1-5 amd64 SMB/CIFS file, print, and login server for Unix
> ii sernet-samba-ad 99:4.12.1-5 amd64 Samba Active Directory Domain Controller
> ii sernet-samba-client 99:4.12.1-5 amd64 a LanManager-like simple client for Unix
> ii sernet-samba-common 99:4.12.1-5 all Samba common files used by both the server and the client
> ii sernet-samba-keyring 1.9 all GnuPG archive keys of the SerNet Samba archive
> ii sernet-samba-libs:amd64 99:4.12.1-5 amd64 Samba common library files used by both the server and the client
> ii sernet-samba-libsmbclient0:amd64 99:4.12.1-5 amd64 Shared library that allows applications to talk to SMB servers
> ii sernet-samba-winbind 99:4.12.1-5 amd64 Samba nameservice integration server
>
> -----------
>
>
>
> On Wednesday, 22.04.2020 at 14:56, L.P.H. van Belle via samba wrote:
> > Well,
> >
> > If you are running with bind9_DLZ, you also should enable it.
> >
> > Based on what I see below, it's not enabled; you installed it, you're not done yet. ;-)
> > Verify the settings ( debianize the paths )
> > https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
> >
> > Then it's all done, reboot the server.
> > Run this script, anonymize it and post the content to the list.
> >
> > Then I know all I want to know.
> >
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Original message-----
> > > From: von Obernitz, Daniel
> > > [mailto:daniel.vonobernitz at uni-greifswald.de]
> > > Sent: Wednesday, 22 April 2020 14:50
> > > To: L.P.H. van Belle; samba at lists.samba.org
> > > Subject: Re: [Samba] pad length mismatch error message
> > >
> > > Hi Louis,
> > >
> > > it happens on the AC-DC nodes on Debian 10, running with
> > > BIND9_DLZ backend...
> > >
> > > dpkg -l |grep bind9
> > > ii bind9 1:9.11.5.P4+dfsg-5.1 amd64 Internet Domain Name Server
> > > ii bind9-host 1:9.11.5.P4+dfsg-5.1 amd64 DNS lookup utility (deprecated)
> > > ii bind9utils 1:9.11.5.P4+dfsg-5.1 amd64 Utilities for BIND
> > > ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 amd64 BIND9 Shared Library used by BIND
> > >
> > >
> > > smb.conf:
> > >
> > > # Global parameters
> > > [global]
> > > netbios name = DC3
> > > realm = AD.EXAMPLE.NET
> > > server role = active directory domain controller
> > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > > workgroup = AD
> > > interfaces = IP
> > > bind interfaces only = yes
> > > load printers = no
> > > printing = bsd
> > > printcap name = /dev/null
> > > disable spoolss = yes
> > > log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
> > > ldap server require strong auth = no
> > > tls verify peer = no_check
> > > tls enabled = yes
> > > tls keyfile = /path/key.pem
> > > tls certfile = /path/fullcert.pem
> > > tls cafile = /etc/ssl/certs/ca-certificates.crt
> > >
> > > [sysvol]
> > > path = /var/lib/samba/sysvol
> > > read only = yes
> > >
> > > [netlogon]
> > > path = /var/lib/samba/sysvol/ad.example.net/scripts
> > > read only = yes
> > >
> > >
> > > Best regards
> > > Daniel
> > >
> > >
> > > On Wednesday, 22.04.2020 at 14:40, L.P.H. van Belle via samba wrote:
> > > > Hai,
> > > >
> > > > It might be handy to tell us a bit more.
> > > >
> > > > Like AD-DC or member.
> > > > Content of smb.conf?
> > > > If AD-DC, are you running with or without bind.
> > > > with bind? show : dpkg -l |grep bind9
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of von
> > > > > Obernitz, Daniel via samba
> > > > > Sent: Wednesday, 22 April 2020 14:18
> > > > > To: samba at lists.samba.org
> > > > > Subject: [Samba] pad length mismatch error message
> > > > >
> > > > > Hi,
> > > > >
> > > > > I found the following error message in the log.samba:
> > > > >
> > > > > [2020/04/20 16:32:33.168921, 1] ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer)
> > > > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length mismatch. Calculated 44 got 0
> > > > >
> > > > > It happens on all nodes on different times, but unfortunately
> > > > > I have no specific situation or action which causes this.
> > > > >
> > > > > We are currently using Samba version 4.12.1-SerNet-Debian-5.buster.
> > > > >
> > > > > Do you have any idea what could cause this so I can try to
> > > > > replicate it?
> > > > >
> > > > > Best regards
> > > > > Daniel
> > > > >
> > > >
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions: https://lists.samba.org/mailman/options/samba
> > > >
> > >
> >
> >
> >
>
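Added example (not part of the thread and not Samba's own code): how smb.conf(5) resolves `server services`, so the effective list can be checked for the internal `dns` service under both forms that appear above, the explicit list and `-dns`. The default list is taken from the man page; the function names and sample strings are constructed for illustration.

```python
import re

# Default list per smb.conf(5) for Samba 4.x (from the man page, not the thread).
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]

def global_params(text):
    """Return {name: value} from [global]; names compared without case/spaces."""
    text = re.sub(r"\\\r?\n", " ", text)        # join backslash continuations
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def effective_services(smb_conf_text):
    """A plain list replaces the default; +name / -name entries modify it."""
    value = global_params(smb_conf_text).get("serverservices")
    if value is None:
        return list(DEFAULT_SERVICES)
    items = [i for i in re.split(r"[,\s]+", value) if i]
    prefixed = [i[0] in "+-" for i in items]
    if not any(prefixed):
        return items
    if not all(prefixed):                       # mixed syntax: rejected here
        raise ValueError("mixed plain and +/- entries: " + value)
    result = list(DEFAULT_SERVICES)
    for item in items:
        name = item[1:]
        if item[0] == "-":
            result = [s for s in result if s != name]
        elif name not in result:
            result.append(name)
    return result

def internal_dns_enabled(smb_conf_text):
    return "dns" in effective_services(smb_conf_text)

# Constructed samples; the first repeats the list posted in the thread.
EXPLICIT = "[global]\nserver services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate\n"
MINUS_DNS = "[global]\n  server services = -dns\n"
UNSET = "[global]\n  workgroup = AD\n"
```

On a live DC, `testparm -s` prints the configuration as Samba parsed it, which is the authoritative check.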