[Samba] pad length mismatch error message

L.P.H. van Belle belle at bazuin.nl
Wed Apr 22 15:09:35 UTC 2020


I see multiple things that are off... (see Rowland's message also and ...) 

DNS https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server 
Now look at the example config here and change yours accordingly. 

smb.conf: change that or add -dns 

server services = -dns

As far as I can see, your DNS is using Samba internal DNS. 


Greetz, 

Louis



> -----Original message-----
> From: von Obernitz, Daniel 
> [mailto:daniel.vonobernitz at uni-greifswald.de] 
> Sent: Wednesday 22 April 2020 16:33
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] pad length mismatch error message
> 
> Hi,
> 
> bind9_DLZ is enabled and running, DNS in general is working 
> absolutely fine.
> 
> --dns-backend=BIND9_DLZ was used during provision and your 
> collect script also says it's enabled.
> 
> 
> Like I said in the other issue, the AC-DC in general is 
> working fine... the posted error message is just something I 
> can't explain, where it comes from...
> 
> Best regards
> Daniel
> 
> 
> 
> -----------
> 
> Collected config  --- 2020-04-22-15:15 -----------
> 
> Hostname: dc3
> DNS Domain: ad.example.de
> FQDN: dc3.ad.example.de
> ipaddress: XX.XX.XX.53 
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.ad.example.de record verified ok, sample output: 
> Server:		XX.XX.XX.53
> Address:	XX.XX.XX.53#53
> 
> _kerberos._tcp.ad.example.de	service = 0 100 88 dc2.ad.example.de.
> _kerberos._tcp.ad.example.de	service = 0 100 88 dc4.ad.example.de.
> _kerberos._tcp.ad.example.de	service = 0 100 88 dc3.ad.example.de.
> _kerberos._tcp.ad.example.de	service = 0 100 88 dc1.ad.example.de.
> Samba is running as an AD DC
> 
> -----------
>        Checking file: /etc/os-release
> 
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
> 
> -----------
> 
> 
> This computer is running Debian 10.3 x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 10:23:4c:7e:05:3f brd ff:ff:ff:ff:ff:ff
>     inet XX.XX.XX.53/24 brd XX.XX.XX.255 scope global ens18
> 
> -----------
>        Checking file: /etc/hosts
> 
> 127.0.0.1       localhost
> XX.XX.XX.53    dc3.ad.example.de    dc3
>  
> # The following lines are desirable for IPv6 capable hosts
> #::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
>        Checking file: /etc/resolv.conf
> 
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients directly to
> # all known uplink DNS servers. This file lists all configured search domains.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
> 
> nameserver XX.XX.XX.53
> search ad.example.de
> 
> -----------
> 
>        Checking file: /etc/krb5.conf
> 
> [libdefaults]
> 	default_realm = AD.EXAMPLE.DE
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
> -----------
> 
>        Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         files
> group:          files
> shadow:         files
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> 
>        Checking file: /etc/samba/smb.conf
> 
> # Global parameters
> [global]
> 	netbios name = DC3
> 	realm = AD.EXAMPLE.DE
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = AD
> 	interfaces = XX.XX.XX.53
> 	bind interfaces only = yes
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 	log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
> 	ldap server require strong auth = no
> 	tls verify peer = no_check
> 	tls enabled = yes
> 	tls keyfile = /path/key.pem
> 	tls certfile = /path/fullcert.pem
> 	tls cafile = /etc/ssl/certs/ca-certificates.crt
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = yes
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/ad.example.de/scripts
> 	read only = yes
> 
> -----------
> 
> Detected bind DLZ enabled..
>        Checking file: /etc/bind/named.conf
> 
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
> // structure of BIND configuration files in Debian, *BEFORE* you customize 
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.options
> 
> options {
> 	directory "/var/cache/bind";
> 
> 	// If there is a firewall between you and nameservers you want
> 	// to talk to, you may need to fix the firewall to allow multiple
> 	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> 
> 	// If your ISP provided one or more IP addresses for stable 
> 	// nameservers, you probably want to use them as forwarders.  
> 	// Uncomment the following block, and insert the addresses replacing 
> 	// the all-0's placeholder.
> 
> 	forwarders {
> 	 	YY.YY.YY.4; YY.YY.YY.5;   // we use the AC-DC-DNS only for AD internal hosts
> 	 };
> 	tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> 
> 	//========================================================================
> 	// If BIND logs error messages about the root key being expired,
> 	// you will need to update your keys.  See https://www.isc.org/bind-keys
> 	//========================================================================
> 	dnssec-validation auto;
> 
> 	listen-on-v6 { any; };
> };
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.local
> 
> //
> // Do any local configuration here
> //
> 
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> include "/var/lib/samba/bind-dns/named.conf";
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.default-zones
> 
> // prime the server with knowledge of the root servers
> zone "." {
> 	type hint;
> 	file "/usr/share/dns/root.hints";
> };
> 
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
> 	type master;
> 	file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.255";
> };
> 
> -----------
> 
> Samba DNS zone list:   2 zone(s) found
> 
>   pszZoneName                 : ad.example.de
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
>   pszDpFqdn                   : DomainDnsZones.ad.example.de
> 
>   pszZoneName                 : _msdcs.ad.example.de
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
>   pszDpFqdn                   : ForestDnsZones.ad.example.de
> 
> Samba DNS zone list Automated check : 
> zone : ad.example.de ok, no Bind flat-files found
> -----------
> zone : _msdcs.ad.example.de ok, no Bind flat-files found
> -----------
> 
> Installed packages:
> ii  acl                              2.2.53-4                 amd64        access control list - utilities
> ii  bind9                            1:9.11.5.P4+dfsg-5.1     amd64        Internet Domain Name Server
> ii  bind9-host                       1:9.11.5.P4+dfsg-5.1     amd64        DNS lookup utility (deprecated)
> ii  bind9utils                       1:9.11.5.P4+dfsg-5.1     amd64        Utilities for BIND
> ii  krb5-config                      2.6                      all          Configuration files for Kerberos Version 5
> ii  krb5-locales                     1.17-3                   all          internationalization support for MIT Kerberos
> ii  libacl1:amd64                    2.2.53-4                 amd64        access control list - shared library
> ii  libattr1:amd64                   1:2.4.48-4               amd64        extended attribute handling - shared library
> ii  libbind9-161:amd64               1:9.11.5.P4+dfsg-5.1     amd64        BIND9 Shared Library used by BIND
> ii  libgssapi-krb5-2:amd64           1.17-3                   amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64         7.5.0+dfsg-3             amd64        Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64                  1.17-3                   amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64            1.17-3                   amd64        MIT Kerberos runtime libraries - Support library
> ii  libwbclient0:amd64               99:4.12.1-5              amd64        Glue package for sernet-samba-libs.
> ii  sernet-samba                     99:4.12.1-5              amd64        SMB/CIFS file, print, and login server for Unix
> ii  sernet-samba-ad                  99:4.12.1-5              amd64        Samba Active Directory Domain Controller
> ii  sernet-samba-client              99:4.12.1-5              amd64        a LanManager-like simple client for Unix
> ii  sernet-samba-common              99:4.12.1-5              all          Samba common files used by both the server and the client
> ii  sernet-samba-keyring             1.9                      all          GnuPG archive keys of the SerNet Samba archive
> ii  sernet-samba-libs:amd64          99:4.12.1-5              amd64        Samba common library files used by both the server and the client
> ii  sernet-samba-libsmbclient0:amd64 99:4.12.1-5              amd64        Shared library that allows applications to talk to SMB servers
> ii  sernet-samba-winbind             99:4.12.1-5              amd64        Samba nameservice integration server
> -----------
> 
> 
> 
> On Wednesday, 22.04.2020 at 14:56, L.P.H. van Belle via samba wrote:
> > Well, 
> > 
> > If you are running with bind9_DLZ, you also should enable it.  
> > 
> > Based on what I see below, it's not enabled; you installed it, you're not done yet. ;-) 
> > Verify the settings ( debianize the paths ) 
> > https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End 
> > 
> > Then when it's all done, reboot the server.
> > Run this script, anonymize it and post the content to the list. 
> > 
> > Then I know all I want to know.
> > 
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
> > 
> > Greetz, 
> > 
> > Louis
> > 
> > 
> > > -----Original message-----
> > > From: von Obernitz, Daniel 
> > > [mailto:daniel.vonobernitz at uni-greifswald.de] 
> > > Sent: Wednesday 22 April 2020 14:50
> > > To: L.P.H. van Belle; samba at lists.samba.org
> > > Subject: Re: [Samba] pad length mismatch error message
> > > 
> > > Hi Louis,
> > > 
> > > it happens on the AC-DC nodes on Debian 10, running with 
> > > BIND9_DLZ backend...
> > > 
> > > dpkg -l |grep bind9
> > > ii  bind9                1:9.11.5.P4+dfsg-5.1     amd64        Internet Domain Name Server
> > > ii  bind9-host           1:9.11.5.P4+dfsg-5.1     amd64        DNS lookup utility (deprecated)
> > > ii  bind9utils           1:9.11.5.P4+dfsg-5.1     amd64        Utilities for BIND
> > > ii  libbind9-161:amd64   1:9.11.5.P4+dfsg-5.1     amd64        BIND9 Shared Library used by BIND
> > > 
> > > 
> > > smb.conf:
> > > 
> > > # Global parameters
> > > [global]
> > >         netbios name = DC3
> > >         realm = AD.EXAMPLE.NET
> > >         server role = active directory domain controller
> > >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > >         workgroup = AD
> > >         interfaces = IP
> > >         bind interfaces only = yes
> > >         load printers = no
> > >         printing = bsd
> > >         printcap name = /dev/null
> > >         disable spoolss = yes
> > >         log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
> > >         ldap server require strong auth = no
> > >         tls verify peer = no_check
> > >         tls enabled = yes
> > >         tls keyfile = /path/key.pem
> > >         tls certfile = /path/fullcert.pem
> > >         tls cafile = /etc/ssl/certs/ca-certificates.crt
> > > 
> > > [sysvol]
> > >         path = /var/lib/samba/sysvol
> > >         read only = yes
> > > 
> > > [netlogon]
> > >         path = /var/lib/samba/sysvol/ad.example.net/scripts
> > >         read only = yes
> > > 
> > > 
> > > Best regards
> > > Daniel
> > > 
> > > 
> > > On Wednesday, 22.04.2020 at 14:40, L.P.H. van Belle via samba wrote:
> > > > Hai, 
> > > > 
> > > > It might be handy to tell us a bit more. 
> > > > 
> > > > Like AD-DC or member. 
> > > > content smb.conf ?  
> > > > If AD-DC, are you running with or without bind. 
> > > > with bind? show : dpkg -l |grep bind9 
> > > > 
> > > > Greetz, 
> > > > 
> > > > Louis
> > > > 
> > > > 
> > > > 
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of von 
> > > > > Obernitz, Daniel via samba
> > > > > Sent: Wednesday 22 April 2020 14:18
> > > > > To: samba at lists.samba.org
> > > > > Subject: [Samba] pad length mismatch error message
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > I found the following error message in the log.samba:
> > > > > 
> > > > > [2020/04/20 16:32:33.168921, 1] ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer)
> > > > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length mismatch. Calculated 44 got 0
> > > > > 
> > > > > It happens on all nodes on different times, but unfortunately 
> > > > > I have no specific situation or action which causes this.
> > > > > 
> > > > > We are currently using Samba version 4.12.1-SerNet-Debian-5.buster.
> > > > > 
> > > > > Do you have any idea what could cause this so I can try to 
> > > > > replicate it?
> > > > > 
> > > > > Best regards
> > > > > Daniel
> > > > > 
> > > > 
> > > > 
> > > > -- 
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > 
> > > 
> > 
> > 
> > 
> 
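
How a `server services` value resolves on an AD DC that also loads the BIND9_DLZ configuration, as an added example that is not part of the original messages or of Samba's code: per smb.conf(5) a plain list replaces the default (which ends in `dns`), while `+`/`-` entries modify it. Function names and sample strings are assumptions constructed for illustration, and only the last value in `[global]` is considered.

```python
import re

# Default value of "server services" per smb.conf(5); note the trailing "dns".
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]

def global_param(smb_conf, name):
    """Return the last value of `name` in [global], or None if unset."""
    section, value = None, None
    for line in smb_conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if " ".join(key.lower().split()) == name:
                value = val.strip()
    return value

def effective_services(smb_conf):
    """A plain list replaces the default; +svc / -svc entries modify it."""
    raw = global_param(smb_conf, "server services")
    entries = [e for e in re.split(r"[,\s]+", raw.strip()) if e] if raw else []
    if not any(e[0] in "+-" for e in entries):
        return entries or list(DEFAULT_SERVICES)
    if not all(e[0] in "+-" for e in entries):
        raise ValueError("mixed plain and +/- entries are not supported")
    services = list(DEFAULT_SERVICES)
    for e in entries:
        if e[0] == "+" and e[1:] not in services:
            services.append(e[1:])
        elif e[0] == "-" and e[1:] in services:
            services.remove(e[1:])
    return services

def dns_backend_conflict(smb_conf, named_conf):
    """True when the internal DNS service is on while BIND loads the DLZ config."""
    dlz = any("bind-dns/named.conf" in l and not l.strip().startswith("//")
              for l in named_conf.splitlines())
    return dlz and "dns" in effective_services(smb_conf)

# Constructed samples, modelled on the configuration quoted in the thread.
UNSET = "[global]\n\tserver role = active directory domain controller\n"
EXPLICIT = UNSET + "\tserver services = " + ", ".join(DEFAULT_SERVICES[:-1]) + "\n"
MINUS_DNS = UNSET + "\tserver services = -dns\n"
NAMED_LOCAL = 'include "/var/lib/samba/bind-dns/named.conf";\n'
```
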
