[Samba] problem accessing shares after upgrading member server to 4.17.3 (debian bullseye-backports)
Michael Tokarev
mjt at tls.msk.ru
Mon Nov 21 07:10:57 UTC 2022
Ok, this is another report of an issue with issue, now from me.
After seeing the other two reports about issues with 4.17 upgrade, I tried to reproduce
it locally. And succeeded - sort of.
I have a testbed member server which was running 4.16.6. After upgrading that one
to 4.17.3+dfsg-1~bpo11-1, I can't connect to any share on it from windows 10.
But in my case, it looks like windows can't *find* the *server* to begin with
(before the samba upgrade it worked just fine; DNS hasn't changed, it has static
A record, there's no dynamic DNS for these hosts).
When entering \\servername\share in windows explorer, I can see a very long pause
first (the windows client does not have access to the 'net - it looks like windows
is trying to find an "alternative" servername somehow, maybe), and after this long
pause, it says (translating to English):
Windows can not access to \\servername\share
check if the name is specified correctly...
details: Error code 0x80004005 Unspecified error
It does try to connect to this servername though, but apparently does not like it.
Smbclient works in my case - using server name too. I haven't tried kerberos tickets
yet (actually I never tried kerberos auth yet, to begin with).
The server logs these:
[2022/11/21 09:35:01.800542, 1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
And, when starting samba, this:
[2022/11/21 09:33:34.740172, 1] ../../source3/rpc_client/cli_pipe.c:550(cli_pipe_validate_current_pdu)
../../source3/rpc_client/cli_pipe.c:550: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host servername!
(yes, it is samba accessing itself).
After increasing verbosity level it logs this:
wh:/var/log/samba# cat log.winbindd-idmap
[2022/11/21 10:01:17.065052, 1] ../../source3/winbindd/idmap_ad.c:289(idmap_ad_tldap_debug)
idmap_ad_tldap: tldap_context_disconnect: TLDAP_SERVER_DOWN at ../../source3/lib/tldap.c:762
wh:/var/log/samba# cat log.
[2022/11/21 10:01:17.044866, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
Registered MSG_REQ_POOL_USAGE
[2022/11/21 10:01:17.063451, 2] ../../auth/kerberos/kerberos_pac.c:101(check_pac_checksum)
check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2022/11/21 10:01:17.063569, 2] ../../auth/kerberos/kerberos_pac.c:101(check_pac_checksum)
check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2022/11/21 10:01:17.287116, 1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
"PAC Verification failed: Decrypt integrity check failed" message seems familiar.
After re-joining this server to the domain, it works. But it is still quite a bit too noizy
in the logs:
There are LOTS of messages
[2022/11/21 10:05:35.954637, 1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
repeated in various log files, and some errors during startup:
[2022/11/21 10:05:35.809707, 1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
So in my case, it looks like a re-join of the domain fixes the issue, whichever it was.
But apparently not in other cases..
BTW, can't samba-tool domain join create private_directory? It fails if /var/lib/samba/private
doesn't exist (after removing whole thing from previous domain join), -- cosmetic, but is very
annoying.
Thanks,
/mjt
More information about the samba
mailing list