[Samba] problem accessing shares after upgrading member server to 4.17.3 (debian bullseye-backports)

Michael Tokarev mjt at tls.msk.ru
Mon Nov 21 07:10:57 UTC 2022 

Ok, this is another report of an issue with issue, now from me.

After seeing the other two reports about issues with 4.17 upgrade, I tried to reproduce
it locally. And succeeded - sort of.

I have a testbed member server which was running 4.16.6.  After upgrading that one
to 4.17.3+dfsg-1~bpo11-1, I can't connect to any share on it from windows 10.

But in my case, it looks like windows can't *find* the *server* to begin with
(before the samba upgrade it worked just fine; DNS hasn't changed, it has static
A record, there's no dynamic DNS for these hosts).

When entering \\servername\share in windows explorer, I can see a very long pause
first (the windows client does not have access to the 'net - it looks like windows
is trying to find an "alternative" servername somehow, maybe), and after this long
pause, it says (translating to English):

  Windows can not access to \\servername\share
  check if the name is specified correctly...
  details: Error code 0x80004005 Unspecified error

It does try to connect to this servername though, but apparently does not like it.

Smbclient works in my case - using server name too.  I haven't tried kerberos tickets
yet (actually I never tried kerberos auth yet, to begin with).

The server logs these:

[2022/11/21 09:35:01.800542,  1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

And, when starting samba, this:
[2022/11/21 09:33:34.740172,  1] ../../source3/rpc_client/cli_pipe.c:550(cli_pipe_validate_current_pdu)
   ../../source3/rpc_client/cli_pipe.c:550: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host servername!
(yes, it is samba accessing itself).

After increasing verbosity level it logs this:

wh:/var/log/samba# cat log.winbindd-idmap
[2022/11/21 10:01:17.065052,  1] ../../source3/winbindd/idmap_ad.c:289(idmap_ad_tldap_debug)
   idmap_ad_tldap: tldap_context_disconnect: TLDAP_SERVER_DOWN at ../../source3/lib/tldap.c:762
wh:/var/log/samba# cat log.
[2022/11/21 10:01:17.044866,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
   Registered MSG_REQ_POOL_USAGE
[2022/11/21 10:01:17.063451,  2] ../../auth/kerberos/kerberos_pac.c:101(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2022/11/21 10:01:17.063569,  2] ../../auth/kerberos/kerberos_pac.c:101(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2022/11/21 10:01:17.287116,  1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
   rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory


"PAC Verification failed: Decrypt integrity check failed" message seems familiar.

After re-joining this server to the domain, it works.  But it is still quite a bit too noizy
in the logs:

There are LOTS of messages

[2022/11/21 10:05:35.954637,  1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
   ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

repeated in various log files,  and some errors during startup:

[2022/11/21 10:05:35.809707,  1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
   rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory


So in my case, it looks like a re-join of the domain fixes the issue, whichever it was.
But apparently not in other cases..


BTW, can't samba-tool domain join create private_directory? It fails if /var/lib/samba/private
doesn't exist (after removing whole thing from previous domain join), -- cosmetic, but is very
annoying.


Thanks,

/mjt

More information about the samba mailing list