[Samba] accidentally upgraded DC to 4.17.3 ... didn't work

Michael Tokarev mjt at tls.msk.ru
Thu Nov 24 11:14:17 UTC 2022 

[Stefan, I was afk for quite some time, now back just briefly]

24.11.2022 12:32, Stefan G. Weichinger wrote:
> now the processes are there:
> 
> # ps axf | egrep "winbindd"
>     6516 pts/0    S+     0:00      |   \_ grep -E winbindd
>     5960 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
>     5967 ?        Ss     0:03  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>     5986 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]
>     6311 ?        S      0:00  |               \_ winbindd: domain child [BUILTIN]
>     6312 ?        S      0:00  |               \_ winbindd: idmap child

Okay, that looks good.

> # tail log.samba
> [2022/11/24 10:30:01.604138,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>    Got a dns update request.
> [2022/11/24 10:30:01.604970,  2] ../../source4/dns_server/dns_update.c:781(dns_update_allowed)
>    Update not allowed for unsigned packet.
> [2022/11/24 10:30:01.629463,  1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
>    GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, 
> key type aes256-cts-hmac-sha1-96
> [2022/11/24 10:30:01.629577,  1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>    gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2022/11/24 10:30:01.629641,  1] ../../source4/dns_server/dns_query.c:888(handle_tkey)
>    GSS key negotiation returned NT_STATUS_LOGON_FAILURE

That *smalls* like a keytab issue, but I'm not sure yet.

..
> # wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

Wow.

See lsof /run/samba/winbindd/pipe - this will show which
process is listening there.

See  strace -e connect wbinfo -t  - this will show what
wbinfo gets when trying to connect there.

See lsof -p for the winbindd processes above
(eg lsof -p 6312) for the files open by these processes.

It is some very basic stuff..  it's weird.

Has this been restarted after upgrade? (it should, but I
haven't looked at this part in the debian package yet).
Did you restart it manually before?

/mjt

More information about the samba mailing list