[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently

Bharath Bheemarasetti bharath.bheemarasetti at gmail.com
Sun Jul 2 19:40:26 UTC 2023 

On further investigation, the error that shows up in packet capture is that
the DC is returning [Fault: nca_s_fault_sec_pkg_error] for the
NetrLogonSamLogonEx call. There are no error logs (or any logs) regarding
the netlogon call failure in the netlogon logs even after enabling debug
logs in the DC. One more interesting thing is restarting the netlogon.exe
service on the DC also fixes the issue temporarily similar to restarting
the smb service

Is it possible that something is going stale in the winbindd memory/cache
that is getting fixed on these restarts? If yes, how do I go about
debugging that as it is not apparent from the logs?

P.S: We have different setups and the frequency of this error is
different in all of them. Also, there is another setup with Samba 4.7 on
Ubuntu 18.04 and everything works fine there.

On Fri, Jun 16, 2023 at 1:26 PM Bharath Bheemarasetti <
bharath.bheemarasetti at gmail.com> wrote:

> First 'winbind enum' lines, they can and do slow things down in large
> domains and aren't required at all, getent etc will work without them.
> there are some old programs that will not work without them, but when
> was the last time you ran 'finger' for instance ?
>
> I made this change and it makes some difference but doesn't fix the issue entirely. Earlier the auth calls used to fail in around a day which has increased to 2 days now after which the auth calls fail with NT_STATUS_RPC_SEC_PKG_ERROR and winbind needs to be restarted for it to work. We use NTLMv2 for authentication and using the ntlm_auth tool (https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html) returns the same NT_STATUS_RPC_SEC_PKG_ERROR error as well while wbinfo -i returns the correct user info.
>
> Is there anything else that can be done to fix this permanently?
>
> You might also want to read the smb.conf manpage, you have lots of lines
> that I would never set.
>
> Thanks, I removed some lines which are not used anymore and will be cleaning up others shortly.
>
>
> On Sat, Jun 3, 2023 at 1:09 PM Bharath Bheemarasetti <
> bharath.bheemarasetti at gmail.com> wrote:
>
>> A couple of things possible, from 4.8.0 winbind must be running and your
>> smb.conf is, to be blunt, rubbish. You need to set the workgroup, you
>> need to have idmap config lines for the workgroup, the 'winbind enum'
>> lines only slow things down and 'map untrusted to domain' has been removed.
>>
>> Winbind is running and the workgroup was set as well. I omitted some lines from the smb.conf shared previously as I wasn't sure if they were relevant or not. I've added the full content below. Also share is being accessed by a windows client which is part of the domain and it does work fine for a few hours after restarting the smbd and winbind services. Does 'winbind enum' have any relation to that?
>>
>> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#WINBINDENUMUSERS mentions turning off 'winbind enum' can cause some problems
>>
>> *Configuration:*
>>
>> netbios name = clustF994DF
>> realm = <domain>
>>
>> bind interfaces only = yes
>> interfaces = 127.0.0.138 lo:138
>>
>> workgroup = <workgroup>
>> security = ads
>> server role = member server
>>
>> auth methods = winbind
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-24999999
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> usershare allow guests = no
>>
>> map untrusted to domain = Yes
>> allow trusted domains = no
>> server string = %h
>> dns proxy = no
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> panic action = /usr/share/samba/panic-action %d
>> smb ports = 1445
>> pid directory = /var/run/samba
>>
>> server min protocol = SMB2
>> strict sync = yes
>> sync always = no
>>
>> smb encrypt = auto
>>
>> aio read size = 1
>> aio write size = 1
>>
>> smb2 max read = 1048576
>> smb2 max write = 1048576
>> smb2 max trans = 1048576
>>
>> socket options = TCP_NODELAY SO_RCVBUF=10485760 SO_SNDBUF=10485760
>>
>> usershare owner only = no
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> machine password timeout = 0
>>
>> nt acl support = yes
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> log level = 5
>> max log size = 1000
>>
>> *Share configuration:*
>>
>>   path = <path>
>>
>>   guest ok = no
>>
>>   writeable = no
>>
>>   browseable = no
>>
>>   valid users = "<domain>\<user>","+<domain>\<user group>"
>>
>>   force user = root
>>
>> On Fri, Jun 2, 2023 at 3:21 AM Bharath Bheemarasetti <
>> bharath.bheemarasetti at gmail.com> wrote:
>>
>>> Hi,
>>> I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
>>> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
>>> Post the upgrade, winbind authentication fails
>>> with  NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
>>> restarting the smb service but comes back after some time. There were no
>>> isses with the setup before the upgrade.
>>> Tried clearing the cached tdb files as well but the issue still come
>>> back after some time.
>>> <trimmed the log lines>
>>>
>>
>>> Below is the configuration:
>>> security = ads
>>> server role = member server
>>> auth methods = winbind
>>> idmap config * : backend = tdb
>>> idmap config * : range = 10000-24999999
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> usershare allow guests = no
>>> map untrusted to domain = Yes
>>> allow trusted domains = no
>>>
>>

More information about the samba mailing list