Winbindd DCERPC requests to DC are intermittently failing with NT_STATUS_RPC_SEC_PKG_ERROR.
Hemanth Thummala
hemanth.thummala at nutanix.com
Wed Jan 16 22:41:41 UTC 2019
Hello All,
We are running Samba 4.3.11 stack. We are witnessing that DCERPC(NetrLogon*) requests( as part of establishing the secure channel from winbindd) frequently failing with RPC_SEC_PKG_ERRORs. Sometimes, next retry would be successful or the error would be persistent till we restart winbind.
[2019/01/16 12:12:14.669030, 1, pid=57612, effective(0, 0), real(0, 0), class=rpc_cli] ../source3/rpc_client/cli_pipe.c:568(cli_pipe_validate_current_pdu)
../source3/rpc_client/cli_pipe.c:568: RPC fault code DCERPC_FAULT_SEC_PKG_ERROR received from host DCDC-1.DRMAFS.LAB!
[2019/01/16 12:12:14.669044, 10, pid=57612, effective(0, 0), real(0, 0), class=rpc_cli] ../source3/rpc_client/cli_pipe.c:975(rpc_api_pipe_got_pdu)
rpc_api_pipe: got frag len of 32 at offset 0: NT_STATUS_RPC_SEC_PKG_ERROR
And the very next request succeeded.
[2019/01/16 12:12:19.280066, 10, pid=57612, effective(0, 0), real(0, 0), class=rpc_cli] ../source3/rpc_client/cli_pipe.c:3341(cli_rpc_pipe_open_schannel_with_creds)
cli_rpc_pipe_open_schannel_with_creds: opened pipe netlogon to machine DCDC-1.DRMAFS.LAB for domain DRMAFS and bound using schannel.
[2019/01/16 12:12:19.280076, 3, pid=57612, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:677(_wbint_CheckMachineAccount)
domain DRMAFS secret is good
Capture on DC shows that request failing with with FAULT PKG error.
1133 17.712152 x.x.x.x y.y.y.y RPC_NETLOGON 454 NetrLogonDummyRoutine1 request
1134 17.712402 y.y.y.y x.x.x.x DCERPC 214 Fault: call_id: 17866, Fragment: Single, Ctx: 0, status: nca_s_fault_sec_pkg_error
This is causing all the LookupName DCERPCs to fail which inturn affecting the user authentication. Any inputs to debug this issue?
Thanks,
Hemanth.
More information about the samba-technical
mailing list