Samba 4.6.2 member server errors


Samba 4.6.2 member server errors

Samba - General mailing list
Hi,

I have 2 samba AD DC's running 4.7.0 and 2 member servers running 4.6.2.

Everything seems to be working OK except that I see the following errors
over and over again in the winbind log on one of the member servers:

[2017/10/12 00:53:52.351095,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:54.588468,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)

Can someone tell me what this means and if I should troubleshoot this further?

My Google-fu has not been helpful.

Regards,

--
Tom [hidden email]

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 4.6.2 member server errors

Samba - General mailing list
Hai,

You googled with the wrong words, I think.

1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
Based on your question, what I experienced and what I found with Google.

https://support.oneidentity.com/authentication-services/kb/92515
Don't look at the product here, but it's an exact match on the error code.
They say the source of the problem is AD out of sync.

And now I'm thinking, I also had such a problem due to an out-of-sync AD database.
Where/how the out of sync happened I never found out.
Can you check if your DCs are in sync?

The other I found
https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
is a problem in the keytab files, and I did replace my keytab file, which solved 90% of my problem.
The 10% leftover problem, an NFS keytab caching related thing, only involved my user account, so low prio for me.
Here the solution is to replace all keytab files. I did only the member server.
And that verifies it to me.

So I don't have an exact solution, only one big piece of advice:
if you upgrade, make sure your DB replication is in sync and you checked all AD DC DBs.


Greetz,

Louis



 


Re: Samba 4.6.2 member server errors

Samba - General mailing list
Hi Louis,

On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:

> Hai,
>
> You googled with the wrong words, I think.

I have no problem believing that. :-)

> 1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
> Based on your question, what I experienced and what I found with Google.
>
> https://support.oneidentity.com/authentication-services/kb/92515
> Don't look at the product here, but it's an exact match on the error code.
> They say the source of the problem is AD out of sync.
>
> And now I'm thinking, I also had such a problem due to an out-of-sync AD database.
> Where/how the out of sync happened I never found out.
> Can you check if your DCs are in sync?
>
> The other I found
> https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
> is a problem in the keytab files, and I did replace my keytab file, which solved 90% of my problem.
> The 10% leftover problem, an NFS keytab caching related thing, only involved my user account, so low prio for me.
> Here the solution is to replace all keytab files. I did only the member server.
> And that verifies it to me.

I appreciate the information but I am confused. The above articles talk about this
being a krb5.keytab issue. This is confusing to me because the errors occur on a
Samba AD member server not either of the DC's.

There is no keytab on the member servers.

I do not know if it matters but all of the machines are Centos 7.4. The DC's are
compiled from source using the 4.7.0 tarball but the member servers are using the
4.6.2-11 rpms supplied with Centos 7.4.

> So I don't have an exact solution, only one big piece of advice:
> if you upgrade, make sure your DB replication is in sync and you checked all AD DC DBs.

So are you saying this is a DC problem even though the errors only occur on a
member server?

Regards,

--
Tom [hidden email]


Re: Samba 4.6.2 member server errors

Samba - General mailing list
Hai,

I'll explain a bit.

> -----Original message-----
> From: [hidden email] [mailto:[hidden email]]
> Sent: Thursday 12 October 2017 19:15
> To: L.P.H. van Belle
> CC: [hidden email]
> Subject: Re: [Samba] Samba 4.6.2 member server errors
>
> Hi Louis,
>
> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
>
> > Hai,
> >
> > You googled with the wrong words, I think.
>
> I have no problem believing that. :-)
>
> > 1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
> > Based on your question, what I experienced and what I found with Google.
> >
> > https://support.oneidentity.com/authentication-services/kb/92515
> > Don't look at the product here, but it's an exact match on the error code.
> > They say the source of the problem is AD out of sync.
> >
> > And now I'm thinking, I also had such a problem due to an out-of-sync AD database.
> > Where/how the out of sync happened I never found out.
> > Can you check if your DCs are in sync?
> >
> > The other I found
> > https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
> > is a problem in the keytab files, and I did replace my keytab file, which solved 90% of my problem.
> > The 10% leftover problem, an NFS keytab caching related thing, only involved my user account, so low prio for me.
> > Here the solution is to replace all keytab files. I did only the member server.
> > And that verifies it to me.
>
> I appreciate the information but I am confused. The above articles talk about this
> being a krb5.keytab issue. This is confusing to me because the errors occur on a
> Samba AD member server not either of the DC's.
OK, I'm not a star at explaining in English.

Look at this picture. That shows how Kerberos tickets work.
https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )


Now look at this one
https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
That's the user/computer login.
And if I'm correct, your problem is the systemkey on the member,
due to, somehow, an out-of-sync password in AD and the member server.

>
> There is no keytab on the member servers.
OK, can you post your smb.conf?
Because without it, it is a guessing game at this point.

>
> I do not know if it matters but all of the machines are
> Centos 7.4. The DC's are
> compiled from source using the 4.7.0 tarball but the member
> servers are using the
> 4.6.2-11 rpms supplied with Centos 7.4.
>
> > So I don't have an exact solution, only one big piece of advice:
> > if you upgrade, make sure your DB replication is in sync and you checked all AD DC DBs.
>
> So are you saying this is a DC problem even though the errors
> only occur on a member server?

Yes, that is possible, but I cannot determine that yet.
And CentOS is not really my thing.
But there are multiple CentOS users on the list, so let's hope they are reading this also.


Re: Samba 4.6.2 member server errors

Samba - General mailing list
On Fri, 13 Oct 2017 11:45:43 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai,
>
> I'll explain a bit.
>
> > There is no keytab on the member servers.

Oh yes there is ;-)
You only need an explicit keytab if something else requires it e.g.
squid, Samba uses a keytab in memory.
 
> Ok, can you post your smb.conf
> Because without it is a guessing game as of this point.

It always helps if the smb.conf is posted.

Rowland
 


Re: Samba 4.6.2 member server errors

Samba - General mailing list
Hi,

On Fri, 13 Oct 2017, L.P.H. van Belle via samba wrote:

> Hai,
>
> I'll explain a bit.
>
>> -----Original message-----
>> From: [hidden email] [mailto:[hidden email]]
>> Sent: Thursday 12 October 2017 19:15
>> To: L.P.H. van Belle
>> CC: [hidden email]
>> Subject: Re: [Samba] Samba 4.6.2 member server errors
>>
>> Hi Louis,
>>
>> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
>>
>>> Hai,
>>>
>>> You googled with the wrong words, I think.
>>
>> I have no problem believing that. :-)
>>
>>> 1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
>>> Based on your question, what I experienced and what I found with Google.
>>>
>>> https://support.oneidentity.com/authentication-services/kb/92515
>>> Don't look at the product here, but it's an exact match on the error code.
>>> They say the source of the problem is AD out of sync.
>>>
>>> And now I'm thinking, I also had such a problem due to an out-of-sync AD database.
>>> Where/how the out of sync happened I never found out.
>>> Can you check if your DCs are in sync?
>>>
>>> The other I found
>>> https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
>>> is a problem in the keytab files, and I did replace my keytab file, which solved 90% of my problem.
>>> The 10% leftover problem, an NFS keytab caching related thing, only involved my user account, so low prio for me.
>>> Here the solution is to replace all keytab files. I did only the member server.
>>> And that verifies it to me.
>>
>> I appreciate the information but I am confused. The above articles talk about this
>> being a krb5.keytab issue. This is confusing to me because the errors occur on a
>> Samba AD member server not either of the DC's.
> OK, I'm not a star at explaining in English.

You do OK with English, I just do not understand Kerberos. :-)

> Look at this picture. That shows how Kerberos tickets work.
> https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
> ( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )
>
>
> Now look at this one
> https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
> That's the user/computer login.
> And if I'm correct, your problem is the systemkey on the member,
> due to, somehow, an out-of-sync password in AD and the member server.

You might be correct. I just noticed that the AD administrator's password had
expired. I went into AD and set it to never expire so I was able to
login again. I am wondering if that has anything to do with this problem?

If you are correct, how do I get the systemkey on the member server back
in sync with AD?

>> There is no keytab on the member servers.
> OK, can you post your smb.conf?
> Because without it, it is a guessing game at this point.

Sorry for not doing that from the beginning. Here it is:

[global]
     security = ADS
     workgroup = SAMDOM
     realm = SAMDOM.MYDOMAIN.com.COM

     winbind use default domain = yes
     winbind expand groups = 4
     winbind refresh tickets = Yes
     winbind offline logon = yes

     idmap config * : backend = tdb
     idmap config * : range = 3000-7999

     idmap config SAMDOM:backend = ad
     idmap config SAMDOM:schema_mode = rfc2307
     idmap config SAMDOM:unix_nss_info = yes
     idmap config SAMDOM:range = 10000-999999
     domain master = no
     local master = no
     preferred master = no
     os level = 20
     map to guest = bad user
     host msdfs = no
     username map = /etc/samba/user.map
     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes
     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes
     log file = /var/log/samba/%m.log
     log level = 2
     deadtime = 5

[accounting]
     comment = Accounting Share
     path = /home/samba/accounting
     readonly = no

There are other shares but they are all configured the same way as above.

Regards,

--
Tom [hidden email]



Re: Samba 4.6.2 member server errors

Samba - General mailing list
On Fri, 13 Oct 2017, Rowland Penny via samba wrote:

> On Fri, 13 Oct 2017 11:45:43 +0200
> "L.P.H. van Belle via samba" <[hidden email]> wrote:
>
>> Hai,
>>
>> I'll explain a bit.
>>
>>> There is no keytab on the member servers.
>
> Oh yes there is ;-)

Seems reasonable. :-)

> You only need an explicit keytab if something else requires it e.g.
> squid, Samba uses a keytab in memory.

OK, please educate me, how do I reset it?

I tried restarting everything and even re-joining the member server to
the domain. No joy. I am obviously missing something.

>
>> Ok, can you post your smb.conf
>> Because without it is a guessing game as of this point.
>
> It always helps if the smb.conf is posted.

I already sent it in reply to Louis's request. If you need it again
let me know.

Also in case it is useful below is what I have in /etc/krb5.conf:

[libdefaults]
     default_realm = SAMDOM.MYDOMAIN.COM
     dns_lookup_realm = false
     dns_lookup_kdc = true

The weird thing about all of this is everything is working. Other than
the log messages, the only thing not normal is that winbind is constantly
running which has the machine's load higher than normal.

Regards,

--
Tom [hidden email]


Re: Samba 4.6.2 member server errors

Samba - General mailing list
On Sat, 14 Oct 2017 05:33:31 -0400 (EDT)
[hidden email] wrote:

> On Fri, 13 Oct 2017, Rowland Penny via samba wrote:
>
> > On Fri, 13 Oct 2017 11:45:43 +0200
> > "L.P.H. van Belle via samba" <[hidden email]> wrote:
> >
> >> Hai,
> >>
> >> I'll explain a bit.
> >>
> >>> There is no keytab on the member servers.
> >
> > Oh yes there is ;-)
>
> Seems reasonable. :-)
>
> > You only need an explicit keytab if something else requires it e.g.
> > squid, Samba uses a keytab in memory.
>
> OK, please educate me, how do I reset it?
>
> I tried restarting everything and even re-joining the member server to
> the domain. No joy. I am obviously missing something.
>
> >
> >> Ok, can you post your smb.conf
> >> Because without it is a guessing game as of this point.
> >
> > It always helps if the smb.conf is posted.
>
> I already sent it in reply to Louis's request. If you need it again
> let me know.
>
> Also in case it is useful below is what I have in /etc/krb5.conf:
>
> [libdefaults]
>      default_realm = SAMDOM.MYDOMAIN.COM
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>
> The weird thing about all of this is everything is working. Other than
> the log messages, the only thing not normal is that winbind is
> constantly running which has the machine's load higher than normal.
>
> Regards,
>

There doesn't seem to be anything wrong with your smb.conf and if
everything is working okay and all that is worrying you is the log
messages, change 'log level = 2' to 'log level = 1'. The messages will
stop ;-)

Rowland


Re: Samba 4.6.2 member server errors

Samba - General mailing list
On Sat, 14 Oct 2017, Rowland Penny via samba wrote:

> On Sat, 14 Oct 2017 05:33:31 -0400 (EDT)
> [hidden email] wrote:
>
>> On Fri, 13 Oct 2017, Rowland Penny via samba wrote:
>>
>>> On Fri, 13 Oct 2017 11:45:43 +0200
>>> "L.P.H. van Belle via samba" <[hidden email]> wrote:
>>>
>>>> Hai,
>>>>
>>>> I'll explain a bit.
>>>>
>>>>> There is no keytab on the member servers.
>>>
>>> Oh yes there is ;-)
>>
>> Seems reasonable. :-)
>>
>>> You only need an explicit keytab if something else requires it e.g.
>>> squid, Samba uses a keytab in memory.
>>
>> OK, please educate me, how do I reset it?
>>
>> I tried restarting everything and even re-joining the member server to
>> the domain. No joy. I am obviously missing something.
>>
>>>
>>>> Ok, can you post your smb.conf
>>>> Because without it is a guessing game as of this point.
>>>
>>> It always helps if the smb.conf is posted.
>>
>> I already sent it in reply to Louis's request. If you need it again
>> let me know.
>>
>> Also in case it is useful below is what I have in /etc/krb5.conf:
>>
>> [libdefaults]
>>      default_realm = SAMDOM.MYDOMAIN.COM
>>      dns_lookup_realm = false
>>      dns_lookup_kdc = true
>>
>> The weird thing about all of this is everything is working. Other than
>> the log messages, the only thing not normal is that winbind is
>> constantly running which has the machine's load higher than normal.
>>
>> Regards,
>>
>
> There doesn't seem to be anything wrong with your smb.conf and if
> everything is working okay and all that is worrying you is the log
> messages, change 'log level = 2' to 'log level = 1'. The messages will
> stop ;-)

Yes I understand, however, there are 2 things I am concerned about.

When the errors are spewing, winbind never goes to sleep and the load on the
server runs somewhere between 6-8 constantly (as shown by top.). Even when
there is no one in the office and hence no files being served I still see the
high load.

When the errors stop (This happens intermittently) winbind will sleep and the
load settles down to < 1.

The other thing that concerns me is that I am wondering if this is an
indication that something more serious is about to break. It is one thing
for me to see things in the background and entirely something else for it
to impact the users. :-)

Suggestions?

Regards,

--
Tom [hidden email]


Re: Samba 4.6.2 member server errors

Samba - General mailing list
On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
[hidden email] wrote:

> Yes I understand, however, there are 2 things I am concerned about.
>
> When the errors are spewing, winbind never goes to sleep and the load
> on the server runs somewhere between 6-8 constantly (as shown by
> top.). Even when there is no one in the office and hence no files
> being served I still see the high load.
>
> When the errors stop (This happens intermittently) winbind will sleep
> and the load settles down to < 1.
>
> The other thing that concerns me is that I am wondering if this is an
> indication that something more serious is about to break. It is one
> thing for me to see things in the background and entirely something
> else for it to impact the users. :-)
>
> Suggestions?
>
> Regards,
>

If nothing is connecting, then winbind shouldn't be doing much, so if
it is, you need to find out why.

Try running 'samba-tool dbcheck' on the DCs
Check replication between the DCs
Check the Samba logs on the DCs, is there anything relevant showing at
the time that winbind is overloading on the domain member
Raise the log levels on the DCs and domain members and see if anything
pops out.

One thing I noticed when I looked at your smb.conf again was this:

realm = SAMDOM.MYDOMAIN.com.COM

I take it this was just a typo when you sanitised it.

If this is only happening on one domain member, try comparing the
various files on one with the other (/etc/hosts, /etc/krb5.conf and so
on).

Rowland
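
Added example (not part of the thread and not Samba's own code): one way to act on the advice above, checking what the DC logs show at the time winbind is busy, is to reduce the member's log to the time windows in which check_pac_checksum failed and to decode the krb5 error number. The 60-second burst gap is an assumption, and every record in SAMPLE_LOG after the first three (which come from the original post) is constructed.

```python
"""Reduce a Samba log to bursts of PAC verification failures."""
import re
from datetime import datetime, timedelta

# Base of MIT krb5's "krb5" com_err table: logged code = base + offset.
KRB5_TABLE_BASE = -1765328384
KRB5_OFFSETS = {
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",  # "Decrypt integrity check failed"
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
    44: "KRB5KRB_AP_ERR_BADKEYVER",
}

# Matches both header styles seen in the thread: the short one from the first
# post and the long one (pid=, effective(), class=) from the level-10 excerpt.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)"
    r"(?:,[^\]]*)?\]\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
PAC_FAIL = re.compile(r"PAC Verification failed: (?P<reason>.+?) \((?P<code>-?\d+)\)")

# Constructed sample: the first three records are from the original post,
# everything after them is made up for this example.
SAMPLE_LOG = """\
[2017/10/12 00:53:52.351095,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:54.588468,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:54:10.000000,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam user1
[2017/10/12 01:20:10.120000,  2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 01:20:11.480000,  2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
"""


def parse_records(text):
    """Join each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({
                "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m["level"]),
                "func": m["func"],
                "message": "",
            })
        elif records and raw.strip():
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + raw.strip()).strip()
    return records


def decode_krb5(code):
    """Map a logged krb5 error number to its symbolic name where known."""
    offset = code - KRB5_TABLE_BASE
    if not 0 <= offset < 256:
        return "not a krb5 com_err code"
    return KRB5_OFFSETS.get(offset, f"krb5 table offset {offset}")


def pac_failures(records):
    """Return (time, reason, code) for every failed PAC checksum check."""
    out = []
    for rec in records:
        m = PAC_FAIL.search(rec["message"])
        if rec["func"] == "check_pac_checksum" and m:
            out.append((rec["time"], m["reason"], int(m["code"])))
    return out


def bursts(times, max_gap=timedelta(seconds=60)):
    """Group timestamps into (start, end, count) runs separated by > max_gap."""
    groups = []
    for t in sorted(times):
        if groups and t - groups[-1][1] <= max_gap:
            start, _, n = groups[-1]
            groups[-1] = (start, t, n + 1)
        else:
            groups.append((t, t, 1))
    return groups


def summarise(text):
    fails = pac_failures(parse_records(text))
    return {
        "total": len(fails),
        "codes": sorted({decode_krb5(code) for _, _, code in fails}),
        "bursts": [(s.strftime("%H:%M:%S"), e.strftime("%H:%M:%S"), n)
                   for s, e, n in bursts(t for t, _, _ in fails)],
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{report['total']} PAC verification failures: {', '.join(report['codes'])}")
    for start, end, count in report["bursts"]:
        print(f"  {start} - {end}: {count} failures")
```

The burst windows are the times to look up in the DC logs and to compare against the member server's load.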



Re: Samba 4.6.2 member server errors

Samba - General mailing list
On Sun, 15 Oct 2017, Rowland Penny via samba wrote:

> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> [hidden email] wrote:
>
>> Yes I understand, however, there are 2 things I am concerned about.
>>
>> When the errors are spewing, winbind never goes to sleep and the load
>> on the server runs somewhere between 6-8 constantly (as shown by
>> top.). Even when there is no one in the office and hence no files
>> being served I still see the high load.
>>
>> When the errors stop (This happens intermittently) winbind will sleep
>> and the load settles down to < 1.
>>
>> The other thing that concerns me is that I am wondering if this is an
>> indication that something more serious is about to break. It is one
>> thing for me to see things in the background and entirely something
>> else for it to impact the users. :-)
>>
>> Suggestions?
>>
>> Regards,
>>
>
> If nothing is connecting, then winbind shouldn't be doing much, so if
> it is, you need to find out why.
>
> Try running 'samba-tool dbcheck' on the DCs

dbcheck has the following output:

(vdc2 pts2) # samba-tool dbcheck
Checking 490 objects
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=User\0ADEL:5f387be0-63de-4486-b22a-bfff6bc2cbcb,CN=Deleted Objects,DC=samdom,DC=mydomain,DC=com - <GUID=bf3dbdad-516d-4ebc-beb9-2b9e3a1fa02b>;CN={A492ADAB-B0BE-4038-B6C7-B831D0C77359},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=Machine\0ADEL:bc407cd8-3035-4a40-8171-f91616bd798f,CN=Deleted Objects,DC=samdom,DC=mydomain,DC=com - <GUID=bf3dbdad-516d-4ebc-beb9-2b9e3a1fa02b>;CN={A492ADAB-B0BE-4038-B6C7-B831D0C77359},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=User\0ADEL:49f21be1-fe11-44fc-b483-28e06112084e,CN=Deleted Objects,DC=samdom,DC=mydomain,DC=com - <GUID=ab72e6be-b24a-4945-808c-1e1a366a1332>;CN={C8B52BEA-44ED-4A17-9B2D-0DAD8858286B},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=Machine\0ADEL:772380e7-e1e5-4614-81c2-ba7a40efa27e,CN=Deleted Objects,DC=samdom,DC=mydomain,DC=com - <GUID=ab72e6be-b24a-4945-808c-1e1a366a1332>;CN={C8B52BEA-44ED-4A17-9B2D-0DAD8858286B},CN=Policies,CN=System,DC=samdom,DC=mydomain,DC=com
Not fixing old string component
Checked 490 objects (0 errors)

Both dc's have the same output. The above says 0 errors but I am not sure if the
above is relevant to this discussion or not.


> Check replication between the DCs

sysvol replication seems to be working. Is there something else I need to check?

> Check the Samba logs on the DCs, is there anything relevant showing at
> the time that winbind is overloading on the domain member

No, but I have not looked with logging turned up.

> Raise the log levels on the DCs and domain members and see if anything
> pops out.

At the moment winbind is quiet. I will turn logging up on the dc's and the
file servers and see what pops up.

What is a good log level for troubleshooting something like this?

>
> One thing I noticed when I looked at your smb.conf again was this:
>
> realm = SAMDOM.MYDOMAIN.com.COM
>
> I take it this was just a typo when you sanitized it.

Yep!! You made me look to be sure though. :-)

> If this is only happening on one domain member, try comparing the
> various files on one with the other (/etc/hosts, /etc/krb5.conf and so
> on).

They are identical modulo things like host names, etc. I use ansible to manage
them and set variables where appropriate.

Regards,

--
Tom [hidden email]


Re: Samba 4.6.2 member server errors

Samba - General mailing list
Hi Rowland,


On Sun, 15 Oct 2017, Rowland Penny via samba wrote:

> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> [hidden email] wrote:
>
>> Yes I understand, however, there are 2 things I am concerned about.
>>
>> When the errors are spewing, winbind never goes to sleep and the load
>> on the server runs somewhere between 6-8 constantly (as shown by
>> top.). Even when there is no one in the office and hence no files
>> being served I still see the high load.
>>
>> When the errors stop (This happens intermittently) winbind will sleep
>> and the load settles down to < 1.
>>
>> The other thing that concerns me is that I am wondering if this is an
>> indication that something more serious is about to break. It is one
>> thing for me to see things in the background and entirely something
>> else for it to impact the users. :-)
>>
>> Suggestions?
>>
>> Regards,
>>
>
> If nothing is connecting, then winbind shouldn't be doing much, so if
> it is, you need to find out why.
>
> Check the Samba logs on the DCs, is there anything relevant showing at
> the time that winbind is overloading on the domain member
> Raise the log levels on the DCs and domain members and see if anything
> pops out.

I ran the logging up to level 10 on the DC's and the file server.
The DC's do not show anything significant, at least not that I can tell.
There is so much info there I might be missing something.

On the file server I see the following at level 10:

[2017/10/16 10:11:21.392833,  6, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
   accepted socket 44
[2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
   process_request: Handling async request 58214:GETPWNAM
[2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam kmg\mb-shop9-17$
[2017/10/16 10:11:21.392868,  1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
        wbint_LookupName: struct wbint_LookupName
           in: struct wbint_LookupName
               domain                   : *
                   domain                   : 'KMG'
               name                     : *
                   name                     : 'MB-SHOP9-17$'
               flags                    : 0x00000008 (8)
[2017/10/16 10:11:21.392899,  1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
        wbint_LookupName: struct wbint_LookupName
           out: struct wbint_LookupName
               type                     : *
                   type                     : SID_NAME_USER (1)
               sid                      : *
                   sid                      : S-1-5-21-3052942767-4183929206-737583365-1617
               result                   : NT_STATUS_OK
[2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
   SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
[2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
   Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: value=[-1:N]
[2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
   Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: id=[4294967295], endptr=[:N]
[2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
   Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
   wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
   process_request: Handling async request 58217:PAM_AUTH_CRAP
[2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912865,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912935,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912976,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913011,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913047,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913079,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/16 10:11:21.913139,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Decrypt integrity check failed
[2017/10/16 10:11:21.913203,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913243,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913281,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913316,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913353,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913392,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913431,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
   PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
   Found account name from PAC: MB-RECEPTION-17$ []

I do not know if it is important or not but these machines were just joined
to the domain within the last week or so.

I see many of these for different machines.

Please let me know what you think.

Regards,


--
Tom [hidden email]
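
A way to triage a log like the excerpt above, as an added example that is not part of the original post: it parses Samba debug records (header line plus indented message) and counts, per machine account, the PAC service-signature failures logged before each "Found account name from PAC" line. The sample log is constructed, the host names WS-ALPHA$ and WS-BETA$ are made up, and tying failures to the next account named by the same pid is an assumption based on the ordering seen in the excerpt.

```python
import re
from collections import Counter, defaultdict

# A record starts with "[timestamp, level(, pid=N, ...)] source.c:line(function)";
# the indented lines that follow are its message.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(?P<level>\d+)"
    r"(?:,\s*pid=(?P<pid>\d+))?[^\]]*\]\s+\S+?:\d+\((?P<func>\w+)\)\s*$"
)
SIG_FAIL = re.compile(r"PAC Decode: Failed to verify the service signature: (.+)$")
ACCOUNT = re.compile(r"Found account name from PAC: (\S+)")
INVALID = "PAC Decode: Failed to verify the service signature: Invalid argument"
DECRYPT = ("PAC Decode: Failed to verify the service signature: "
           "Decrypt integrity check failed")


def parse_records(text):
    """Split a winbind log into records: dicts with ts, level, pid, func, msg."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["msg"] = ""
            records.append(rec)
        elif records and line.strip():
            # Continuation line: append to the message of the current record.
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records


def summarise(records):
    """Return ({account: {"auths": n, "failures": Counter}}, unattributed Counter)."""
    per_account = defaultdict(lambda: {"auths": 0, "failures": Counter()})
    pending = defaultdict(Counter)  # pid -> failures not yet tied to an account
    for rec in records:
        if rec["func"] != "kerberos_decode_pac":
            continue
        fail = SIG_FAIL.search(rec["msg"])
        acct = ACCOUNT.search(rec["msg"])
        if fail:
            pending[rec["pid"]][fail.group(1)] += 1
        elif acct:
            # Assumption: failures logged by this pid belong to this account.
            entry = per_account[acct.group(1)]
            entry["auths"] += 1
            entry["failures"] += pending.pop(rec["pid"], Counter())
    unattributed = sum(pending.values(), Counter())
    return dict(per_account), unattributed


def _record(ts, level, func, msg, pid=1440):
    """Format one constructed record the way winbind writes it at level 10."""
    return (f"[2017/10/16 10:11:{ts}, {level:2d}, pid={pid}, effective(0, 0), "
            f"real(0, 0)] ../auth/kerberos/kerberos_pac.c:347({func})\n   {msg}\n")


def build_sample():
    """Constructed log in the thread's format; the host names are made up."""
    msgs = ([INVALID] * 3 + [DECRYPT, "Found account name from PAC: WS-ALPHA$ []"]
            + [INVALID] * 2 + ["Found account name from PAC: WS-BETA$ []"]
            + [INVALID, "Found account name from PAC: WS-ALPHA$ []", INVALID])
    return "".join(_record(f"21.{900000 + i}", 3 if "Found" in m else 5,
                           "kerberos_decode_pac", m) for i, m in enumerate(msgs))


if __name__ == "__main__":
    by_account, loose = summarise(parse_records(build_sample()))
    for account, entry in sorted(by_account.items()):
        print(account, entry["auths"], dict(entry["failures"]))
    print("unattributed:", dict(loose))
```

Sorting the per-account result by failure count shows whether the errors cluster on a few machine accounts or are spread across all of them.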


Re: Samba 4.6.2 member server errors

Samba - General mailing list
Hi Tom,

Small update.

I am also still looking into this but I'm not getting much further..
I am just reading:
https://blogs.msdn.microsoft.com/openspecification/2009/12/31/verifying-the-server-signature-in-kerberos-privilege-account-certificate/ 
Bit older, but I'm trying to understand more of what happens here.

And the only "guess" I can make here is:
A Kerberos ticket with the wrong encryption type tried to validate.
Based on that, but again, this is what I would try.

For all servers in krb5.conf.  (* do you have any XP/W2003 or older in your LAN? )
; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Or at least make sure they are the same.
Run net cache flush on all servers and reboot them.

If a wrong verification is somewhere in cache or memory, then this could help.

Now,

> I do not know if it is important or not but these machines
> were just joined to the domain within the last week or so.
Yes, very important, because .. What's the default time for a Kerberos ticket?
The default value for a TGT (also referred to as a user ticket) is 7 days, ...

And a computer is a user..  
So we are imo getting in the right direction.

.... Still reading things here

Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Tom Diehl via samba
> Sent: Monday 16 October 2017 16:41
> To: Rowland Penny
> CC: [hidden email]
> Subject: Re: [Samba] Samba 4.6.2 member server errors
>
> Hi Rowland,
>
>
> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
>
> > On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> > [hidden email] wrote:
> >
> >> Yes I understand, however, there are 2 things I am concerned about.
> >>
> >> When the errors are spewing, winbind never goes to sleep and the load
> >> on the server runs somewhere between 6-8 constantly (as shown by
> >> top.). Even when there is no one in the office and hence no files
> >> being served I still see the high load.
> >>
> >> When the errors stop (This happens intermittently) winbind will sleep
> >> and the load settles down to < 1.
> >>
> >> The other thing that concerns me is that I am wondering if this is an
> >> indication that something more serious is about to break. It is one
> >> thing for me to see things in the background and entirely something
> >> else for it to impact the users. :-)
> >>
> >> Suggestions?
> >>
> >> Regards,
> >>
> >
> > If nothing is connecting, then winbind shouldn't be doing much, so if
> > it is, you need to find out why.
> >
> > Check the Samba logs on the DCs, is there anything relevant showing at
> > the time that winbind is overloading on the domain member
> > Raise the log levels on the DCs and domain members and see if anything
> > pops out.
>
> I ran the logging up to level 10 on the DC's and the file server.
> The DC's do not show anything significant, at least not that I can tell.
> There is so much info there I might be missing something.
>
> On the file server I see the following at level 10:
>
> I do not know if it is important or not but these machines were just joined
> to the domain within the last week or so.
>
> I see many of these for different machines.
>
> Please let me know what you think.
>
> Regards,
>
>
> --
> Tom [hidden email]
>
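
The "make sure they are the same" check from the message above, as an added example that is not part of the original post: it reads the three enctype settings from the [libdefaults] section of each server's krb5.conf and reports the ones that differ. Lines beginning with ';' or '#' are comments in krb5.conf, so settings left in that form are not in effect and are reported as unset. The host names and file contents are constructed.

```python
import re

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Value copied from the message above; des-cbc-crc and des-cbc-md5 are
# single-DES types.
ENCTYPES = "aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"


def libdefaults_enctypes(conf_text):
    """Return {setting: tuple of enctypes} for the active [libdefaults] lines."""
    section, active = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment: not in effect
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                # Order is kept: the list is a preference order.
                active[key] = tuple(re.split(r"[,\s]+", value))
    return active


def compare_hosts(confs):
    """confs maps host -> krb5.conf text; return only the settings that differ."""
    parsed = {host: libdefaults_enctypes(text) for host, text in confs.items()}
    differing = {}
    for key in ENCTYPE_KEYS:
        per_host = {host: settings.get(key) for host, settings in parsed.items()}
        if len(set(per_host.values())) > 1:
            differing[key] = per_host
    return differing


# Constructed krb5.conf contents for three made-up hosts.
SAMPLE = {
    # dc1: all three settings active
    "dc1": "[libdefaults]\n"
           + "".join(f"    {k} = {ENCTYPES}\n" for k in ENCTYPE_KEYS),
    # member1: the same lines still prefixed with ';', so none is active
    "member1": "[libdefaults]\n"
               + "".join(f";    {k} = {ENCTYPES}\n" for k in ENCTYPE_KEYS),
    # member2: only permitted_enctypes set, shorter and in a different order
    "member2": "[libdefaults]\n    default_realm = EXAMPLE.TEST\n"
               "    permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96\n",
}

if __name__ == "__main__":
    for setting, per_host in compare_hosts(SAMPLE).items():
        print(setting)
        for host, value in per_host.items():
            print("   ", host, "->", " ".join(value) if value else "(unset)")
```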



Re: Samba 4.6.2 member server errors

Samba - General mailing list
On Mon, 16 Oct 2017 10:40:44 -0400 (EDT)
[hidden email] wrote:

> Hi Rowland,
>
>
> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
>
> > On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
> > [hidden email] wrote:
> >
> >> Yes I understand, however, there are 2 things I am concerned about.
> >>
> >> When the errors are spewing, winbind never goes to sleep and the
> >> load on the server runs somewhere between 6-8 constantly (as shown
> >> by top.). Even when there is no one in the office and hence no
> >> files being served I still see the high load.
> >>
> >> When the errors stop (This happens intermittently) winbind will
> >> sleep and the load settles down to < 1.
> >>
> >> The other thing that concerns me is that I am wondering if this is
> >> an indication that something more serious is about to break. It is
> >> one thing for me to see things in the background and entirely
> >> something else for it to impact the users. :-)
> >>
> >> Suggestions?
> >>
> >> Regards,
> >>
> >
> > If nothing is connecting, then winbind shouldn't be doing much, so
> > if it is, you need to find out why.
> >
> > Check the Samba logs on the DCs, is there anything relevant showing
> > at the time that winbind is overloading on the domain member
> > Raise the log levels on the DCs and domain members and see if
> > anything pops out.
>
> I ran the logging up to level 10 on the DC's and the file server.
> The DC's do not show anything significant, at least not that I can
> tell. There is so much info there I might be missing something.
>
> On the file server I see the following at level 10:
>
> I do not know if it is important or not but these machines were just
> joined to the domain within the last week or so.
>
> I see many of these for different machines.
>
> Please let me know what you think.
>
> Regards,
>
>

It seems to be treating computers as users (I could be barking up the
wrong tree here), can you post the contents of /etc/hosts, /etc/hostname,
/etc/resolv.conf and /etc/nsswitch.conf from the domain member?

Rowland
