L.P.H. van Belle
2016-Oct-19 07:02 UTC
[Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
Hai,

I had some users today that couldn't login.
Windows stopped at the “Welcome” screen.

Now, I checked the logs and I noticed a change in winbind.
I noticed 2 log files with an increase of 1000% in size: log.winbindd-idmap and log.wb-NTDOM

Before ( samba 4.4.5 ) log.winbindd-idmap

[2016/09/30 11:32:37.040567, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/09/30 11:33:17.967227, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/05 16:18:58.799428, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/12 13:31:55.689930, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/18 15:35:41.931491, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/19 01:39:57.249786, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The caontext has expired: Success]

( the last line was and restart of winbind.)

After ( 4.4.6 ) log.winbindd-idmap

[2016/10/18 15:35:41.931491, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/19 01:39:57.249786, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:39:57.255431, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 01:44:56.909360, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]

Before ( samba 4.4.5 ) log.wb-NTDOM

  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/12 13:31:55.689792, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/12 13:32:05.276839, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/13 00:32:19.370114, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/18 15:35:41.931396, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/18 15:35:54.299672, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/19 01:36:08.441464, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]

After ( 4.4.6 ) log.wb-NTDOM

[2016/10/19 01:36:08.441464, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.446288, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 01:36:08.510460, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.510540, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 01:36:39.285046, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:39.285142, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

Fix was very simple.

Turned off the pc.
Restarted winbind on this server and these users could login again.
I did not update my DC’s, since I’ve seen more about this on the mailing list.

The server in question is a samba member server, and this server contains the profiles and users home folders.
Debian Jessie, samba/winbind 4.4.6

The strange thing here.
About 60 users logged in ok and 3 not.
This is the first time this happened since I'm running 4.2 and up.
So I'm very sure this is a bug.

Anyone, is this a known bug
and if so any patch I can test?
Or anything I can do else to help debug this if there is no patch?

Greetz,

Louis
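A log check for the signature reported in the message above, as an added example that is not part of the original post or of Samba: it parses winbind debug records and pairs each "context has expired" GSSAPI failure with the ads_sasl_spnego_bind failure that follows it. The sample records are copied from the excerpts in the post; the function names and the one-second pairing window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Header of a Samba debug record, e.g.
# "[2016/10/19 01:36:08.441464, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$"
)

# (logging function, text in the message) for the three record kinds in the post.
EXPIRED = ("gse_get_client_auth_token", "context has expired")
BIND_FAILED = ("ads_sasl_spnego_bind", "kinit succeeded but")
SIGTERM = ("winbindd_sig_term_handler", "Got sig[15]")


def parse_records(text):
    """Group a log into records: one header line plus the message lines after it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({
                "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
                "func": m.group("func"),
                "msg": "",
            })
        elif line and records:
            # Continuation line: belongs to the most recent header.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def _is(rec, signature):
    func, needle = signature
    return rec["func"] == func and needle in rec["msg"]


def summarize(text, window=timedelta(seconds=1)):
    """Count expiries, restarts, and expiry-then-failed-bind pairs within `window`."""
    records = parse_records(text)
    pairs, pending = [], None
    for rec in records:
        if _is(rec, EXPIRED):
            pending = rec
        elif _is(rec, BIND_FAILED):
            if pending and rec["time"] - pending["time"] <= window:
                pairs.append((pending["time"], rec["time"]))
            pending = None
    return {
        "expired": sum(_is(r, EXPIRED) for r in records),
        "restarts": sum(_is(r, SIGTERM) for r in records),
        "bind_failures": len(pairs),
        "first": pairs[0][0] if pairs else None,
        "last": pairs[-1][1] if pairs else None,
    }


# Sample input: records copied from the 4.4.5 and 4.4.6 log.wb-NTDOM excerpts.
BEFORE_445 = """\
[2016/10/12 13:31:55.689792, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2016/10/13 00:32:19.370114, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/18 15:35:41.931396, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
"""

AFTER_446 = """\
[2016/10/19 01:36:08.441464, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.446288, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 01:36:08.510460, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:08.510540, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/10/19 01:36:39.285046, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ The context has expired: Success]
[2016/10/19 01:36:39.285142, 0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
"""

if __name__ == "__main__":
    for name, log in (("4.4.5", BEFORE_445), ("4.4.6", AFTER_446)):
        print(name, summarize(log))
```

Run against a real log by passing the file's contents to `summarize()`; a non-zero `bind_failures` count is the pattern the post shows only in the 4.4.6 logs.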
L.P.H. van Belle
2016-Oct-19 07:23 UTC
[Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
I review a few other servers, all 4.4.5 works fine.
The few I test now with 4.4.6 all the same errors in the logs.

The smb.conf of this setup.
P.S.
This server is accessed only by windows clients so this is why all the shares have : acl_xattr:ignore system acl = yes

[global]
    workgroup = NTDOM
    security = ADS
    realm = INTERNAL.DOMAIN.TLD
    netbios name = MEMBER1

    # Prio member server1. LVL-1/4 (user homes and profiles)
    # set master browser for the network.
    # preferred + domain master = guarantee master browser ( man smb.conf )
    preferred master = yes
    domain master = yes
    host msdfs = no

    interfaces = 192.168.0.1 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    server signing = mandatory
    ntlm auth = no

    # Add and Update TLS Key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/keyfile.key.pem
    tls certfile = /etc/ssl/local/certs/certfile.cert.pem
    tls cafile = /etc/ssl/certs/company-ca.pem

    ## map id's outside to domain to tdb files.
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999

    ## map ids from the domain the range may not overlap !
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Use home directory and shell information from AD
    winbind nss info = rfc2307

    winbind trusted domains only = no
    winbind use default domain = yes

    # Global, defaults No.
    # show users with id/getent
    winbind enum users = yes
    winbind enum groups = yes

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups,
    # ! slows down your samba, if too much groups depth ( min 4 )
    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershares creating, when set empty no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # For Windows ACL support on member file server, enabled globally, OBLIGATED
    # For a mixed setup of rights, put this per share!
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Share Setting Globally
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

######## SHARE DEFINITIONS ################
[profiles]
    # windows profiles
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

[users]
    # Users homes
    browseable = yes
    path = /home/samba/users
    read only = no
    acl_xattr:ignore system acl = yes

[public]
    # Distribution share
    browseable = yes
    path = /home/samba/public
    read only = no
    acl_xattr:ignore system acl = yes
L.P.H. van Belle
2016-Oct-19 11:19 UTC
[Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
Fixed by reverting to 4.4.5.
If you have to do this also, make sure ALL samba related packages are downgraded.
(tevent talloc ldb tdb samba winbind etc.. )

Greetz,

Louis
MORILLO Jordi
2016-Oct-20 06:53 UTC
[Samba] auth problems with samba 4.4.6 (winbind) *(suspected bug)
Yes I have also the same bug: https://bugzilla.samba.org/show_bug.cgi?id=12369

I downgrade to 4.4.5