Bharath Bheemarasetti
2023-Jun-03 07:39 UTC
[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
> A couple of things possible, from 4.8.0 winbind must be running and your
> smb.conf is, to be blunt, rubbish. You need to set the workgroup, you
> need to have idmap config lines for the workgroup, the 'winbind enum'
> lines only slow things down and 'map untrusted to domain' has been removed.

Winbind is running and the workgroup was set as well. I omitted some lines from the smb.conf shared previously as I wasn't sure if they were relevant or not. I've added the full content below. Also share is being accessed by a windows client which is part of the domain and it does work fine for a few hours after restarting the smbd and winbind services. Does 'winbind enum' have any relation to that?

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#WINBINDENUMUSERS mentions turning off 'winbind enum' can cause some problems

*Configuration:*

netbios name = clustF994DF
realm = <domain>

bind interfaces only = yes
interfaces = 127.0.0.138 lo:138

workgroup = <workgroup>
security = ads
server role = member server

auth methods = winbind

idmap config * : backend = tdb
idmap config * : range = 10000-24999999

winbind enum users = yes
winbind enum groups = yes
usershare allow guests = no

map untrusted to domain = Yes
allow trusted domains = no
server string = %h
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
smb ports = 1445
pid directory = /var/run/samba

server min protocol = SMB2
strict sync = yes
sync always = no

smb encrypt = auto

aio read size = 1
aio write size = 1

smb2 max read = 1048576
smb2 max write = 1048576
smb2 max trans = 1048576

socket options = TCP_NODELAY SO_RCVBUF=10485760 SO_SNDBUF=10485760

usershare owner only = no

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

machine password timeout = 0

nt acl support = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

log level = 5
max log size = 1000

*Share configuration:*

path = <path>
guest ok = no
writeable = no
browseable = no
valid users = "<domain>\<user>","+<domain>\<user group>"
force user = root

On Fri, Jun 2, 2023 at 3:21 AM Bharath Bheemarasetti <bharath.bheemarasetti at gmail.com> wrote:

> Hi,
> I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
> Post the upgrade, winbind authentication fails
> with NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
> restarting the smb service but comes back after some time. There were no
> issues with the setup before the upgrade.
> Tried clearing the cached tdb files as well but the issue still comes back
> after some time.
> <trimmed the log lines>
>
> Below is the configuration:
> security = ads
> server role = member server
> auth methods = winbind
> idmap config * : backend = tdb
> idmap config * : range = 10000-24999999
> winbind enum users = yes
> winbind enum groups = yes
> usershare allow guests = no
> map untrusted to domain = Yes
> allow trusted domains = no
Rowland Penny
2023-Jun-03 08:43 UTC
[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
On 03/06/2023 08:39, Bharath Bheemarasetti via samba wrote:
>
> Winbind is running and the workgroup was set as well. I omitted some
> lines from the smb.conf shared previously as I wasn't sure if they
> were relevant or not.

Can I ask that if anyone is going to post their smb.conf, they post it in its entirety, fragments are useless.

> I've added the full content below. Also share is
> being accessed by a windows client which is part of the domain and it
> does work fine for a few hours after restarting the smbd and winbind
> services. Does 'winbind enum' have any relation to that?

First 'winbind enum' lines, they can and do slow things down in large domains and aren't required at all, getent etc will work without them. There are some old programs that will not work without them, but when was the last time you ran 'finger' for instance?

From your smb.conf below, it looks like you are putting everything into the default '*' domain, because you haven't got any 'idmap config' lines for the 'workgroup' domain. Have you read the wiki pages I pointed you to?

You might also want to read the smb.conf manpage, you have lots of lines that I would never set.

You also have 'smb ports = 1445'. Is this a typo?

Rowland

>
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#WINBINDENUMUSERS
> mentions turning off 'winbind enum' can cause some problems
>
> *Configuration:*
>
> netbios name = clustF994DF
> realm = <domain>
>
> bind interfaces only = yes
> interfaces = 127.0.0.138 lo:138
>
> workgroup = <workgroup>
> security = ads
> server role = member server
>
> auth methods = winbind
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-24999999
>
> winbind enum users = yes
> winbind enum groups = yes
> usershare allow guests = no
>
> map untrusted to domain = Yes
> allow trusted domains = no
> server string = %h
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> smb ports = 1445
> pid directory = /var/run/samba
>
> server min protocol = SMB2
> strict sync = yes
> sync always = no
>
> smb encrypt = auto
>
> aio read size = 1
> aio write size = 1
>
> smb2 max read = 1048576
> smb2 max write = 1048576
> smb2 max trans = 1048576
>
> socket options = TCP_NODELAY SO_RCVBUF=10485760 SO_SNDBUF=10485760
>
> usershare owner only = no
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> machine password timeout = 0
>
> nt acl support = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> log level = 5
> max log size = 1000
>
> *Share configuration:*
>
> path = <path>
> guest ok = no
> writeable = no
> browseable = no
> valid users = "<domain>\<user>","+<domain>\<user group>"
> force user = root
>
> On Fri, Jun 2, 2023 at 3:21 AM Bharath Bheemarasetti <
> bharath.bheemarasetti at gmail.com> wrote:
>
>> Hi,
>> I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
>> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
>> Post the upgrade, winbind authentication fails
>> with NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
>> restarting the smb service but comes back after some time. There were no
>> issues with the setup before the upgrade.
>> Tried clearing the cached tdb files as well but the issue still comes back
>> after some time.
>> <trimmed the log lines>
>>
>> Below is the configuration:
>> security = ads
>> server role = member server
>> auth methods = winbind
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-24999999
>> winbind enum users = yes
>> winbind enum groups = yes
>> usershare allow guests = no
>> map untrusted to domain = Yes
>> allow trusted domains = no
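The configuration points raised in the reply above (no 'idmap config' lines for the workgroup domain, the removed 'map untrusted to domain', the unneeded 'winbind enum' lines), written as a small smb.conf checker. This is an added example, not code from the thread or from Samba; the workgroup name EXAMPLE, the rid backend and the ranges in REVISED are constructed, and the range-overlap check goes beyond the thread (Samba's documentation requires idmap ranges not to overlap).

```python
import re
# Constructed input: relevant [global] lines from the posted smb.conf, with EXAMPLE as the workgroup.
POSTED = """[global]
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 10000-24999999
winbind enum users = yes
winbind enum groups = yes
map untrusted to domain = Yes
"""
# Constructed counterpart; the rid backend and both ranges are illustrative, not from the thread.
REVISED = """[global]
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
"""

def parse_global(text):
    """Return [global] parameters, names lower-cased with whitespace removed."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def lint(text):
    """Return a list of findings for the points raised in the thread."""
    p, out = parse_global(text), []
    wg = p.get("workgroup", "").lower()
    for opt in ("backend", "range"):
        if f"idmapconfig{wg}:{opt}" not in p:
            out.append(f"missing idmap config {wg.upper()} : {opt}")
    def rng(dom):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", p.get(f"idmapconfig{dom}:range", ""))
        return (int(m[1]), int(m[2])) if m else None
    d, w = rng("*"), rng(wg)
    if d and w and d[0] <= w[1] and w[0] <= d[1]:
        out.append("'*' range overlaps the workgroup range")
    if "mapuntrustedtodomain" in p:
        out.append("map untrusted to domain: removed parameter")
    for name in ("winbind enum users", "winbind enum groups"):
        if p.get(name.replace(" ", ""), "no").lower() in ("yes", "true", "1"):
            out.append(f"{name}: not required, slows large domains")
    return out
```

`lint(POSTED)` reports five findings and `lint(REVISED)` reports none.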
Bharath Bheemarasetti
2023-Jun-16 07:56 UTC
[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
> First 'winbind enum' lines, they can and do slow things down in large
> domains and aren't required at all, getent etc will work without them.
> There are some old programs that will not work without them, but when was
> the last time you ran 'finger' for instance?

I made this change and it makes some difference but doesn't fix the issue entirely. Earlier the auth calls used to fail in around a day which has increased to 2 days now after which the auth calls fail with NT_STATUS_RPC_SEC_PKG_ERROR and winbind needs to be restarted for it to work. We use NTLMv2 for authentication and using the ntlm_auth tool (https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html) returns the same NT_STATUS_RPC_SEC_PKG_ERROR error as well while wbinfo -i returns the correct user info. Is there anything else that can be done to fix this permanently?

> You might also want to read the smb.conf manpage, you have lots of lines
> that I would never set.

Thanks, I removed some lines which are not used anymore and will be cleaning up others shortly.

On Sat, Jun 3, 2023 at 1:09 PM Bharath Bheemarasetti <bharath.bheemarasetti at gmail.com> wrote:

> A couple of things possible, from 4.8.0 winbind must be running and your
> smb.conf is, to be blunt, rubbish. You need to set the workgroup, you
> need to have idmap config lines for the workgroup, the 'winbind enum'
> lines only slow things down and 'map untrusted to domain' has been removed.
>
> Winbind is running and the workgroup was set as well. I omitted some lines from the smb.conf shared previously as I wasn't sure if they were relevant or not. I've added the full content below. Also share is being accessed by a windows client which is part of the domain and it does work fine for a few hours after restarting the smbd and winbind services. Does 'winbind enum' have any relation to that?