Rodrigo Antunes
2024-Oct-18 16:13 UTC
[Samba] net ads extremely slow when dns server configured in resolv.conf
Yes, it is Samba 4.2.10 and Debian Jessie.

Is this a known bug of that version?

On Friday, 18 October 2024 at 12:15:26 BRT, Rowland Penny via samba <samba at lists.samba.org> wrote:

On Fri, 18 Oct 2024 15:00:38 +0000 (UTC)
Rodrigo Antunes via samba <samba at lists.samba.org> wrote:

> Hi,
>
> First of all, my problem is a lot similar to this:
> https://lists.samba.org/archive/samba/2017-February/206248.html
>
> I have a freeradius server (10.1.0.13) that authenticates wifi users
> against AD (10.1.0.3). 10.1.0.13 is domain joined and has 10.1.0.3 as
> its DNS server.
>
> The problem:
> When 10.1.0.3 has no internet connection, users most of the time
> can't authenticate. When it has, everything works as it should.
>
> The "fix":
> If I use no DNS servers at all and put a fixed entry (10.1.0.3
> mydomain.com) in 10.1.0.13's /etc/hosts everything works as it
> should. Although this solves the main problem this creates other
> unrelated problems, so the freeradius server needs to work with the
> right DNS server configured.
>
> When the problem happens all the domain related commands (wbinfo, net
> ads, ntlm_auth) are extremely slow and sometimes succeed and
> sometimes don't. I have run 'net ads info' in debug and found this:
>
> --
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
>
> (hangs for a lot of time)
>
> gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were
> supplied, or the credentials were unavailable or inaccessible.:
> unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may
> retry after a kinit. Failed to start GENSEC client mech gse_krb5:
> NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit request:
> NT_STATUS_INTERNAL_ERROR ads_sasl_spnego_gensec_bind(KRB5) failed
> with: An internal error occurred., calling kinit
> kerberos_kinit_password: as MYFRSERVER$@MYDOMAIN.COM using
> [MEMORY:net_ads] as ccache and config
> [/var/run/samba/smb_krb5/krb5.conf.ADM]
>
> (then tries again)
>
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> --
>
> But I have noticed that the same messages appear when everything is
> working, except that there are no hangs.
>
> Any ideas?
>
> Samba Version 4.2.10-Debian
>

Please tell me that is a typo before we go anywhere, tell me that you are
not still using Samba 4.2.10 and presumably Debian Jessie.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Luis Peromarta
2024-Oct-18 16:29 UTC
[Samba] net ads extremely slow when dns server configured in resolv.conf
You *really really* want to upgrade to a supported samba version, 4.20. Your version was deemed obsolete 10 ago.

Try to join a new DC, you will probably need to do in 2-3 steps as you upgrade.

This guide may help.

http://samba.bigbird.es/doku.php?id=samba:aditional-dc

All the best.

On 18 Oct 2024 at 18:14 +0200, Rodrigo Antunes via samba <samba at lists.samba.org>, wrote:

> Yes, it is Samba 4.2.10 and Debian Jessie.
>
> Is this a known bug of that version?
Rowland Penny
2024-Oct-18 16:44 UTC
[Samba] net ads extremely slow when dns server configured in resolv.conf
On Fri, 18 Oct 2024 16:13:50 +0000 (UTC)
Rodrigo Antunes <rodrigoaantunes at yahoo.com.br> wrote:

> Yes, it is Samba 4.2.10 and Debian Jessie.
>
> Is this a known bug of that version?
>

I cannot remember, it has been so long since I last used it (over 8 years).

If you have found a bug then you have zero chance of getting it fixed, your distro version is dead, never mind EOL, your version of Samba is EOL. If you have found a bug, it may already have been fixed in a later version.

You should upgrade everything before some blackhat realises you are walking around with a big target on your back saying 'please hack me'.

Rowland