We have a service on our windows system that drops files onto a samba share
every 10 minutes. This has worked fine, except after one week, the system will
fail. We usually restart samba and winbind on the linux side, and then restart
the service on the windows box to resolve the issue.
This week we decided to let it fail, and after an hour it seemed to allow
connections to the samba share. Here is the log file of the failures:

  172.19.6.60 (172.19.6.60) closed connection to service lorian
[2010/06/21 09:40:03, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

This repeats every minute until 10:33 am, when the service was able to reconnect
to the share.
Is there a reason why this would fail every week at the same time? Do these
settings have anything to do with the issue?
Default: idmap cache time = 604800 (one week)
Default: machine password timeout = 604800
For the machine password timeout, is it necessary for it to update this often?
Can it be set to only attempt once per year, longer?
One other question, is it possible to see the data contained in secrets.tdb?
The modified time of this file always lets us know that the share failure is
imminent. For example, file date was 6/21/10 9:36 am, first connection after
that time was 9:40 am and it failed.
Any assistance would be appreciated.
PDC: windows 2008 R2
Samba: 3.4.7 on ubuntu 10.4
Testparm:
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = test
realm = TEST.LOCAL
server string = %h server (Samba, Ubuntu)
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
password server = pdc21.test.local
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
domain master = No
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap uid = 500-10000000
idmap gid = 500-10000000
template shell = /bin/bash
winbind refresh tickets = Yes
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
browsable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
On Mon, Jun 21, 2010 at 12:39:09PM -0400, Hong K Phooey wrote:
> We have a service on our windows system that drops files onto a samba share every 10 minutes. This has worked fine, except after one week, the system will fail. We usually restart samba and winbind on the linux side, and then restart the service on the windows box to resolve the issue.
>
> This week we decided to let it fail, and after an hour it seemed to allow connections to the samba share. Here is the log file of the failures:
>
>   172.19.6.60 (172.19.6.60) closed connection to service lorian
> [2010/06/21 09:40:03, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>
> This repeats every minute until 10:33 am, when the service was able to reconnect to the share.
>
> Is there a reason why this would fail every week at the same time? Do these settings have anything to do with the issue?
>
> Default: idmap cache time = 604800 (one week)
> Default: machine password timeout = 604800
>
> For the machine password timeout, is it necessary for it to update this often? Can it be set to only attempt once per year, longer?

You can stop it updating the machine password by setting
"machine password timeout = 0".

This looks like an issue with the machine account
password being changed.

Jeremy
On 06/21/2010 02:43 PM, Jeremy Allison wrote:
> On Mon, Jun 21, 2010 at 12:39:09PM -0400, Hong K Phooey wrote:
>> We have a service on our windows system that drops files onto a samba share every 10 minutes. This has worked fine, except after one week, the system will fail. We usually restart samba and winbind on the linux side, and then restart the service on the windows box to resolve the issue.
>>
>> This week we decided to let it fail, and after an hour it seemed to allow connections to the samba share. Here is the log file of the failures:
>>
>>   172.19.6.60 (172.19.6.60) closed connection to service lorian
>> [2010/06/21 09:40:03, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
>>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>>
>> This repeats every minute until 10:33 am, when the service was able to reconnect to the share.
>>
>> Is there a reason why this would fail every week at the same time? Do these settings have anything to do with the issue?
>>
>> Default: idmap cache time = 604800 (one week)
>> Default: machine password timeout = 604800
>>
>> For the machine password timeout, is it necessary for it to update this often? Can it be set to only attempt once per year, longer?
>
> You can stop it updating the machine password by setting
> "machine password timeout = 0".
>
> This looks like an issue with the machine account
> password being changed.
>
> Jeremy

What version of samba are you using? I believe that a machine password
renewal bug was fixed in 3.5.3.

- John T.
----- Original Message -----
From: John H Terpstra <jht at samba.org>
Date: Monday, June 21, 2010 16:05
Subject: Re: [Samba] weekly samba kerberos failure
To: Hong K Phooey <hkp at insightbb.com>
Cc: Jeremy Allison <jra at samba.org>, samba at lists.samba.org

> On 06/21/2010 02:43 PM, Jeremy Allison wrote:
> > On Mon, Jun 21, 2010 at 12:39:09PM -0400, Hong K Phooey wrote:
> >> We have a service on our windows system that drops files onto a samba share every 10 minutes. This has worked fine, except after one week, the system will fail. We usually restart samba and winbind on the linux side, and then restart the service on the windows box to resolve the issue.
> >>
> >> This week we decided to let it fail, and after an hour it seemed to allow connections to the samba share. Here is the log file of the failures:
> >>
> >>   172.19.6.60 (172.19.6.60) closed connection to service lorian
> >> [2010/06/21 09:40:03, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
> >>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> >>
> >> This repeats every minute until 10:33 am, when the service was able to reconnect to the share.
> >>
> >> Is there a reason why this would fail every week at the same time? Do these settings have anything to do with the issue?
> >>
> >> Default: idmap cache time = 604800 (one week)
> >> Default: machine password timeout = 604800
> >>
> >> For the machine password timeout, is it necessary for it to update this often? Can it be set to only attempt once per year, longer?
> >
> > You can stop it updating the machine password by setting
> > "machine password timeout = 0".
> >
> > This looks like an issue with the machine account
> > password being changed.
> >
> > Jeremy
>
> What version of samba are you using? I believe that a machine password
> renewal bug was fixed in 3.5.3.
>
> - John T.

John, We are using 3.4.7, so we are affected by the bug.
Jeremy, Thanks very much for the update, after I sent the message this morning we dug into this a little further and did narrow it down to the "machine password timeout" setting. Thanks for confirming we can disable that setting by setting it to 0.
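
An added example, not part of the thread or of Samba: a small Python check that parses smbd log entries in the format quoted above, groups the reply_spnego_kerberos failures into outage windows, and tests whether a window opens shortly after the modification time of secrets.tdb. The log text is constructed from the times given in the thread; the function names and the 5-minute and 15-minute thresholds are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Header and message text as they appear in the log excerpt in the thread.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s+\d+\]\s+(\S+)")
FAILURE = "Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE"

def build_sample():
    """Constructed log: one failure per minute, 09:40:03 through 10:32:03."""
    lines = ["  172.19.6.60 (172.19.6.60) closed connection to service lorian"]
    t = datetime(2010, 6, 21, 9, 40, 3)
    while t <= datetime(2010, 6, 21, 10, 32, 3):
        lines.append(t.strftime("[%Y/%m/%d %H:%M:%S, 1] ")
                     + "smbd/sesssetup.c:342(reply_spnego_kerberos)")
        lines.append("  " + FAILURE + "!")
        t += timedelta(minutes=1)
    return "\n".join(lines)

def kerberos_failures(log_text):
    """Timestamps of reply_spnego_kerberos entries whose body is the failure."""
    hits, stamp, source = [], None, ""
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # header line: remember its time and source location
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            source = m.group(2)
        elif stamp and "reply_spnego_kerberos" in source and FAILURE in line:
            hits.append(stamp)
    return hits

def failure_windows(stamps, gap=timedelta(minutes=5)):
    """Merge failures separated by no more than `gap` into (start, end) windows."""
    windows = []
    for ts in sorted(stamps):
        if windows and ts - windows[-1][1] <= gap:
            windows[-1][1] = ts
        else:
            windows.append([ts, ts])
    return [tuple(w) for w in windows]

def follows_password_change(window, secrets_mtime, slack=timedelta(minutes=15)):
    """True if the window opens within `slack` after secrets.tdb was modified."""
    return timedelta(0) <= window[0] - secrets_mtime <= slack

if __name__ == "__main__":
    # On a live host, take the mtime from os.path.getmtime() on secrets.tdb.
    mtime = datetime(2010, 6, 21, 9, 36)  # file date reported in the thread
    for w in failure_windows(kerberos_failures(build_sample())):
        print(w[0], "->", w[1], "after password change:",
              follows_password_change(w, mtime))
```

Run against a real log.%m file, a window that repeatedly opens a few minutes after secrets.tdb changes points at the machine password rotation rather than at the idmap cache.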