Dario Lesca
2016-Feb-05 10:59 UTC
[Samba] Samba 4 Domain Members stop authenticating with Samba 3 PDC after seven (7) days
On a CentOS 7 server with samba-4.2.3-11.el7_2.x86_64, joined as a domain member to a samba-3.6.23-24.el6_7.x86_64 PDC on an up-to-date CentOS 6.7, after 7 days I have to restart the winbind service because users can no longer authenticate. This is the error in the log file:

> Feb 4 10:15:26 s-graph smbd[28960]: [2016/02/04 10:15:26.529467, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:15:26 s-graph smbd[28960]: NTLMSSP NTLM2 packet check failed due to invalid signature!
> Feb 4 10:15:26 s-graph smbd[28960]: [2016/02/04 10:15:26.539866, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:15:26 s-graph smbd[28960]: NTLMSSP NTLM2 packet check failed due to invalid signature!
> Feb 4 10:15:47 s-graph smbd[28963]: [2016/02/04 10:15:47.992997, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:15:47 s-graph smbd[28963]: NTLMSSP NTLM2 packet check failed due to invalid signature!
> Feb 4 10:15:48 s-graph smbd[28963]: [2016/02/04 10:15:48.003989, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:15:48 s-graph smbd[28963]: NTLMSSP NTLM2 packet check failed due to invalid signature!
> Feb 4 10:16:01 s-graph smbd[28963]: [2016/02/04 10:16:01.075622, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Feb 4 10:16:01 s-graph smbd[28963]: NTLMSSP NTLM2 packet check failed due to invalid signature!
> Feb 4 10:17:16 s-graph smbd[28969]: [2016/02/04 10:17:16.574940, 0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
> Feb 4 10:17:16 s-graph smbd[28969]: smb_signing_good: BAD SIG: seq 2
> Feb 4 10:17:16 s-graph smbd[28969]: [2016/02/04 10:17:16.579065, 0] ../source3/smbd/process.c:571(receive_smb_talloc)
> Feb 4 10:17:16 s-graph smbd[28969]: receive_smb: SMB Signature verification failed on incoming packet!

In the PDC's log file I see this message:

> Feb 4 09:56:36 s-domino smbd[26114]: [2016/02/04 09:56:36.010299, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> Feb 4 09:56:36 s-domino smbd[26114]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client S-GRAPH machine account S-GRAPH$
> Feb 4 10:19:32 s-domino smbd[25808]: [2016/02/04 10:19:32.599553, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> Feb 4 10:19:32 s-domino smbd[25808]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client S-GRAPH machine account S-GRAPH$

After restarting winbind on CentOS 7 everything starts working properly again. This problem also occurs on another network with the same scenario and the same configuration; in that case, having received no useful suggestion [1], I resolved it by putting a "systemctl restart winbind.service" into cron.daily/. Can someone suggest how to resolve this problem without restarting the service?

Below is the "testparm -s" output of the two servers [2].

Many thanks
Dario

[1] - https://lists.samba.org/archive/samba/2015-September/194284.html

[2] - testparm -s

CentOS 7 - Domain member:

> # Global parameters
> [global]
> workgroup = DOM
> interfaces = lo ens32
> security = DOMAIN
> passdb backend = tdbsam:/etc/samba/account.tdb
> log file = /var/log/samba/log.%m
> max log size = 50
> unix extensions = No
> server signing = required
> load printers = No
> printcap name = /dev/null
> preferred master = No
> local master = No
> domain master = No
> wins server = 192.168.0.10
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> idmap config graphimedia : backend = rid
> idmap config graphimedia : range = 1000000-9999999
> idmap config * : range = 2000-9999
> idmap config * : backend = tdb
> printing = bsd
> cups options = raw
> store dos attributes = Yes

CentOS 6 - PDC:

> [global]
> workgroup = DOM
> netbios aliases = s-afp1, s-printer
> server string = %L
> interfaces = lo, eth0
> passdb backend = tdbsam:/etc/samba/account.tdb
> log file = /var/log/samba/log.%m
> max log size = 50
> smb ports = 139
> unix extensions = No
> show add printer wizard = No
> add user script = /usr/sbin/useradd -m -c "Utente Samba (%u)" -g smbusers -d "/u/samba/home/%u" -s /sbin/nologin "%u"
> delete user script = test 0$(id -u "%u" 2>/dev/null) -gt 100 && /usr/sbin/userdel "%u"
> add group script = /usr/sbin/groupadd "%g"
> delete group script = test 0$(id -g "%g" 2>/dev/null) -gt 100 && /usr/sbin/groupdel "%g"
> add user to group script = /usr/bin/gpasswd -a "%u" "%g"
> delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
> set primary group script = /usr/sbin/usermod -g "%g" "%u"
> add machine script = /usr/sbin/useradd -M -c "Computer di dominio (%u)" -g smbhosts -d /tmp/smbpc -s /sbin/nologin "%u"
> logon script = netlogon.bat
> logon path =
> logon drive = X:
> logon home = \\%L\%U
> domain logons = Yes
> os level = 83
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> utmp directory = /var/log/samba/utmp
> wtmp directory = /var/log/samba/wtmp
> utmp = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind trusted domains only = Yes
> idmap config * : range = 16777216-33554431
> idmap config * : backend = tdb
> cups options = raw
> map archive = No
> map readonly = no
> store dos attributes = Yes

-- 
Dario Lesca
(sent from my Linux Fedora 23 Workstation)
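The three messages quoted above (NTLMSSP signature check failures and SMB signing failures on the member server, and the netlogon credential rejection of the S-GRAPH$ machine account on the PDC) are specific enough to detect rather than to paper over with a daily restart. The script below is an added example, not code from the thread or from the Samba project: it parses syslog-style smbd lines, counts the signatures, extracts the rejected machine account from the PDC message, and returns a verdict that a cron job or monitoring agent could act on. The alert thresholds, the `SAMPLE_LINES` list (rebuilt from the excerpts above) and the function names are assumptions of the example.

```python
"""Detect the smbd/PDC failure signatures quoted in this thread.

Added example, not code from the thread.  It does not establish the root
cause; it turns the quoted log messages into a check that can run on the
member server and on the PDC instead of restarting winbind blindly.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Syslog-style prefix as in the quoted logs: "Feb  4 10:15:26 host smbd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[a-z]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Substrings copied from the messages in the thread; keys are report labels.
SIGNATURES = {
    "ntlmssp_bad_sig": "NTLMSSP NTLM2 packet check failed due to invalid signature",
    "smb_bad_sig": "SMB Signature verification failed on incoming packet",
    "netlogon_creds_check": "netlogon_creds_server_check failed",
}

# The PDC message names the rejected machine account ("machine account S-GRAPH$").
MACHINE_ACCOUNT_RE = re.compile(r"machine account (?P<acct>\S+\$)")


@dataclass
class Finding:
    ts: str
    host: str
    label: str
    account: Optional[str]


def scan_samba_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that carries a known failure signature."""
    findings = []
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a syslog-style smbd line
        msg = m.group("msg")
        for label, needle in SIGNATURES.items():
            if needle in msg:
                acct = MACHINE_ACCOUNT_RE.search(msg)
                findings.append(Finding(m.group("ts"), m.group("host"), label,
                                        acct.group("acct") if acct else None))
                break
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Counts per signature plus the machine accounts the PDC rejected."""
    return {
        "counts": dict(Counter(f.label for f in findings)),
        "rejected_accounts": sorted({f.account for f in findings if f.account}),
    }


def needs_attention(findings: List[Finding], min_member_failures: int = 3,
                    min_pdc_rejections: int = 1) -> bool:
    """True when the pattern from the thread is present.

    Thresholds are assumptions of this example: a handful of signing failures
    on the member, or any netlogon credential rejection on the PDC, is enough
    to raise an alert (or to trigger the restart only when actually needed).
    """
    counts = summarize(findings)["counts"]
    member = counts.get("ntlmssp_bad_sig", 0) + counts.get("smb_bad_sig", 0)
    pdc = counts.get("netlogon_creds_check", 0)
    return member >= min_member_failures or pdc >= min_pdc_rejections


# Constructed sample input: the lines quoted in the thread, one per entry.
SAMPLE_LINES = [
    "Feb  4 10:15:26 s-graph smbd[28960]: [2016/02/04 10:15:26.529467, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)",
    "Feb  4 10:15:26 s-graph smbd[28960]: NTLMSSP NTLM2 packet check failed due to invalid signature!",
    "Feb  4 10:15:26 s-graph smbd[28960]: NTLMSSP NTLM2 packet check failed due to invalid signature!",
    "Feb  4 10:15:47 s-graph smbd[28963]: NTLMSSP NTLM2 packet check failed due to invalid signature!",
    "Feb  4 10:15:48 s-graph smbd[28963]: NTLMSSP NTLM2 packet check failed due to invalid signature!",
    "Feb  4 10:16:01 s-graph smbd[28963]: NTLMSSP NTLM2 packet check failed due to invalid signature!",
    "Feb  4 10:17:16 s-graph smbd[28969]: smb_signing_good: BAD SIG: seq 2",
    "Feb  4 10:17:16 s-graph smbd[28969]: receive_smb: SMB Signature verification failed on incoming packet!",
    "Feb  4 09:56:36 s-domino smbd[26114]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client S-GRAPH machine account S-GRAPH$",
    "Feb  4 10:19:32 s-domino smbd[25808]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client S-GRAPH machine account S-GRAPH$",
]

if __name__ == "__main__":
    found = scan_samba_log(SAMPLE_LINES)
    print(summarize(found))
    print("needs attention:", needs_attention(found))
```

Run it against the syslog (or /var/log/samba/log.* when smbd logs to its own files) on both hosts; matching the PDC-side `netlogon_creds_server_check failed` message against the member-side signing failures for the same machine account is what confirms the two ends are seeing the same event. One documented fact worth checking alongside the output: Samba's default `machine password timeout` is 604800 seconds, exactly seven days; the thread does not establish that this is the cause, so treat it as a lead, not a diagnosis.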
Dario Lesca
2016-Feb-10 09:23 UTC
[Samba] Samba 4 Domain Members stop authenticating with Samba 3 PDC after seven (7) days
On Fri, 05/02/2016 at 11:59 +0100, Dario Lesca wrote:
> On a CentOS 7 server with samba-4.2.3-11.el7_2.x86_64, joined to a
> samba-3.6.23-24.el6_7.x86_64 PDC on an up-to-date CentOS 6.7,
> after 7 days I have to restart the winbind service because users can
> no longer authenticate.

Since I have had no answer to the problem described above, it means that the only solution is:

$ echo /bin/systemctl restart winbind |sudo dd of=/etc/cron.daily/restart-wbind
$ sudo chmod 755 /etc/cron.daily/restart-wbind

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 23 Workstation)
Rowland penny
2016-Feb-10 09:43 UTC
[Samba] Samba 4 Domain Members stop authenticating with Samba 3 PDC after seven (7) days
On 10/02/16 09:23, Dario Lesca wrote:
> On Fri, 05/02/2016 at 11:59 +0100, Dario Lesca wrote:
>> On a CentOS 7 server with samba-4.2.3-11.el7_2.x86_64, joined to a
>> samba-3.6.23-24.el6_7.x86_64 PDC on an up-to-date CentOS 6.7,
>> after 7 days I have to restart the winbind service because users can
>> no longer authenticate.
> Since I have had no answer to the problem described above, it means that
> the only solution is:
>
> $ echo /bin/systemctl restart winbind |sudo dd of=/etc/cron.daily/restart-wbind
> $ sudo chmod 755 /etc/cron.daily/restart-wbind
>
> Many thanks
>

That is a band-aid over a problem. Can you explain why your PDC smb.conf seems to be a mixture of a PDC one and an ADS domain member one? You do not actually need winbind on an NT4-style PDC, and this could be part of your problem. Have a look here for a bare PDC setup:

http://xmodulo.com/samba-primary-domain-controller.html

Rowland
Dario Lesca
2016-Feb-11 11:52 UTC
[Samba] Samba 4 Domain Members stop authenticating with Samba 3 PDC after seven (7) days
On Wed, 10/02/2016 at 10:23 +0100, Dario Lesca wrote:
> On Fri, 05/02/2016 at 11:59 +0100, Dario Lesca wrote:
> > On a CentOS 7 server with samba-4.2.3-11.el7_2.x86_64, joined to a
> > samba-3.6.23-24.el6_7.x86_64 PDC on an up-to-date CentOS 6.7,
> > after 7 days I have to restart the winbind service because users
> > can no longer authenticate.
>
> Since I have had no answer to the problem described above, it means that
> the only solution is:
>
> $ echo /bin/systemctl restart winbind |sudo dd of=/etc/cron.daily/restart-wbind
> $ sudo chmod 755 /etc/cron.daily/restart-wbind

Note: I have added this workaround on my Samba 4.x member server, not on the PDC or on the other member server running Samba 3.x.

Thanks

>
> -- 
> Dario Lesca
> (sent from my Linux Fedora 23 Workstation)
>

-- 
Dario Lesca
(sent from my Linux Fedora 23 Workstation)