Hi Rowland,

> You have real trouble if you don't have the last three :-D
>
> They are well known SIDs
>
> 501 is Guest
> 502 is krbtgt
> 517 is Cert Publishers
>
> Try opening a terminal on the DC and run this:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb '(objectsid=S-1-5-21-90839350-987482234-868425949-501)'

I searched with ldbsearch, and that confirmed that we DO have those records. So at least we don't seem to have REAL trouble. :-D

Looking at ADUC, I realise that these 'problem' accounts are the (few) accounts with no UID assigned to them. So the 'error' makes sense: they are mailing lists, or groups not used for file access permissions.

So it seems this is logical, and does not explain the problems we had yesterday evening with winbind crashing, as I wrote in my second email yesterday:

> [2016/04/11 20:39:01.330173, 0] ../lib/util/fault.c:79(fault_report)
> INTERNAL ERROR: Signal 11 in pid 4899 (4.2.9-SerNet-Debian-8.wheezy)
> Please read the Trouble-Shooting section of the Samba HOWTO
> [2016/04/11 20:39:01.330199, 0] ../lib/util/fault.c:81(fault_report)
> ==============================================================
> [2016/04/11 20:39:01.330217, 0] ../source3/lib/util.c:788(smb_panic_s3)
> PANIC (pid 4899): internal error
> [2016/04/11 20:39:01.330733, 0] ../source3/lib/util.c:899(log_stack_trace)
> BACKTRACE: 29 stack frames:
> #0 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f64c5f6699b]
> #1 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(smb_panic_s3+0x55) [0x7f64c5f66a99]
> #2 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(smb_panic+0x2d) [0x7f64c9883ed3]
> #3 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(+0x231ec) [0x7f64c98841ec]
> #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf0a0) [0x7f64cb2520a0]
> #5 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x4) [0x7f64c7f0ae4f]
> #6 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x3c7cd) [0x7f64c7ef67cd]
> #7 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x2a) [0x7f64c7ef5eac]
> #8 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(+0xa981) [0x7f64c4aaf981]
> #9 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(gse_krb5_get_server_keytab+0x3db) [0x7f64c4aafdaa]
> #10 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(+0xc644) [0x7f64c4ab1644]
> #11 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0x197) [0x7f64c4ce3eaf]
> #12 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0xd9) [0x7f64c4ce4194]
> #13 /usr/sbin/winbindd(kerberos_return_pac+0x5b2) [0x7f64cb6a8248]
> #14 /usr/sbin/winbindd(winbindd_dual_pam_auth+0x792) [0x7f64cb6c6be5]
> #15 /usr/sbin/winbindd(+0x5aa44) [0x7f64cb6dba44]
> #16 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x9771) [0x7f64c9001771]
> #17 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x7a2b) [0x7f64c8fffa2b]
> #18 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x92) [0x7f64c8ffc3b1]
> #19 /usr/sbin/winbindd(+0x5daef) [0x7f64cb6deaef]
> #20 /usr/sbin/winbindd(+0x5dc57) [0x7f64cb6dec57]
> #21 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x4d68) [0x7f64c8ffcd68]
> #22 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(tevent_common_loop_immediate+0x128) [0x7f64c8ffcc15]
> #23 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x94ba) [0x7f64c90014ba]
> #24 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x7a2b) [0x7f64c8fffa2b]
> #25 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x92) [0x7f64c8ffc3b1]
> #26 /usr/sbin/winbindd(main+0x11d5) [0x7f64cb6b7319]
> #27 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f64c3879ead]
> #28 /usr/sbin/winbindd(+0x26a09) [0x7f64cb6a7a09]

Any ideas where to look next..?

One line that struck me in the log lines above is:

> INTERNAL ERROR: Signal 11 in pid 4899 (4.2.9-SerNet-Debian-8.wheezy)

Debian 8, wheezy.... strange to see those two (8, wheezy) in one line.

We're on wheezy, and my sources.list line is also for wheezy.

Suggestions?

MJ

On 12/04/16 09:24, lists wrote:
> Hi Rowland,
>
>> You have real trouble if you don't have the last three :-D
>>
>> They are well known SIDs
>>
>> 501 is Guest
>> 502 is krbtgt
>> 517 is Cert Publishers
>>
>> Try opening a terminal on the DC and run this:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb '(objectsid=S-1-5-21-90839350-987482234-868425949-501)'
>
> I searched with ldbsearch, and that confirmed that we DO have those
> records. So at least we don't seem to have REAL trouble. :-D
>
> Looking at ADUC, I realise that these 'problem' accounts are the (few)
> accounts with no UID assigned to them. So the 'error' makes sense:
> they are mailing lists, or groups not used for file access permissions.
>
> So it seems this is logical, and does not explain the problems we had
> yesterday evening with winbind crashing, as I wrote in my second email
> yesterday:
>
>> [2016/04/11 20:39:01.330173, 0] ../lib/util/fault.c:79(fault_report)
>> INTERNAL ERROR: Signal 11 in pid 4899 (4.2.9-SerNet-Debian-8.wheezy)
>> Please read the Trouble-Shooting section of the Samba HOWTO
>> [2016/04/11 20:39:01.330199, 0] ../lib/util/fault.c:81(fault_report)
>> ==============================================================
>> [2016/04/11 20:39:01.330217, 0] ../source3/lib/util.c:788(smb_panic_s3)
>> PANIC (pid 4899): internal error
>> [2016/04/11 20:39:01.330733, 0] ../source3/lib/util.c:899(log_stack_trace)
>> BACKTRACE: 29 stack frames:
>> #0 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f64c5f6699b]
>> #1 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(smb_panic_s3+0x55) [0x7f64c5f66a99]
>> #2 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(smb_panic+0x2d) [0x7f64c9883ed3]
>> #3 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(+0x231ec) [0x7f64c98841ec]
>> #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf0a0) [0x7f64cb2520a0]
>> #5 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x4) [0x7f64c7f0ae4f]
>> #6 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x3c7cd) [0x7f64c7ef67cd]
>> #7 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x2a) [0x7f64c7ef5eac]
>> #8 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(+0xa981) [0x7f64c4aaf981]
>> #9 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(gse_krb5_get_server_keytab+0x3db) [0x7f64c4aafdaa]
>> #10 /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so(+0xc644) [0x7f64c4ab1644]
>> #11 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0x197) [0x7f64c4ce3eaf]
>> #12 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0xd9) [0x7f64c4ce4194]
>> #13 /usr/sbin/winbindd(kerberos_return_pac+0x5b2) [0x7f64cb6a8248]
>> #14 /usr/sbin/winbindd(winbindd_dual_pam_auth+0x792) [0x7f64cb6c6be5]
>> #15 /usr/sbin/winbindd(+0x5aa44) [0x7f64cb6dba44]
>> #16 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x9771) [0x7f64c9001771]
>> #17 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x7a2b) [0x7f64c8fffa2b]
>> #18 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x92) [0x7f64c8ffc3b1]
>> #19 /usr/sbin/winbindd(+0x5daef) [0x7f64cb6deaef]
>> #20 /usr/sbin/winbindd(+0x5dc57) [0x7f64cb6dec57]
>> #21 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x4d68) [0x7f64c8ffcd68]
>> #22 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(tevent_common_loop_immediate+0x128) [0x7f64c8ffcc15]
>> #23 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x94ba) [0x7f64c90014ba]
>> #24 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x7a2b) [0x7f64c8fffa2b]
>> #25 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x92) [0x7f64c8ffc3b1]
>> #26 /usr/sbin/winbindd(main+0x11d5) [0x7f64cb6b7319]
>> #27 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f64c3879ead]
>> #28 /usr/sbin/winbindd(+0x26a09) [0x7f64cb6a7a09]
>
> Any ideas where to look next..?
>
> One line that struck me in the log lines above is:
> > INTERNAL ERROR: Signal 11 in pid 4899 (4.2.9-SerNet-Debian-8.wheezy)
> Debian 8, wheezy.... strange to see those two (8, wheezy) in one line.
>
> We're on wheezy, and my sources.list line is also for wheezy.
>
> Suggestions?
>
> MJ
>

apt-get install libpam-krb5

Rowland

If I log in to a domain member via ssh I get this in /var/log/auth.log:

Apr 12 09:21:21 member1 sshd[6502]: pam_krb5(sshd:auth): user rowland authenticated as rowland@SAMDOM.EXAMPLE.COM
Apr 12 09:21:22 member1 sshd[6500]: Accepted keyboard-interactive/pam for rowland from 192.168.0.128 port 41609 ssh2
Apr 12 09:21:22 member1 sshd[6500]: pam_unix(sshd:session): session opened for user rowland by (uid=0)

Rowland

On 12-4-2016 10:24, lists wrote:

From log.wb-DOMAIN:
>
> [2016/04/11 20:39:01.330173, 0] ../lib/util/fault.c:79(fault_report)
> INTERNAL ERROR: Signal 11 in pid 4899 (4.2.9-SerNet-Debian-8.wheezy)
> Please read the Trouble-Shooting section of the Samba HOWTO
> [2016/04/11 20:39:01.330199, 0] ../lib/util/fault.c:81(fault_report)
> ==============================================================
> [2016/04/11 20:39:01.330217, 0] ../source3/lib/util.c:788(smb_panic_s3)
> PANIC (pid 4899): internal error
> [2016/04/11 20:39:01.330733, 0] ../source3/lib/util.c:899(log_stack_trace)
> BACKTRACE: 29 stack frames:

I am trying to trigger the above panic:

wbinfo -u (lists all users)
wbinfo -g (lists all groups)
wbinfo -t (checking trust succeeds)
wbinfo --list-status (all three reported online)
wbinfo --authenticate=user%password (authentication succeeds)
wbinfo --dc-info=DOMAIN (lists only ONE of our three DCs, but no panic)

The above panic happened yesterday while nsswitch.conf contained

> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind

Currently nsswitch.conf has

> passwd: compat sss
> group: compat sss
> shadow: compat sss

and winbind is running without crashes.

Since this is production, I'd rather not put back winbind in nsswitch.conf, because the winbind panic will break fileserving from this member server.

Any ideas how to approach this..?

BTW: wheezy 7.10, x64, sernet-samba 4.2.9-8.

MJ

On 12/04/16 12:55, lists wrote:
> On 12-4-2016 10:24, lists wrote:
>
> From log.wb-DOMAIN:
>>
>> [2016/04/11 20:39:01.330173, 0] ../lib/util/fault.c:79(fault_report)
>> INTERNAL ERROR: Signal 11 in pid 4899 (4.2.9-SerNet-Debian-8.wheezy)
>> Please read the Trouble-Shooting section of the Samba HOWTO
>> [2016/04/11 20:39:01.330199, 0] ../lib/util/fault.c:81(fault_report)
>> ==============================================================
>> [2016/04/11 20:39:01.330217, 0] ../source3/lib/util.c:788(smb_panic_s3)
>> PANIC (pid 4899): internal error
>> [2016/04/11 20:39:01.330733, 0] ../source3/lib/util.c:899(log_stack_trace)
>> BACKTRACE: 29 stack frames:
>
> I am trying to trigger the above panic:
>
> wbinfo -u (lists all users)
> wbinfo -g (lists all groups)
> wbinfo -t (checking trust succeeds)
> wbinfo --list-status (all three reported online)
> wbinfo --authenticate=user%password (authentication succeeds)
> wbinfo --dc-info=DOMAIN (lists only ONE of our three DCs, but no panic)
>
> The above panic happened yesterday while nsswitch.conf contained
> > passwd: compat winbind
> > group: compat winbind
> > shadow: compat winbind
>
> Currently nsswitch.conf has
> > passwd: compat sss
> > group: compat sss
> > shadow: compat sss
> and winbind is running without crashes.
>
> Since this is production, I'd rather not put back winbind in
> nsswitch.conf, because the winbind panic will break fileserving from
> this member server.
>
> Any ideas how to approach this..?
>
> BTW: wheezy 7.10, x64, sernet-samba 4.2.9-8.
>
> MJ
>

I never alter 'shadow' and winbind doesn't crash for me, i.e. relevant part of /etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind
shadow: compat

wheezy 7.10, x64, sernet-samba 4.2.4-7

I will upgrade sernet samba and see what happens.

Rowland