Hi,

I have 2 samba AD DC's running 4.7.0 and 2 member servers running 4.6.2.

Everything seems to be working OK except that I see the following errors
over and over again in the winbind log on one of the member servers:

[2017/10/12 00:53:52.351095, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:54.588468, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)

Can someone tell me what this means and if I should troubleshoot this further?

My Google foo has not been helpful.

Regards,

--
Tom    me at tdiehl.org

Hai,

You googled with the wrong words I think.
1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
Based on your question, what I experienced and what I found with Google.

https://support.oneidentity.com/authentication-services/kb/92515
Don't look at the product here, but it's an exact match on the error code.
They say, source of the problem is AD out of sync.

And now I'm thinking, I had such a problem also due to an out of sync AD database.
Here/how the out of sync happened I never found out.
Can you check if your DC's are in sync?

The other I found
https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
Is a problem in the keytab files, and, I did replace my keytab file, which solved 90% of my problem.
The 10% left over problem, a nfs keytab caching related thing, only involved my user account, so low prio for me.
Here the solution is to replace all keytab files. I did only the member server.
And that verifies it to me.

So I don't have an exact solution, only one big advice,
if you upgrade make sure your db replication is in sync and you checked all ADDC Db's.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Tom Diehl via samba
> Sent: Thursday, 12 October 2017 7:01
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4.6.2 member server errors
>
> Hi,
>
> I have 2 samba AD DC's running 4.7.0 and 2 member servers running 4.6.2.
>
> Everything seems to be working OK except that I see the following errors
> over and over again in the winbind log on one of the member servers:
>
> [2017/10/12 00:53:52.351095, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
> [2017/10/12 00:53:52.871160, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
> [2017/10/12 00:53:54.588468, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
>
> Can someone tell me what this means and if I should troubleshoot this further?
>
> My Google foo has not been helpful.
>
> Regards,
>
> --
> Tom    me at tdiehl.org

Hi Louis,

On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:

> Hai,
>
> You googled with the wrong words I think.

I have no problem believing that. :-)

> 1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
> Based on your question, what I experienced and what I found with Google.
>
> https://support.oneidentity.com/authentication-services/kb/92515
> Don't look at the product here, but it's an exact match on the error code.
> They say, source of the problem is AD out of sync.
>
> And now I'm thinking, I had such a problem also due to an out of sync AD database.
> Here/how the out of sync happened I never found out.
> Can you check if your DC's are in sync?
>
> The other I found
> https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
> Is a problem in the keytab files, and, I did replace my keytab file, which solved 90% of my problem.
> The 10% left over problem, a nfs keytab caching related thing, only involved my user account, so low prio for me.
> Here the solution is to replace all keytab files. I did only the member server.
> And that verifies it to me.

I appreciate the information but I am confused. The above articles talk about this
being a krb5.keytab issue. This is confusing to me because the errors occur on a
Samba AD member server not either of the DC's.

There is no keytab on the member servers.

I do not know if it matters but all of the machines are Centos 7.4. The DC's are
compiled from source using the 4.7.0 tarball but the member servers are using the
4.6.2-11 rpms supplied with Centos 7.4.

> So I don't have an exact solution, only one big advice,
> if you upgrade make sure your db replication is in sync and you checked all ADDC Db's.

So are you saying this is a DC problem even though the errors only occur on a member server?

Regards,

--
Tom    me at tdiehl.org

Hai,

I'll explain a bit.

> -----Original Message-----
> From: me at tdiehl.org [mailto:me at tdiehl.org]
> Sent: Thursday, 12 October 2017 19:15
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.6.2 member server errors
>
> Hi Louis,
>
> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
>
> > Hai,
> >
> > You googled with the wrong words I think.
>
> I have no problem believing that. :-)
>
> > 1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
> > Based on your question, what I experienced and what I found with Google.
> >
> > https://support.oneidentity.com/authentication-services/kb/92515
> > Don't look at the product here, but it's an exact match on the error code.
> > They say, source of the problem is AD out of sync.
> >
> > And now I'm thinking, I had such a problem also due to an out of sync AD database.
> > Here/how the out of sync happened I never found out.
> > Can you check if your DC's are in sync?
> >
> > The other I found
> > https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
> > Is a problem in the keytab files, and, I did replace my keytab file, which solved 90% of my problem.
> > The 10% left over problem, a nfs keytab caching related thing, only involved my user account, so low prio for me.
> > Here the solution is to replace all keytab files. I did only the member server.
> > And that verifies it to me.
>
> I appreciate the information but I am confused. The above articles talk about this
> being a krb5.keytab issue. This is confusing to me because the errors occur on a
> Samba AD member server not either of the DC's.

Ok, I'm not a star in explaining in English.

Look at this picture. That shows how Kerberos tickets work.
https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )

Now look at this one
https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
That's the user/computer login.

And if I'm correct, your problem is the systemkey on the member.
Due to somehow, an out of sync password in AD and the member server.

> There is no keytab on the member servers.

Ok, can you post your smb.conf?
Because without it, it is a guessing game as of this point.

> I do not know if it matters but all of the machines are Centos 7.4. The DC's are
> compiled from source using the 4.7.0 tarball but the member servers are using the
> 4.6.2-11 rpms supplied with Centos 7.4.
>
> > So I don't have an exact solution, only one big advice,
> > if you upgrade make sure your db replication is in sync and you checked all ADDC Db's.
>
> So are you saying this is a DC problem even though the errors only occur on a member server?

Yes, that is possible, but I cannot determine that yet.
And Centos is not really my thing.
But there are multiple Centos users on the list, so let's hope they are reading this also.

> Regards,
>
> --
> Tom    me at tdiehl.org
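
Added example (not part of the thread, and not Samba's own code): a small Python parser for the winbind log entries quoted in the first message. It counts the check_pac_checksum failures and converts the krb5 library number -1765328353 into its Kerberos protocol error code; the function names and the two-line layout of the sample are assumptions made for this illustration.

```python
import re
from collections import Counter

# Base of the krb5 com_err table: library code = base + RFC 4120 protocol code.
# Only the protocol code seen in this thread is named in the lookup table.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_PROTOCOL_ERRORS = {31: "KRB_AP_ERR_BAD_INTEGRITY"}

# Samba log header: [date time.usec, level] source_file:line(function)
HEADER = re.compile(r"\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>[\d:.]+),\s*\d+\]\s+"
                    r"\S+?:\d+\((?P<func>\w+)\)")
PAC_FAIL = re.compile(r"PAC Verification failed: (?P<text>.*?) \((?P<code>-?\d+)\)")

def decode_krb5_code(code):
    """Map a krb5 library error number to (protocol_code, name)."""
    proto = code - KRB5_ERROR_TABLE_BASE
    return proto, KRB5_PROTOCOL_ERRORS.get(proto, "unknown")

def pac_failures(log_text):
    """Return one dict per PAC verification failure found in a Samba log."""
    events, header = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            line = line[m.end():]  # the message may follow on the same line
        f = PAC_FAIL.search(line)
        if f and header and header["func"] == "check_pac_checksum":
            proto, name = decode_krb5_code(int(f["code"]))
            events.append({"when": header["date"] + " " + header["time"],
                           "krb5_code": int(f["code"]),
                           "protocol_code": proto, "name": name})
            header = None  # one message per header
    return events

def summarize(events):
    """Count failures per (date, error name) to show how often they recur."""
    return Counter((e["when"].split()[0], e["name"]) for e in events)

# Constructed sample: the thread's values in Samba's usual two-line layout.
SAMPLE = """\
[2017/10/12 00:53:52.351095,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:54.588468,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
"""
```

Running summarize(pac_failures(text)) over each member server's winbind log shows which host produces the failures and how often, which helps when comparing the two member servers.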