thr3ads.net - samba - [Samba] Samba 4.6.2 member server errors [Oct 2017]

If this information is useful, please help other people find it:
Share via:

me at tdiehl.org

2017-Oct-12 05:00 UTC

[Samba] Samba 4.6.2 member server errors

Hi,

I have 2 samba AD DC's running 4.7.0 and 2 member servers running 4.6.2.

Everything seems to be working OK except that I see the following errors
over and over again in the winbind log on one of the member servers:

[2017/10/12 00:53:52.351095,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed
(-1765328353)
[2017/10/12 00:53:52.871160,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed
(-1765328353)
[2017/10/12 00:53:54.588468,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed
(-1765328353)

Can someone tell me what this means and if I should troubleshoot this further?

My Google foo has not been helpful.

Regards,

-- 
Tom			me at tdiehl.org

L.P.H. van Belle

2017-Oct-12 07:24 UTC

head link

[Samba] Samba 4.6.2 member server errors

Hai, 

You googled with the wrong words i think. 

1 search, 6 words. 4e link and 5e link, for explanation and solution.  ;-) 
Based on your question, what i experianced and what i found with google. 

https://support.oneidentity.com/authentication-services/kb/92515 
Dont look at the product here, but its an exact match on the error code. 
They say, source of the problem is AD out of sync. 

And now im thinking, i had such a problem also due to an out of sync AD
database.
Here/how the out of sync happend i never found out. 
Can you check if you DC's are in sync? 

The other i found 
https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU 
Is a problem in the keytab files, and, i did replace my keytab file, which
solved 90% of my problem.
The 10% left over problem, a nfs keytab caching related thing, only involved my
user account, so low prio for me.
Here the solution is to replace all keytab files. I did only the member server.
And that verifies it to me.

So i dont have an exact solution, only one big advice, 
if you upgrade make sure you db replication is in sync and you checked all ADDC
Db's.


Greetz, 

Louis



 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom 
> Diehl via samba
> Verzonden: donderdag 12 oktober 2017 7:01
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Samba 4.6.2 member server errors
> 
> Hi,
> 
> I have 2 samba AD DC's running 4.7.0 and 2 member servers 
> running 4.6.2.
> 
> Everything seems to be working OK except that I see the 
> following errors
> over and over again in the winbind log on one of the member servers:
> 
> [2017/10/12 00:53:52.351095,  2] 
> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>    check_pac_checksum: PAC Verification failed: Decrypt 
> integrity check failed (-1765328353)
> [2017/10/12 00:53:52.871160,  2] 
> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>    check_pac_checksum: PAC Verification failed: Decrypt 
> integrity check failed (-1765328353)
> [2017/10/12 00:53:54.588468,  2] 
> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>    check_pac_checksum: PAC Verification failed: Decrypt 
> integrity check failed (-1765328353)
> 
> Can someone tell me what this means and if I should 
> troubleshoot this further?
> 
> My Google foo has not been helpful.
> 
> Regards,
> 
> -- 
> Tom			me at tdiehl.org
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

me at tdiehl.org

2017-Oct-12 17:15 UTC

head link

[Samba] Samba 4.6.2 member server errors

Hi Louis,

On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
> Hai,
>
> You googled with the wrong words i think.
I have no problem believing that. :-)
> 1 search, 6 words. 4e link and 5e link, for explanation and solution.  ;-)
> Based on your question, what i experianced and what i found with google.
>
> https://support.oneidentity.com/authentication-services/kb/92515
> Dont look at the product here, but its an exact match on the error code.
> They say, source of the problem is AD out of sync.
>
> And now im thinking, i had such a problem also due to an out of sync AD
database.
> Here/how the out of sync happend i never found out.
> Can you check if you DC's are in sync?
>
> The other i found
> https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
> Is a problem in the keytab files, and, i did replace my keytab file, which
solved 90% of my problem.
> The 10% left over problem, a nfs keytab caching related thing, only
involved my user account, so low prio for me.
> Here the solution is to replace all keytab files. I did only the member
server.
> And that verifies it to me.
I appreciate the information but I am confused. The above articles talk about
this
being a krb5.keytab issue. This is confusing to me because the errors occur on a
Samba AD member server not either of the DC's.

There is no keytab on the member servers.

I do not know if it matters but all of the machines are Centos 7.4. The DC's
are
compiled from source using the 4.7.0 tarball but the member servers are using
the
4.6.2-11 rpms supplied with Centos 7.4.
> So i dont have an exact solution, only one big advice,
> if you upgrade make sure you db replication is in sync and you checked all
ADDC Db's.
So are you saying this is a DC problem even though the errors only occur on a
member server?

Regards,

-- 
Tom			me at tdiehl.org
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom
>> Diehl via samba
>> Verzonden: donderdag 12 oktober 2017 7:01
>> Aan: samba at lists.samba.org
>> Onderwerp: [Samba] Samba 4.6.2 member server errors
>>
>> Hi,
>>
>> I have 2 samba AD DC's running 4.7.0 and 2 member servers
>> running 4.6.2.
>>
>> Everything seems to be working OK except that I see the
>> following errors
>> over and over again in the winbind log on one of the member servers:
>>
>> [2017/10/12 00:53:52.351095,  2]
>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>    check_pac_checksum: PAC Verification failed: Decrypt
>> integrity check failed (-1765328353)
>> [2017/10/12 00:53:52.871160,  2]
>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>    check_pac_checksum: PAC Verification failed: Decrypt
>> integrity check failed (-1765328353)
>> [2017/10/12 00:53:54.588468,  2]
>> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>    check_pac_checksum: PAC Verification failed: Decrypt
>> integrity check failed (-1765328353)
>>
>> Can someone tell me what this means and if I should
>> troubleshoot this further?
>>
>> My Google foo has not been helpful.

L.P.H. van Belle

2017-Oct-13 09:45 UTC

head link

[Samba] Samba 4.6.2 member server errors

Hai, 

I'll explain a bit. 
> -----Oorspronkelijk bericht-----
> Van: me at tdiehl.org [mailto:me at tdiehl.org] 
> Verzonden: donderdag 12 oktober 2017 19:15
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba 4.6.2 member server errors
> 
> Hi Louis,
> 
> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
> 
> > Hai,
> >
> > You googled with the wrong words i think.
> 
> I have no problem believing that. :-)
> 
> > 1 search, 6 words. 4e link and 5e link, for explanation and 
> solution.  ;-)
> > Based on your question, what i experianced and what i found 
> with google.
> >
> > https://support.oneidentity.com/authentication-services/kb/92515
> > Dont look at the product here, but its an exact match on 
> the error code.
> > They say, source of the problem is AD out of sync.
> >
> > And now im thinking, i had such a problem also due to an 
> out of sync AD database.
> > Here/how the out of sync happend i never found out.
> > Can you check if you DC's are in sync?
> >
> > The other i found
> > 
> https://groups.google.com/forum/#!topic/comp.protocols.kerbero
> s/g-s76WeWyUU
> > Is a problem in the keytab files, and, i did replace my 
> keytab file, which solved 90% of my problem.
> > The 10% left over problem, a nfs keytab caching related 
> thing, only involved my user account, so low prio for me.
> > Here the solution is to replace all keytab files. I did 
> only the member server.
> > And that verifies it to me.
> 
> I appreciate the information but I am confused. The above 
> articles talk about this
> being a krb5.keytab issue. This is confusing to me because 
> the errors occur on a
> Samba AD member server not either of the DC's.Ok, im not a star in explaining in english.  

Look at this picture. That shows how kerberos tickets works. 
https://i-technet.sec.s-msft.com/dynimg/IC195542.gif 
( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx ) 


Now look at this one
https://i-technet.sec.s-msft.com/dynimg/IC195551.gif 
Thats the user/computer login. 
And if im correct, you problem is the systemkey on the member. 
Due to somehow, an out of sync password in AD and the member server.
> 
> There is no keytab on the member servers.Ok, can you post your smb.conf 
Because without it is a guessing game as of this point. 
> 
> I do not know if it matters but all of the machines are 
> Centos 7.4. The DC's are
> compiled from source using the 4.7.0 tarball but the member 
> servers are using the
> 4.6.2-11 rpms supplied with Centos 7.4.
> 
> > So i dont have an exact solution, only one big advice,
> > if you upgrade make sure you db replication is in sync and 
> you checked all ADDC Db's.
> 
> So are you saying this is a DC problem even though the errors 
> only occur on a  member server?
Yes, that is possible, but i cannot determin that yet. 
And Centos is not really my things. 
But there are multiple Centos users on the list, so lets hope they are reading
this also.
> 
> Regards,
> 
> -- 
> Tom			me at tdiehl.org
> 
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom
> >> Diehl via samba
> >> Verzonden: donderdag 12 oktober 2017 7:01
> >> Aan: samba at lists.samba.org
> >> Onderwerp: [Samba] Samba 4.6.2 member server errors
> >>
> >> Hi,
> >>
> >> I have 2 samba AD DC's running 4.7.0 and 2 member servers
> >> running 4.6.2.
> >>
> >> Everything seems to be working OK except that I see the
> >> following errors
> >> over and over again in the winbind log on one of the 
> member servers:
> >>
> >> [2017/10/12 00:53:52.351095,  2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>    check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >> [2017/10/12 00:53:52.871160,  2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>    check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >> [2017/10/12 00:53:54.588468,  2]
> >> ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>    check_pac_checksum: PAC Verification failed: Decrypt
> >> integrity check failed (-1765328353)
> >>
> >> Can someone tell me what this means and if I should
> >> troubleshoot this further?
> >>
> >> My Google foo has not been helpful.
> 
>

Apparently Analagous Threads

Search for more possibly parallel threads

samba - Oct 2017 - Samba 4.6.2 member server errors

[Samba] Samba 4.6.2 member server errors

[Samba] Samba 4.6.2 member server errors

[Samba] Samba 4.6.2 member server errors

[Samba] Samba 4.6.2 member server errors

Apparently Analagous Threads