Hai,

I'll explain a bit.

> -----Original Message-----
> From: me at tdiehl.org [mailto:me at tdiehl.org]
> Sent: Thursday 12 October 2017 19:15
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.6.2 member server errors
>
> Hi Louis,
>
> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
>
> > Hai,
> >
> > You googled with the wrong words I think.
>
> I have no problem believing that. :-)
>
> > 1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
> > Based on your question, what I experienced and what I found with google.
> >
> > https://support.oneidentity.com/authentication-services/kb/92515
> > Don't look at the product here, but it's an exact match on the error code.
> > They say, source of the problem is AD out of sync.
> >
> > And now I'm thinking, I had such a problem also due to an out of sync AD database.
> > Here/how the out of sync happened I never found out.
> > Can you check if your DC's are in sync?
> >
> > The other I found
> > https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
> > Is a problem in the keytab files, and, I did replace my keytab file, which solved 90% of my problem.
> > The 10% left over problem, an nfs keytab caching related thing, only involved my user account, so low prio for me.
> > Here the solution is to replace all keytab files. I did only the member server.
> > And that verifies it to me.
>
> I appreciate the information but I am confused. The above articles talk about this
> being a krb5.keytab issue. This is confusing to me because the errors occur on a
> Samba AD member server not either of the DC's.

Ok, I'm not a star in explaining in English.
Look at this picture. That shows how Kerberos tickets work.
https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )

Now look at this one
https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
That's the user/computer login.
And if I'm correct, your problem is the systemkey on the member.
Due to somehow, an out of sync password in AD and the member server.

> There is no keytab on the member servers.

Ok, can you post your smb.conf
Because without it is a guessing game as of this point.

> I do not know if it matters but all of the machines are Centos 7.4. The DC's are
> compiled from source using the 4.7.0 tarball but the member servers are using the
> 4.6.2-11 rpms supplied with Centos 7.4.
>
> > So I don't have an exact solution, only one big advice,
> > if you upgrade make sure your db replication is in sync and you checked all ADDC Db's.
>
> So are you saying this is a DC problem even though the errors only occur on a member server?

Yes, that is possible, but I cannot determine that yet.
And Centos is not really my thing.
But there are multiple Centos users on the list, so let's hope they are reading this also.

> Regards,
>
> --
> Tom me at tdiehl.org
>
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom Diehl via samba
> >> Sent: Thursday 12 October 2017 7:01
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Samba 4.6.2 member server errors
> >>
> >> Hi,
> >>
> >> I have 2 samba AD DC's running 4.7.0 and 2 member servers running 4.6.2.
> >>
> >> Everything seems to be working OK except that I see the following errors
> >> over and over again in the winbind log on one of the member servers:
> >>
> >> [2017/10/12 00:53:52.351095, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
> >> [2017/10/12 00:53:52.871160, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
> >> [2017/10/12 00:53:54.588468, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
> >>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
> >>
> >> Can someone tell me what this means and if I should troubleshoot this further?
> >>
> >> My Google foo has not been helpful.
On Fri, 13 Oct 2017 11:45:43 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> I'll explain a bit.
>
> > There is no keytab on the member servers.

Oh yes there is ;-)

You only need an explicit keytab if something else requires it e.g.
squid, Samba uses a keytab in memory.

> Ok, can you post your smb.conf
> Because without it is a guessing game as of this point.

It always helps if the smb.conf is posted.

Rowland
Hi,

On Fri, 13 Oct 2017, L.P.H. van Belle via samba wrote:

> Hai,
>
> I'll explain a bit.
>
>> -----Original Message-----
>> From: me at tdiehl.org [mailto:me at tdiehl.org]
>> Sent: Thursday 12 October 2017 19:15
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.6.2 member server errors
>>
>> Hi Louis,
>>
>> On Thu, 12 Oct 2017, L.P.H. van Belle via samba wrote:
>>
>>> Hai,
>>>
>>> You googled with the wrong words I think.
>>
>> I have no problem believing that. :-)
>>
>>> 1 search, 6 words. 4th link and 5th link, for explanation and solution. ;-)
>>> Based on your question, what I experienced and what I found with google.
>>>
>>> https://support.oneidentity.com/authentication-services/kb/92515
>>> Don't look at the product here, but it's an exact match on the error code.
>>> They say, source of the problem is AD out of sync.
>>>
>>> And now I'm thinking, I had such a problem also due to an out of sync AD database.
>>> Here/how the out of sync happened I never found out.
>>> Can you check if your DC's are in sync?
>>>
>>> The other I found
>>> https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU
>>> Is a problem in the keytab files, and, I did replace my keytab file, which solved 90% of my problem.
>>> The 10% left over problem, an nfs keytab caching related thing, only involved my user account, so low prio for me.
>>> Here the solution is to replace all keytab files. I did only the member server.
>>> And that verifies it to me.
>>
>> I appreciate the information but I am confused. The above articles talk about this
>> being a krb5.keytab issue. This is confusing to me because the errors occur on a
>> Samba AD member server not either of the DC's.
>
> Ok, I'm not a star in explaining in English.

You do OK with English, I just do not understand Kerberos. :-)

> Look at this picture. That shows how Kerberos tickets work.
> https://i-technet.sec.s-msft.com/dynimg/IC195542.gif
> ( from https://technet.microsoft.com/nl-nl/library/cc772815(v=ws.10).aspx )
>
> Now look at this one
> https://i-technet.sec.s-msft.com/dynimg/IC195551.gif
> That's the user/computer login.
> And if I'm correct, your problem is the systemkey on the member.
> Due to somehow, an out of sync password in AD and the member server.

You might be correct. I just noticed that the AD administrator's password had expired.
I went into AD and set it to never expire so I was able to login again. I am wondering
if that has anything to do with this problem?

If you are correct, how do I get the systemkey on the member server back in sync with AD?

>> There is no keytab on the member servers.
>
> Ok, can you post your smb.conf
> Because without it is a guessing game as of this point.

Sorry for not doing that from the beginning. Here it is:

[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.MYDOMAIN.com.COM
        winbind use default domain = yes
        winbind expand groups = 4
        winbind refresh tickets = Yes
        winbind offline logon = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:unix_nss_info = yes
        idmap config SAMDOM:range = 10000-999999
        domain master = no
        local master = no
        preferred master = no
        os level = 20
        map to guest = bad user
        host msdfs = no
        username map = /etc/samba/user.map
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        unix extensions = no
        reset on zero vc = yes
        veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
        hide unreadable = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        log file = /var/log/samba/%m.log
        log level = 2
        deadtime = 5

[accounting]
        comment = Accounting Share
        path = /home/samba/accounting
        readonly = no

There are other shares but they are all configured the same way as above.

Regards,

--
Tom me at tdiehl.org

>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom Diehl via samba
>>>> Sent: Thursday 12 October 2017 7:01
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Samba 4.6.2 member server errors
>>>>
>>>> Hi,
>>>>
>>>> I have 2 samba AD DC's running 4.7.0 and 2 member servers running 4.6.2.
>>>>
>>>> Everything seems to be working OK except that I see the following errors
>>>> over and over again in the winbind log on one of the member servers:
>>>>
>>>> [2017/10/12 00:53:52.351095, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
>>>> [2017/10/12 00:53:52.871160, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
>>>> [2017/10/12 00:53:54.588468, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>>>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
>>>>
>>>> Can someone tell me what this means and if I should troubleshoot this further?
>>>>
>>>> My Google foo has not been helpful.
On Fri, 13 Oct 2017, Rowland Penny via samba wrote:

> On Fri, 13 Oct 2017 11:45:43 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> Hai,
>>
>> I'll explain a bit.
>>
>>> There is no keytab on the member servers.
>
> Oh yes there is ;-)

Seems reasonable. :-)

> You only need an explicit keytab if something else requires it e.g.
> squid, Samba uses a keytab in memory.

OK, please educate me, how do I reset it? I tried restarting everything and even
re-joining the member server to the domain. No joy. I am obviously missing something.

>
>> Ok, can you post your smb.conf
>> Because without it is a guessing game as of this point.
>
> It always helps if the smb.conf is posted.

I already sent it in reply to Louis's request. If you need it again let me know.

Also in case it is useful below is what I have in /etc/krb5.conf:

[libdefaults]
        default_realm = SAMDOM.MYDOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

The weird thing about all of this is everything is working. Other than the log messages,
the only thing not normal is that winbind is constantly running which has the machine's
load higher than normal.

Regards,

--
Tom me at tdiehl.org
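Added example, not code from this thread or from the Samba project: a small POSIX shell triage script that ties together the winbind log lines in Tom's original report and the diagnosis discussed in the replies (Louis: the machine-account password on the member is out of sync with AD; Rowland: the member keeps its keytab in memory, so there is no file to inspect). It first counts the "PAC Verification failed" lines per Kerberos error code and names the code; -1765328353 is KRB5KRB_AP_ERR_BAD_INTEGRITY, 31 above the krb5 error-table base, which is where the "Decrypt integrity check failed" text in the log comes from. It then runs, only where the Samba tools are installed, the checks that separate a stale secret on the member from a replication problem on the DCs. The commands wbinfo -t, net ads testjoin and samba-tool drs showrepl are real Samba tools; the sample log lines, the temporary file and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Triage for repeated
# "check_pac_checksum: PAC Verification failed" lines in a Samba member
# server's winbind log: count them per krb5 error code, name the code, and
# run the member-side trust checks when the Samba tools are available.

# Base of the krb5 error table (ERROR_TABLE_BASE_krb5); codes are base + index.
KRB5_ERROR_TABLE_BASE=-1765328384

# Symbolic name for a krb5 error code. Only the two codes relevant to PAC
# verification are named; anything else is reported by its table offset.
krb5_error_name() {
    case "$1" in
        -1765328353) echo "KRB5KRB_AP_ERR_BAD_INTEGRITY (Decrypt integrity check failed)" ;;
        -1765328352) echo "KRB5KRB_AP_ERR_TKT_EXPIRED (Ticket expired)" ;;
        *) echo "unnamed krb5 error $1 (offset $(( $1 - KRB5_ERROR_TABLE_BASE )))" ;;
    esac
}

# Print "<count> <errcode>" for every distinct error code found in
# "PAC Verification failed: ... (<errcode>)" lines of the given log file.
count_pac_failures() {
    sed -n 's/.*PAC Verification failed: .*(\(-\{0,1\}[0-9]\{1,\}\))[[:space:]]*$/\1/p' "$1" \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# One human-readable line per error code seen in the log.
summarize_pac_failures() {
    count_pac_failures "$1" | while read -r count code; do
        echo "$count x $code: $(krb5_error_name "$code")"
    done
}

# Live checks, skipped when the tools are absent (so the script also runs on
# a workstation). What each real Samba command tells you:
#   wbinfo -t                winbind validates the member's machine-account
#                            secret against a DC; a failure here is the
#                            "systemkey out of sync" case from the thread
#   net ads testjoin         confirms the domain join is still valid
#   samba-tool drs showrepl  on each DC: is AD replication in sync?
check_member_trust() {
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo -t || echo "winbind cannot validate the machine-account secret"
    else
        echo "wbinfo not installed; skipping trust-secret check"
    fi
    if command -v net >/dev/null 2>&1; then
        net ads testjoin || echo "domain join is not valid"
    else
        echo "net not installed; skipping join check"
    fi
    if command -v samba-tool >/dev/null 2>&1; then
        samba-tool drs showrepl || echo "not a DC; run 'samba-tool drs showrepl' on each DC"
    else
        echo "samba-tool not installed (normal on a member); run 'samba-tool drs showrepl' on each DC"
    fi
}

# Constructed sample in the two-line winbind log layout (header line, then
# message), mirroring the three failures quoted in the thread plus one
# unrelated line that must not be counted.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[2017/10/12 00:53:52.351095,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:52.871160,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:54.588468,  2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/12 00:53:55.000000,  2] ../source3/winbindd/winbindd.c:100(main)
  some unrelated winbind message
EOF

# Usage: ./pac_triage.sh [/var/log/samba/log.winbindd]; without an argument
# the constructed sample above is summarized.
summarize_pac_failures "${1:-$SAMPLE_LOG}"
check_member_trust
```

Read the two halves together: a non-zero count of KRB5KRB_AP_ERR_BAD_INTEGRITY plus a failing wbinfo -t points at the member's own machine-account secret (net ads changetrustpw rotates it against a DC); a clean wbinfo -t and testjoin with the errors continuing is the moment to look at samba-tool drs showrepl on every DC, which is the out-of-sync replication case Louis describes.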