On Mon, 16 Oct 2017, Rowland Penny via samba wrote:
> On Mon, 16 Oct 2017 10:40:44 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Hi Rowland,
>>
>>
>> On Sun, 15 Oct 2017, Rowland Penny via samba wrote:
>>
>>> On Sun, 15 Oct 2017 13:38:13 -0400 (EDT)
>>> me at tdiehl.org wrote:
>>>
>>>> Yes I understand, however, there are 2 things I am concerned about.
>>>>
>>>> When the errors are spewing, winbind never goes to sleep and the
>>>> load on the server runs somewhere between 6-8 constantly (as shown
>>>> by top). Even when there is no one in the office and hence no
>>>> files being served I still see the high load.
>>>>
>>>> When the errors stop (This happens intermittently) winbind will
>>>> sleep and the load settles down to < 1.
>>>>
>>>> The other thing that concerns me is that I am wondering if this is
>>>> an indication that something more serious is about to break. It is
>>>> one thing for me to see things in the background and entirely
>>>> something else for it to impact the users. :-)
>>>>
>>>> Suggestions?
>>>>
>>>> Regards,
>>>>
>>>
>>> If nothing is connecting, then winbind shouldn't be doing much, so
>>> if it is, you need to find out why.
>>>
>>> Check the Samba logs on the DCs, is there anything relevant showing
>>> at the time that winbind is overloading on the domain member?
>>> Raise the log levels on the DCs and domain members and see if
>>> anything pops out.
>>
>> I ran the logging up to level 10 on the DCs and the file server.
>> The DCs do not show anything significant, at least not that I can
>> tell. There is so much info there I might be missing something.
>>
>> On the file server I see the following at level 10:
>>
>> [2017/10/16 10:11:21.392833, 6, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
>>   accepted socket 44
>> [2017/10/16 10:11:21.392850, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
>>   process_request: Handling async request 58214:GETPWNAM
>> [2017/10/16 10:11:21.392857, 3, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>   getpwnam kmg\mb-shop9-17$
>> [2017/10/16 10:11:21.392868, 1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>>   wbint_LookupName: struct wbint_LookupName
>>     in: struct wbint_LookupName
>>       domain : *
>>         domain : 'KMG'
>>       name : *
>>         name : 'MB-SHOP9-17$'
>>       flags : 0x00000008 (8)
>> [2017/10/16 10:11:21.392899, 1, pid=1440, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
>>   wbint_LookupName: struct wbint_LookupName
>>     out: struct wbint_LookupName
>>       type : *
>>         type : SID_NAME_USER (1)
>>       sid : *
>>         sid : S-1-5-21-3052942767-4183929206-737583365-1617
>>       result : NT_STATUS_OK
>> [2017/10/16 10:11:21.392926, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
>>   SID 0: S-1-5-21-3052942767-4183929206-737583365-1617
>> [2017/10/16 10:11:21.392939, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
>>   Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: value=[-1:N]
>> [2017/10/16 10:11:21.392946, 10, pid=1440, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
>>   Parsing value for key [IDMAP/SID2XID/S-1-5-21-3052942767-4183929206-737583365-1617]: id=[4294967295], endptr=[:N]
>> [2017/10/16 10:11:21.392955, 5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>   Could not convert sid S-1-5-21-3052942767-4183929206-737583365-1617: NT_STATUS_NO_SUCH_USER
>> [2017/10/16 10:11:21.392963, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
>>   wb_request_done[58214:GETPWNAM]: NT_STATUS_NO_SUCH_USER
>> [2017/10/16 10:11:21.392982, 10, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
>>   process_request: Handling async request 58217:PAM_AUTH_CRAP
>> [2017/10/16 10:11:21.912764, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912829, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912865, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912935, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.912976, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913011, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913047, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913079, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913124, 2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
>>   check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
>> [2017/10/16 10:11:21.913139, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Decrypt integrity check failed
>> [2017/10/16 10:11:21.913203, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913243, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913281, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913316, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913353, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913392, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913431, 5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
>>   PAC Decode: Failed to verify the service signature: Invalid argument
>> [2017/10/16 10:11:21.913475, 3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
>>   Found account name from PAC: MB-RECEPTION-17$ []
>>
>> I do not know if it is important or not but these machines were just
>> joined to the domain within the last week or so.
>>
>> I see many of these for different machines.
>>
>> Please let me know what you think.
>>
>> Regards,
>>
>>
>
> It seems to be treating computers as users (I could be barking up the
> wrong tree here), can you post the contents
> of /etc/hosts, /etc/hostname, /etc/resolv.conf and /etc/nsswitch.conf
> from the domain member?

Here you go:

(vfs1 pts6) # cat /etc/resolv.conf
search kmg.mydomain.com mydomain.com
nameserver 172.30.0.7
nameserver 10.224.135.7
(vfs1 pts6) #

The 2 name server IP addresses are the 2 DCs.

(vfs1 pts6) # cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
172.30.0.8 vfs1.kmg.mydomain.com vfs1
(vfs1 pts6) #

(vfs1 pts6) # cat /etc/hostname
vfs1.kmg.mydomain.com
(vfs1 pts6) #

(vfs1 pts6) # cat /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
(vfs1 pts6) #

Sorry for the delay getting back to you. I was out for a few days.

Regards,
--
Tom me at tdiehl.org
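
An added example (not part of the original message, and not Samba project code): a small Python script that splits a level-10 winbindd log into entries and tallies the two patterns visible in the excerpt above, PAC verification failures and getpwnam lookups for machine accounts that end in NT_STATUS_NO_SUCH_USER. The sample log is constructed in the on-disk layout; its account names and SID are made up, and pairing each reply with the latest request is a simplifying assumption.

```python
import re
from collections import Counter

# Header of one Samba debug entry: [timestamp, level, pid=..., ...] file:line(function)
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+),[^\]]*\]\s+\S+?:\d+\((\w+)\)")

def parse_entries(text):
    """Yield (timestamp, level, function, message); splits on headers, not newlines."""
    heads = list(HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield m[1], int(m[2]), m[3], " ".join(text[m.end():end].split())

def summarize(text):
    """Tally PAC verification failures and failed machine-account lookups."""
    pac_failures, failed_machines, pac_accounts = Counter(), Counter(), set()
    pending = None  # simplification: the next getpwnam_recv answers the latest send
    for _ts, _level, func, msg in parse_entries(text):
        if func == "winbindd_getpwnam_send":
            pending = msg.split()[-1] if msg else None
        elif func == "winbindd_getpwnam_recv" and "NT_STATUS_NO_SUCH_USER" in msg:
            if pending and pending.endswith("$"):  # trailing $ marks a machine account
                failed_machines[pending] += 1
            pending = None
        elif func in ("kerberos_decode_pac", "check_pac_checksum"):
            if "failed" in msg.lower():
                pac_failures[msg] += 1
            elif msg.startswith("Found account name from PAC:"):
                pac_accounts.add(msg.split(":", 1)[1].split()[0])
    return pac_failures, failed_machines, pac_accounts

# Constructed sample in the on-disk log layout; account names and SID are made up.
SAMPLE = r"""
[2017/10/16 10:11:21.392857,  3, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam example\ws-01$
[2017/10/16 10:11:21.392955,  5, pid=1440, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-1-2-3-1617: NT_STATUS_NO_SUCH_USER
[2017/10/16 10:11:21.912764,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.912829,  5, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:347(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2017/10/16 10:11:21.913124,  2, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/10/16 10:11:21.913475,  3, pid=1440, effective(0, 0), real(0, 0)] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: WS-02$ []
"""
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To use it on a real log, pass the file's contents to summarize() in place of SAMPLE.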