On 2017-12-04 at 18:07, Stefan G. Weichinger via samba wrote:
> On 12/04/2017 02:15 PM, Rowland Penny via samba wrote:
>
>> Possibly, if, by using the old config, Samba is ignoring the 'idmap
>> config DOMAIN' lines and putting everything into the '*' domain, then
>> you may (probably would) have more than your original set up allowed.
>> If this fixes it, you have found another bug ;-)
>> It should work with the old lines.
>
> I now changed that parameter, edited the range down to 2000-2999 again
> and restarted services. We can connect OK, fine. We test some things now.
>
> Can I somehow check how many of those IDs are used right now?
> Somehow monitor if this change fixed it?
>
> Last time it took a week to crash again, I would prefer to be able to
> know things earlier.

The DM gave up again today. No more gid-related stuff inside the logs,
had to kill the daemons to get the shares up again.

I increased loglevel to 2 and see in

# tail winbindd.log
[2017/12/06 13:12:50.216478, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/12/06 13:12:50.216523, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2017/12/06 13:12:50.216566, 2] ../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)

This is a Gentoo Linux DM, and their samba-ebuild pulls in mit-krb5 for
samba by default.

Unfortunately that mit-krb5 package is still at 1.14.2 while 1.15.2 is
available.

I assume I should upgrade that and reinstall samba-4.6.11 after?

Could it somehow be the case that the kerberos-ticket between DM and DC
runs out after X hours or so?

Just guessing ...

I also consider downgrading samba to 4.5.15. At another site with about
the same setup we don't face any problems.

Stefan