Hi Louis, it happens on the AC-DC nodes on Debian 10, running with BIND9_DLZ backend... dpkg -l |grep bind9 ii bind9 1:9.11.5.P4+dfsg-5.1 amd64 Internet Domain Name Server ii bind9-host 1:9.11.5.P4+dfsg-5.1 amd64 DNS lookup utility (deprecated) ii bind9utils 1:9.11.5.P4+dfsg-5.1 amd64 Utilities for BIND ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 amd64 BIND9 Shared Library used by BIND smb.conf: # Global parameters [global] netbios name = DC3 realm = AD.EXAMPLE.NET server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = AD interfaces = IP bind interfaces only = yes load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes log level = 1 auth_audit:2@/var/log/samba/auth-audit.log ldap server require strong auth = no tls verify peer = no_check tls enabled = yes tls keyfile = /path/key.pem tls certfile = /path/fullcert.pem tls cafile = /etc/ssl/certs/ca-certificates.crt [sysvol] path = /var/lib/samba/sysvol read only = yes [netlogon] path = /var/lib/samba/sysvol/ad.example.net/scripts read only = yes Best regards Daniel Am Mittwoch, den 22.04.2020 um 14:40 schrieb L.P.H. van Belle via samba:> Hai, > > I might be handy to tell us a bit more. > > Like AD-DC or member. > content smb.conf ? > If AD-DC, are you running with or without bind. > with bind? show : dpkg -l |grep bind9 > > Greetz, > > Louis > > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von > > Obernitz, Daniel via samba > > Verzonden: woensdag 22 april 2020 14:18 > > Aan: samba at lists.samba.org > > Onderwerp: [Samba] pad length mismatch error message > > > > Hi, > > > > I found the following error message in the log.samba: > > > > [2020/04/20 16:32:33.168921, 1] > > ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer) > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length > > mismatch. Calculated 44 got 0 > > > > It happens on all nodes on different times, but unfortunately > > I have no specific situation or action which causes this. > > > > We are currently using Samba version 4.12.1-SerNet-Debian-5.buster. > > > > Do you have any idea what could cause this so I can try to > > replicate it? > > > > Best regards > > Daniel > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6098 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20200422/751fe459/smime.bin>
On Wed, 2020-04-22 at 14:49 +0200, von Obernitz, Daniel via samba wrote:> Hi Louis, > > it happens on the AC-DC nodes on Debian 10, running with BIND9_DLZ > backend...> > > -----Oorspronkelijk bericht----- > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von > > > Obernitz, Daniel via samba > > > Verzonden: woensdag 22 april 2020 14:18 > > > Aan: samba at lists.samba.org > > > Onderwerp: [Samba] pad length mismatch error message > > > > > > Hi, > > > > > > I found the following error message in the log.samba: > > > > > > [2020/04/20 16:32:33.168921, 1] > > > ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer) > > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length > > > mismatch. Calculated 44 got 0 > > > > > > It happens on all nodes on different times, but unfortunately > > > I have no specific situation or action which causes this.Thanks for reporting this. Firstly, don't worry about 'attr' packages or how Bind9 or DNS is configured etc, this is an error in our core RPC server, and not something that is able to be configured (neither at build nor runtime). A client, and we don't include enough information in the message as to which, so you will need to turn up the log level, is sending an RPC packet that we don't like the end of. In particular, we expected 44 bytes of authentication trailer (the authentication data in RPC is not in a header, but a trailer at the end of the packet), probably enough to contain the signature for the packet, but the client sent nothing. We need to work out why that was, and if it matters.> > > We are currently using Samba version 4.12.1-SerNet-Debian- > > > 5.buster.Thanks. This may have been caused by a recent rework of our RPC server.> > > Do you have any idea what could cause this so I can try to > > > replicate it? > > > > > > Best regards > > > Daniel > > >Once you work out what client is changing this, then send me a network capture and matching Samba log (use "debug hires timestamp = Yes", "log level = 4") and I'll add it to my backlog to look into. If you are able to trigger it on demand, and have time, please do confirm if this is Samba 4.12 regression by trying Samba 4.11. Thanks for reporting this and I hope we can figure it out together. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Hi Andrew,> Thanks for reporting this. Firstly, don't worry about 'attr' packages > or how Bind9 or DNS is configured etc, this is an error in our core RPC > server, and not something that is able to be configured (neither at > build nor runtime). > > A client, and we don't include enough information in the message as to > which, so you will need to turn up the log level, is sending an RPC > packet that we don't like the end of. > > In particular, we expected 44 bytes of authentication trailer (the > authentication data in RPC is not in a header, but a trailer at the end > of the packet), probably enough to contain the signature for the > packet, but the client sent nothing. > > We need to work out why that was, and if it matters. >Thanks for the clarification and explanation what's causing this in general. I will keep monitoring and looking for the client to replicate it.> Once you work out what client is changing this, then send me a network > capture and matching Samba log (use "debug hires timestamp = Yes", "log > level = 4") and I'll add it to my backlog to look into. If you are > able to trigger it on demand, and have time, please do confirm if this > is Samba 4.12 regression by trying Samba 4.11.We have updated to Samba 4.12. last friday and I checked the old logs before that. The error message also appeared with Samba 4.11, which we had before. Best regards Daniel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6098 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20200423/659c06e1/smime.bin>