samba - Jun 2023 - winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently

Hi,
I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
required the Samba version to be upgraded from 4.7.6 to 4.15.13.
Post the upgrade, winbind authentication fails
with  NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
restarting the smb service but comes back after some time. There were no
isses with the setup before the upgrade.
Tried clearing the cached tdb files as well but the issue still come back
after some time.

Logs (replaced domain, username and workstation values):
[2023/05/31 17:00:23.634152, 3]
../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
Got user=[<user>] domain=[<domain>]
workstation=[<workstation>] len1=24
len2=262
[2023/05/31 17:00:23.634173, 5]
../../source3/auth/auth_util.c:123(make_user_info_map)
Mapping user [<domain>]\[<user>] from workstation
[<workstation>]
[2023/05/31 17:00:23.634179, 5]
../../source3/auth/user_info.c:64(make_user_info)
attempting to make a user_info for <user> (<user>)
[2023/05/31 17:00:23.634184, 5]
../../source3/auth/user_info.c:72(make_user_info)
making strings for <user>'s user_info struct
[2023/05/31 17:00:23.634192, 5]
../../source3/auth/user_info.c:117(make_user_info)
making blobs for <user>'s user_info struct
[2023/05/31 17:00:23.634198, 3]
../../source3/auth/auth.c:200(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[<domain>]\[<user>]@[<workstation>] with the new password
interface
[2023/05/31 17:00:23.634204, 3]
../../source3/auth/auth.c:203(auth_check_ntlm_password)
check_ntlm_password: mapped user is:
[<domain>]\[<user>]@[<workstation>]
[2023/05/31 17:00:23.634209, 5] ../../lib/util/util.c:722(dump_data)
[0000] F6 7D 2D B1 0B 86 57 D7 .}-...W.
[2023/05/31 17:00:23.634224, 4]
../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2023/05/31 17:00:23.634235, 4] ../../source3/smbd/uid.c:561(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2023/05/31 17:00:23.634240, 4]
../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2023/05/31 17:00:23.634245, 5]
../../libcli/security/security_token.c:52(security_token_debug)
Security token: (NULL)
[2023/05/31 17:00:23.634249, 5]
../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2023/05/31 17:00:23.639376, 4]
../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2023/05/31 17:00:23.639388, 5]
../../source3/auth/auth.c:258(auth_check_ntlm_password)
auth_check_ntlm_password: winbind authentication for user [<user>] FAILED
with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
[2023/05/31 17:00:23.639406, 2]
../../source3/auth/auth.c:344(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [<user>] -> [<user>]
FAILED
with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
[2023/05/31 17:00:23.639427, 2]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [<domain>]\[<user>] at [Wed, 31 May 2023
17:00:23.639416 UTC] with [NTLMv2] status [NT_STATUS_RPC_SEC_PKG_ERROR]
workstation [<workstation>] remote host [ipv4:127.0.0.1:41710] mapped to
[<domain>]\[<user>]. local host [ipv4:127.0.0.138:1445]
{"timestamp": "2023-05-31T17:00:23.639487+0000",
"type": "Authentication",
"Authentication": {"version": {"major": 1,
"minor": 2}, "eventId": 4625,
"logonId": "0", "logonType": 3,
"status": "NT_STATUS_RPC_SEC_PKG_ERROR",
"localAddress": "ipv4:127.0.0.138:1445",
"remoteAddress": "ipv4:
127.0.0.1:41710", "serviceDescription": "SMB2",
"authDescription": null,
"clientDomain": "<domain>", "clientAccount":
"<user>", "workstation":
"<workstation>", "becameAccount": null,
"becameDomain": null, "becameSid":
null, "mappedAccount": "<user>",
"mappedDomain": "<domain>",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration":
6683}}
[2023/05/31 17:00:23.639520, 5]
../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
auth3_check_password_send: Checking NTLMSSP password for
<domain>\<user>
failed: NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
[2023/05/31 17:00:23.639533, 4]
../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2023/05/31 17:00:23.639547, 5]
../../auth/ntlmssp/ntlmssp_server.c:813(ntlmssp_server_auth_done)
ntlmssp_server_auth_done: Checking NTLMSSP password for
<domain>\<user>
failed: NT_STATUS_RPC_SEC_PKG_ERROR
[2023/05/31 17:00:23.639556, 5]
../../auth/gensec/gensec.c:534(gensec_update_done)
gensec_update_done: ntlmssp[0x55b8d9521400]: NT_STATUS_RPC_SEC_PKG_ERROR
[2023/05/31 17:00:23.639564, 3]
../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step)
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
NT_STATUS_RPC_SEC_PKG_ERROR
[2023/05/31 17:00:23.639571, 5]
../../auth/gensec/gensec.c:534(gensec_update_done)
gensec_update_done: spnego[0x55b8d94e1fd0]: NT_STATUS_RPC_SEC_PKG_ERROR


Below is the configuration:
security = ads
server role = member server
auth methods = winbind
idmap config * : backend = tdb
idmap config * : range = 10000-24999999
winbind enum users = yes
winbind enum groups = yes
usershare allow guests = no
map untrusted to domain = Yes
allow trusted domains = no

On 01/06/2023 22:51, Bharath Bheemarasetti via samba
wrote:
> Hi,
> I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
> Post the upgrade, winbind authentication fails
> with  NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
> restarting the smb service but comes back after some time. There were no
> isses with the setup before the upgrade.
> Tried clearing the cached tdb files as well but the issue still come back
> after some time.
> 
> Logs (replaced domain, username and workstation values):
> [2023/05/31 17:00:23.634152, 3]
> ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
> Got user=[<user>] domain=[<domain>]
workstation=[<workstation>] len1=24
> len2=262
> [2023/05/31 17:00:23.634173, 5]
> ../../source3/auth/auth_util.c:123(make_user_info_map)
> Mapping user [<domain>]\[<user>] from workstation
[<workstation>]
> [2023/05/31 17:00:23.634179, 5]
> ../../source3/auth/user_info.c:64(make_user_info)
> attempting to make a user_info for <user> (<user>)
> [2023/05/31 17:00:23.634184, 5]
> ../../source3/auth/user_info.c:72(make_user_info)
> making strings for <user>'s user_info struct
> [2023/05/31 17:00:23.634192, 5]
> ../../source3/auth/user_info.c:117(make_user_info)
> making blobs for <user>'s user_info struct
> [2023/05/31 17:00:23.634198, 3]
> ../../source3/auth/auth.c:200(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [<domain>]\[<user>]@[<workstation>] with the new password
interface
> [2023/05/31 17:00:23.634204, 3]
> ../../source3/auth/auth.c:203(auth_check_ntlm_password)
> check_ntlm_password: mapped user is:
[<domain>]\[<user>]@[<workstation>]
> [2023/05/31 17:00:23.634209, 5] ../../lib/util/util.c:722(dump_data)
> [0000] F6 7D 2D B1 0B 86 57 D7 .}-...W.
> [2023/05/31 17:00:23.634224, 4]
> ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2023/05/31 17:00:23.634235, 4] ../../source3/smbd/uid.c:561(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2023/05/31 17:00:23.634240, 4]
> ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2023/05/31 17:00:23.634245, 5]
> ../../libcli/security/security_token.c:52(security_token_debug)
> Security token: (NULL)
> [2023/05/31 17:00:23.634249, 5]
> ../../source3/auth/token_util.c:873(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2023/05/31 17:00:23.639376, 4]
> ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2023/05/31 17:00:23.639388, 5]
> ../../source3/auth/auth.c:258(auth_check_ntlm_password)
> auth_check_ntlm_password: winbind authentication for user [<user>]
FAILED
> with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
> [2023/05/31 17:00:23.639406, 2]
> ../../source3/auth/auth.c:344(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [<user>] ->
[<user>] FAILED
> with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
> [2023/05/31 17:00:23.639427, 2]
> ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> Auth: [SMB2,(null)] user [<domain>]\[<user>] at [Wed, 31 May
2023
> 17:00:23.639416 UTC] with [NTLMv2] status [NT_STATUS_RPC_SEC_PKG_ERROR]
> workstation [<workstation>] remote host [ipv4:127.0.0.1:41710] mapped
to
> [<domain>]\[<user>]. local host [ipv4:127.0.0.138:1445]
> {"timestamp": "2023-05-31T17:00:23.639487+0000",
"type": "Authentication",
> "Authentication": {"version": {"major": 1,
"minor": 2}, "eventId": 4625,
> "logonId": "0", "logonType": 3,
"status": "NT_STATUS_RPC_SEC_PKG_ERROR",
> "localAddress": "ipv4:127.0.0.138:1445",
"remoteAddress": "ipv4:
> 127.0.0.1:41710", "serviceDescription": "SMB2",
"authDescription": null,
> "clientDomain": "<domain>",
"clientAccount": "<user>", "workstation":
> "<workstation>", "becameAccount": null,
"becameDomain": null, "becameSid":
> null, "mappedAccount": "<user>",
"mappedDomain": "<domain>",
> "netlogonComputer": null, "netlogonTrustAccount": null,
> "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
> "netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration":
> 6683}}
> [2023/05/31 17:00:23.639520, 5]
> ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
> auth3_check_password_send: Checking NTLMSSP password for
<domain>\<user>
> failed: NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
> [2023/05/31 17:00:23.639533, 4]
> ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2023/05/31 17:00:23.639547, 5]
> ../../auth/ntlmssp/ntlmssp_server.c:813(ntlmssp_server_auth_done)
> ntlmssp_server_auth_done: Checking NTLMSSP password for
<domain>\<user>
> failed: NT_STATUS_RPC_SEC_PKG_ERROR
> [2023/05/31 17:00:23.639556, 5]
> ../../auth/gensec/gensec.c:534(gensec_update_done)
> gensec_update_done: ntlmssp[0x55b8d9521400]: NT_STATUS_RPC_SEC_PKG_ERROR
> [2023/05/31 17:00:23.639564, 3]
> ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step)
> gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
> NT_STATUS_RPC_SEC_PKG_ERROR
> [2023/05/31 17:00:23.639571, 5]
> ../../auth/gensec/gensec.c:534(gensec_update_done)
> gensec_update_done: spnego[0x55b8d94e1fd0]: NT_STATUS_RPC_SEC_PKG_ERROR
> 
> 
> Below is the configuration:
> security = ads
> server role = member server
> auth methods = winbind
> idmap config * : backend = tdb
> idmap config * : range = 10000-24999999
> winbind enum users = yes
> winbind enum groups = yes
> usershare allow guests = no
> map untrusted to domain = Yes
> allow trusted domains = no
A couple of things possible, from 4.8.0 winbind must be running and your 
smb.conf is, to be blunt, rubbish. You need to set the workgroup, you 
need to have idmap config lines for the workgroup, the 'winbind enum' 
lines only slow things down and 'map untrusted to domain' has been
removed.

It might help if you started by reading this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and then follow one of the pages it links to.

Rowland

A couple of things possible, from 4.8.0 winbind must be running and your
smb.conf is, to be blunt, rubbish. You need to set the workgroup, you
need to have idmap config lines for the workgroup, the 'winbind enum'
lines only slow things down and 'map untrusted to domain' has been
removed.

Winbind is running and the workgroup was set as well. I omitted some
lines from the smb.conf shared previously as I wasn't sure if they
were relevant or not. I've added the full content below. Also share is
being accessed by a windows client which is part of the domain and it
does work fine for a few hours after restarting the smbd and winbind
services. Does 'winbind enum' have any relation to that?

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#WINBINDENUMUSERS
mentions turning off 'winbind enum' can cause some problems

*Configuration:*

netbios name = clustF994DF
realm = <domain>

bind interfaces only = yes
interfaces = 127.0.0.138 lo:138

workgroup = <workgroup>
security = ads
server role = member server

auth methods = winbind

idmap config * : backend = tdb
idmap config * : range = 10000-24999999

winbind enum users = yes
winbind enum groups = yes
usershare allow guests = no

map untrusted to domain = Yes
allow trusted domains = no
server string = %h
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
smb ports = 1445
pid directory = /var/run/samba

server min protocol = SMB2
strict sync = yes
sync always = no

smb encrypt = auto

aio read size = 1
aio write size = 1

smb2 max read = 1048576
smb2 max write = 1048576
smb2 max trans = 1048576

socket options = TCP_NODELAY SO_RCVBUF=10485760 SO_SNDBUF=10485760

usershare owner only = no

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

machine password timeout = 0

nt acl support = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

log level = 5
max log size = 1000

*Share configuration:*

  path = <path>

  guest ok = no

  writeable = no

  browseable = no

  valid users =
"<domain>\<user>","+<domain>\<user
group>"

  force user = root

On Fri, Jun 2, 2023 at 3:21?AM Bharath Bheemarasetti <
bharath.bheemarasetti at gmail.com> wrote:
> Hi,
> I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
> Post the upgrade, winbind authentication fails
> with  NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
> restarting the smb service but comes back after some time. There were no
> isses with the setup before the upgrade.
> Tried clearing the cached tdb files as well but the issue still come back
> after some time.
> <trimmed the log lines>
>
> Below is the configuration:
> security = ads
> server role = member server
> auth methods = winbind
> idmap config * : backend = tdb
> idmap config * : range = 10000-24999999
> winbind enum users = yes
> winbind enum groups = yes
> usershare allow guests = no
> map untrusted to domain = Yes
> allow trusted domains = no
>