Bharath Bheemarasetti
2023-Jun-01 21:51 UTC
[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
Hi, I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which required the Samba version to be upgraded from 4.7.6 to 4.15.13. Post the upgrade, winbind authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on restarting the smb service but comes back after some time. There were no isses with the setup before the upgrade. Tried clearing the cached tdb files as well but the issue still come back after some time. Logs (replaced domain, username and workstation values): [2023/05/31 17:00:23.634152, 3] ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth) Got user=[<user>] domain=[<domain>] workstation=[<workstation>] len1=24 len2=262 [2023/05/31 17:00:23.634173, 5] ../../source3/auth/auth_util.c:123(make_user_info_map) Mapping user [<domain>]\[<user>] from workstation [<workstation>] [2023/05/31 17:00:23.634179, 5] ../../source3/auth/user_info.c:64(make_user_info) attempting to make a user_info for <user> (<user>) [2023/05/31 17:00:23.634184, 5] ../../source3/auth/user_info.c:72(make_user_info) making strings for <user>'s user_info struct [2023/05/31 17:00:23.634192, 5] ../../source3/auth/user_info.c:117(make_user_info) making blobs for <user>'s user_info struct [2023/05/31 17:00:23.634198, 3] ../../source3/auth/auth.c:200(auth_check_ntlm_password) check_ntlm_password: Checking password for unmapped user [<domain>]\[<user>]@[<workstation>] with the new password interface [2023/05/31 17:00:23.634204, 3] ../../source3/auth/auth.c:203(auth_check_ntlm_password) check_ntlm_password: mapped user is: [<domain>]\[<user>]@[<workstation>] [2023/05/31 17:00:23.634209, 5] ../../lib/util/util.c:722(dump_data) [0000] F6 7D 2D B1 0B 86 57 D7 .}-...W. [2023/05/31 17:00:23.634224, 4] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2023/05/31 17:00:23.634235, 4] ../../source3/smbd/uid.c:561(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 1 [2023/05/31 17:00:23.634240, 4] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2023/05/31 17:00:23.634245, 5] ../../libcli/security/security_token.c:52(security_token_debug) Security token: (NULL) [2023/05/31 17:00:23.634249, 5] ../../source3/auth/token_util.c:873(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2023/05/31 17:00:23.639376, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2023/05/31 17:00:23.639388, 5] ../../source3/auth/auth.c:258(auth_check_ntlm_password) auth_check_ntlm_password: winbind authentication for user [<user>] FAILED with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1 [2023/05/31 17:00:23.639406, 2] ../../source3/auth/auth.c:344(auth_check_ntlm_password) check_ntlm_password: Authentication for user [<user>] -> [<user>] FAILED with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1 [2023/05/31 17:00:23.639427, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [<domain>]\[<user>] at [Wed, 31 May 2023 17:00:23.639416 UTC] with [NTLMv2] status [NT_STATUS_RPC_SEC_PKG_ERROR] workstation [<workstation>] remote host [ipv4:127.0.0.1:41710] mapped to [<domain>]\[<user>]. local host [ipv4:127.0.0.138:1445] {"timestamp": "2023-05-31T17:00:23.639487+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_RPC_SEC_PKG_ERROR", "localAddress": "ipv4:127.0.0.138:1445", "remoteAddress": "ipv4: 127.0.0.1:41710", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "<domain>", "clientAccount": "<user>", "workstation": "<workstation>", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "<user>", "mappedDomain": "<domain>", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 6683}} [2023/05/31 17:00:23.639520, 5] ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send) auth3_check_password_send: Checking NTLMSSP password for <domain>\<user> failed: NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1 [2023/05/31 17:00:23.639533, 4] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2023/05/31 17:00:23.639547, 5] ../../auth/ntlmssp/ntlmssp_server.c:813(ntlmssp_server_auth_done) ntlmssp_server_auth_done: Checking NTLMSSP password for <domain>\<user> failed: NT_STATUS_RPC_SEC_PKG_ERROR [2023/05/31 17:00:23.639556, 5] ../../auth/gensec/gensec.c:534(gensec_update_done) gensec_update_done: ntlmssp[0x55b8d9521400]: NT_STATUS_RPC_SEC_PKG_ERROR [2023/05/31 17:00:23.639564, 3] ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step) gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_RPC_SEC_PKG_ERROR [2023/05/31 17:00:23.639571, 5] ../../auth/gensec/gensec.c:534(gensec_update_done) gensec_update_done: spnego[0x55b8d94e1fd0]: NT_STATUS_RPC_SEC_PKG_ERROR Below is the configuration: security = ads server role = member server auth methods = winbind idmap config * : backend = tdb idmap config * : range = 10000-24999999 winbind enum users = yes winbind enum groups = yes usershare allow guests = no map untrusted to domain = Yes allow trusted domains = no
Rowland Penny
2023-Jun-02 06:40 UTC
[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
On 01/06/2023 22:51, Bharath Bheemarasetti via samba wrote:> Hi, > I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which > required the Samba version to be upgraded from 4.7.6 to 4.15.13. > Post the upgrade, winbind authentication fails > with NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on > restarting the smb service but comes back after some time. There were no > isses with the setup before the upgrade. > Tried clearing the cached tdb files as well but the issue still come back > after some time. > > Logs (replaced domain, username and workstation values): > [2023/05/31 17:00:23.634152, 3] > ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth) > Got user=[<user>] domain=[<domain>] workstation=[<workstation>] len1=24 > len2=262 > [2023/05/31 17:00:23.634173, 5] > ../../source3/auth/auth_util.c:123(make_user_info_map) > Mapping user [<domain>]\[<user>] from workstation [<workstation>] > [2023/05/31 17:00:23.634179, 5] > ../../source3/auth/user_info.c:64(make_user_info) > attempting to make a user_info for <user> (<user>) > [2023/05/31 17:00:23.634184, 5] > ../../source3/auth/user_info.c:72(make_user_info) > making strings for <user>'s user_info struct > [2023/05/31 17:00:23.634192, 5] > ../../source3/auth/user_info.c:117(make_user_info) > making blobs for <user>'s user_info struct > [2023/05/31 17:00:23.634198, 3] > ../../source3/auth/auth.c:200(auth_check_ntlm_password) > check_ntlm_password: Checking password for unmapped user > [<domain>]\[<user>]@[<workstation>] with the new password interface > [2023/05/31 17:00:23.634204, 3] > ../../source3/auth/auth.c:203(auth_check_ntlm_password) > check_ntlm_password: mapped user is: [<domain>]\[<user>]@[<workstation>] > [2023/05/31 17:00:23.634209, 5] ../../lib/util/util.c:722(dump_data) > [0000] F6 7D 2D B1 0B 86 57 D7 .}-...W. > [2023/05/31 17:00:23.634224, 4] > ../../source3/smbd/sec_ctx.c:215(push_sec_ctx) > push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 > [2023/05/31 17:00:23.634235, 4] ../../source3/smbd/uid.c:561(push_conn_ctx) > push_conn_ctx(0) : conn_ctx_stack_ndx = 1 > [2023/05/31 17:00:23.634240, 4] > ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal) > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 > [2023/05/31 17:00:23.634245, 5] > ../../libcli/security/security_token.c:52(security_token_debug) > Security token: (NULL) > [2023/05/31 17:00:23.634249, 5] > ../../source3/auth/token_util.c:873(debug_unix_user_token) > UNIX token of user 0 > Primary group is 0 and contains 0 supplementary groups > [2023/05/31 17:00:23.639376, 4] > ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx) > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 > [2023/05/31 17:00:23.639388, 5] > ../../source3/auth/auth.c:258(auth_check_ntlm_password) > auth_check_ntlm_password: winbind authentication for user [<user>] FAILED > with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1 > [2023/05/31 17:00:23.639406, 2] > ../../source3/auth/auth.c:344(auth_check_ntlm_password) > check_ntlm_password: Authentication for user [<user>] -> [<user>] FAILED > with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1 > [2023/05/31 17:00:23.639427, 2] > ../../auth/auth_log.c:635(log_authentication_event_human_readable) > Auth: [SMB2,(null)] user [<domain>]\[<user>] at [Wed, 31 May 2023 > 17:00:23.639416 UTC] with [NTLMv2] status [NT_STATUS_RPC_SEC_PKG_ERROR] > workstation [<workstation>] remote host [ipv4:127.0.0.1:41710] mapped to > [<domain>]\[<user>]. local host [ipv4:127.0.0.138:1445] > {"timestamp": "2023-05-31T17:00:23.639487+0000", "type": "Authentication", > "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, > "logonId": "0", "logonType": 3, "status": "NT_STATUS_RPC_SEC_PKG_ERROR", > "localAddress": "ipv4:127.0.0.138:1445", "remoteAddress": "ipv4: > 127.0.0.1:41710", "serviceDescription": "SMB2", "authDescription": null, > "clientDomain": "<domain>", "clientAccount": "<user>", "workstation": > "<workstation>", "becameAccount": null, "becameDomain": null, "becameSid": > null, "mappedAccount": "<user>", "mappedDomain": "<domain>", > "netlogonComputer": null, "netlogonTrustAccount": null, > "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, > "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": > 6683}} > [2023/05/31 17:00:23.639520, 5] > ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send) > auth3_check_password_send: Checking NTLMSSP password for <domain>\<user> > failed: NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1 > [2023/05/31 17:00:23.639533, 4] > ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx) > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 > [2023/05/31 17:00:23.639547, 5] > ../../auth/ntlmssp/ntlmssp_server.c:813(ntlmssp_server_auth_done) > ntlmssp_server_auth_done: Checking NTLMSSP password for <domain>\<user> > failed: NT_STATUS_RPC_SEC_PKG_ERROR > [2023/05/31 17:00:23.639556, 5] > ../../auth/gensec/gensec.c:534(gensec_update_done) > gensec_update_done: ntlmssp[0x55b8d9521400]: NT_STATUS_RPC_SEC_PKG_ERROR > [2023/05/31 17:00:23.639564, 3] > ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step) > gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: > NT_STATUS_RPC_SEC_PKG_ERROR > [2023/05/31 17:00:23.639571, 5] > ../../auth/gensec/gensec.c:534(gensec_update_done) > gensec_update_done: spnego[0x55b8d94e1fd0]: NT_STATUS_RPC_SEC_PKG_ERROR > > > Below is the configuration: > security = ads > server role = member server > auth methods = winbind > idmap config * : backend = tdb > idmap config * : range = 10000-24999999 > winbind enum users = yes > winbind enum groups = yes > usershare allow guests = no > map untrusted to domain = Yes > allow trusted domains = noA couple of things possible, from 4.8.0 winbind must be running and your smb.conf is, to be blunt, rubbish. You need to set the workgroup, you need to have idmap config lines for the workgroup, the 'winbind enum' lines only slow things down and 'map untrusted to domain' has been removed. It might help if you started by reading this wiki page: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and then follow one of the pages it links to. Rowland
Bharath Bheemarasetti
2023-Jun-03 07:39 UTC
[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
A couple of things possible, from 4.8.0 winbind must be running and your smb.conf is, to be blunt, rubbish. You need to set the workgroup, you need to have idmap config lines for the workgroup, the 'winbind enum' lines only slow things down and 'map untrusted to domain' has been removed. Winbind is running and the workgroup was set as well. I omitted some lines from the smb.conf shared previously as I wasn't sure if they were relevant or not. I've added the full content below. Also share is being accessed by a windows client which is part of the domain and it does work fine for a few hours after restarting the smbd and winbind services. Does 'winbind enum' have any relation to that? https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#WINBINDENUMUSERS mentions turning off 'winbind enum' can cause some problems *Configuration:* netbios name = clustF994DF realm = <domain> bind interfaces only = yes interfaces = 127.0.0.138 lo:138 workgroup = <workgroup> security = ads server role = member server auth methods = winbind idmap config * : backend = tdb idmap config * : range = 10000-24999999 winbind enum users = yes winbind enum groups = yes usershare allow guests = no map untrusted to domain = Yes allow trusted domains = no server string = %h dns proxy = no log file = /var/log/samba/log.%m max log size = 1000 panic action = /usr/share/samba/panic-action %d smb ports = 1445 pid directory = /var/run/samba server min protocol = SMB2 strict sync = yes sync always = no smb encrypt = auto aio read size = 1 aio write size = 1 smb2 max read = 1048576 smb2 max write = 1048576 smb2 max trans = 1048576 socket options = TCP_NODELAY SO_RCVBUF=10485760 SO_SNDBUF=10485760 usershare owner only = no load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes machine password timeout = 0 nt acl support = yes vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes log level = 5 max log size = 1000 *Share configuration:* path = <path> guest ok = no writeable = no browseable = no valid users = "<domain>\<user>","+<domain>\<user group>" force user = root On Fri, Jun 2, 2023 at 3:21?AM Bharath Bheemarasetti < bharath.bheemarasetti at gmail.com> wrote:> Hi, > I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which > required the Samba version to be upgraded from 4.7.6 to 4.15.13. > Post the upgrade, winbind authentication fails > with NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on > restarting the smb service but comes back after some time. There were no > isses with the setup before the upgrade. > Tried clearing the cached tdb files as well but the issue still come back > after some time. > <trimmed the log lines> >> Below is the configuration: > security = ads > server role = member server > auth methods = winbind > idmap config * : backend = tdb > idmap config * : range = 10000-24999999 > winbind enum users = yes > winbind enum groups = yes > usershare allow guests = no > map untrusted to domain = Yes > allow trusted domains = no >
Maybe Matching Threads
- winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
- winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
- winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
- winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently
- winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently