Still pursuing my strange problem with Windows clients randomly (2 or 3 a day on a network of about 200 PCs) not allowing logins until reboot.

Nailing down some best practices in an attempt to fix. My best guess is that it's a Kerberos issue --sensitive to time sync and DNS.

-- Installed chrony instead of ntpsec (seems to perform as advertised)

-- (Today) moved to BIND9_DLZ instead of SAMBA_INTERNAL for DNS services. (long ago I switched to SAMBA_INTERNAL from BIND9_DLZ because the Debian version of named did not include dlopen and had to be recompiled every time)

So now the Windows eventlog complains that it can't update RRs because of a system error instead of a security problem (PROGRESS!?). The DC shows variations on the following in the log

"ERROR: auth_data_only pad length mismatch. Client sent a longer BIND packet than expected by 44 bytes (pkt_trailer->length=2084 - auth_length=2040) = 44 auth_pad_length=0"

I notice that there's lots of mention of this from 2020 on and one of the emails points to WIP list with the latest post as of October 9 of this year. Is there any further action on this? Do I switch to nonsecure updates? Is it likely to improve the original problem with Windows 10 clients needing reboot to login?
Correction: the WIP list is at the bottom of the related bugzilla report: https://bugzilla.samba.org/show_bug.cgi?id=14356

On Fri, 2023-11-03 at 08:51 -0700, Ray Klassen via samba wrote:
> Still pursuing my strange problem with Windows clients randomly (2 or 3
> a day on a network of about 200 PCs) not allowing logins until reboot.
>
> Nailing down some best practices in an attempt to fix. My best guess is
> that it's a Kerberos issue --sensitive to time sync and DNS.
>
> -- Installed chrony instead of ntpsec (seems to perform as advertised)
>
> -- (Today) moved to BIND9_DLZ instead of SAMBA_INTERNAL for DNS
> services. (long ago I switched to SAMBA_INTERNAL from BIND9_DLZ
> because the Debian version of named did not include dlopen and had to
> be recompiled every time)
>
> So now the Windows eventlog complains that it can't update RRs
> because of a system error instead of a security problem (PROGRESS!?).
> The DC shows variations on the following in the log
>
> "ERROR: auth_data_only pad length mismatch. Client sent a longer BIND
> packet than expected by 44 bytes (pkt_trailer->length=2084 -
> auth_length=2040) = 44 auth_pad_length=0"
>
> I notice that there's lots of mention of this from 2020 on and one of
> the emails points to WIP list with the latest post as of October 9 of
> this year. Is there any further action on this? Do I switch to
> nonsecure updates? Is it likely to improve the original problem with
> Windows 10 clients needing reboot to login?