Rowland Penny
2024-Oct-18 15:13 UTC
[Samba] net ads extremely slow when dns server configured in resolv.conf
On Fri, 18 Oct 2024 15:00:38 +0000 (UTC) Rodrigo Antunes via samba <samba at lists.samba.org> wrote:
> Hi,
>
> First of all, my problem is a lot similar to this:
> https://lists.samba.org/archive/samba/2017-February/206248.html
>
> I have a freeradius server (10.1.0.13) that authenticates wifi users
> against AD (10.1.0.3). 10.1.0.13 is domain joined and has 10.1.0.3 as
> its DNS server.
>
> The problem:
> When 10.1.0.3 has no internet connection, users most of the time
> can't authenticate. When it has, everything works as it should.
>
> The "fix":
> If I use no DNS servers at all and put a fixed entry (10.1.0.3
> mydomain.com) in 10.1.0.13's /etc/hosts everything works as it
> should. Although this solves the main problem this creates other
> unrelated problems, so the freeradius server needs to work with the
> right DNS server configured.
>
> When the problem happens all the domain related commands (wbinfo, net
> ads, ntlm_auth) are extremely slow and sometimes succeed and
> sometimes don't. I have run 'net ads info' in debug and found this:
>
> --
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
>
> (hangs for a lot of time)
>
> gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were
> supplied, or the credentials were unavailable or inaccessible.:
> unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may
> retry after a kinit.
> Failed to start GENSEC client mech gse_krb5:
> NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit request:
> NT_STATUS_INTERNAL_ERROR ads_sasl_spnego_gensec_bind(KRB5) failed
> with: An internal error occurred., calling kinit
> kerberos_kinit_password: as MYFRSERVER$@MYDOMAIN.COM using
> [MEMORY:net_ads] as ccache and config
> [/var/run/samba/smb_krb5/krb5.conf.ADM]
>
> (then tries again)
>
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> --
>
> But I have noticed that the same messages appear when everything is
> working, except that there are no hangs.
>
> Any ideas?
>
> Samba Version 4.2.10-Debian

Please tell me that is a typo before we go anywhere, tell me that you are not still using Samba 4.2.10 and presumably Debian Jessie.

Rowland
Rodrigo Antunes
2024-Oct-18 16:13 UTC
[Samba] net ads extremely slow when dns server configured in resolv.conf
Yes, it is Samba 4.2.10 and Debian Jessie. Is this a known bug of that version?