Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[Samba] auth problems with samba 4.4.6 (winbind) *(suppected bug)

663 views
Skip to first unread message

L.P.H. van Belle via samba

unread,
Oct 19, 2016, 3:10:02 AM10/19/16
to
Hai,

 

I had some users today that couldnt login.

Windows stopped at the “Welcome” screen.  

 

Now, i checked the logs and i noticed a change in winbind.

i noticed 2 logs files with increase a 1000% in size.  log.winbindd-idmap and log.wb-NTDOM

 

 

Before ( samba 4.4.5 ) log.winbindd-idmap

[2016/09/30 11:32:37.040567,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/09/30 11:33:17.967227,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/05 16:18:58.799428,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/12 13:31:55.689930,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/18 15:35:41.931491,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/19 01:39:57.249786,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)

  gss_init_sec_context failed with [ The caontext has expired: Success]

( the last line was and restart of winbind.)

 

after ( 4.4.6 ) log.winbindd-idmap

[2016/10/18 15:35:41.931491,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/19 01:39:57.249786,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)

  gss_init_sec_context failed with [ The context has expired: Success]

[2016/10/19 01:39:57.255431,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)

  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

[2016/10/19 01:44:56.909360,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)

  gss_init_sec_context failed with [ The context has expired: Success]

 

Before ( samba 4.4.5 ) log.wb-NTDOM

  gss_init_sec_context failed with [ The context has expired: Success]

[2016/10/12 13:31:55.689792,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/12 13:32:05.276839,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/13 00:32:19.370114,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)

  gss_init_sec_context failed with [ The context has expired: Success]

[2016/10/18 15:35:41.931396,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/18 15:35:54.299672,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=0)

[2016/10/19 01:36:08.441464,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)

  gss_init_sec_context failed with [ The context has expired: Success]

 

after ( 4.4.6 ) log.wb-NTDOM

[2016/10/19 01:36:08.441464,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)

  gss_init_sec_context failed with [ The context has expired: Success]

[2016/10/19 01:36:08.446288,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)

  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

[2016/10/19 01:36:08.510460,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)

  gss_init_sec_context failed with [ The context has expired: Success]

[2016/10/19 01:36:08.510540,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)

  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

[2016/10/19 01:36:39.285046,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)

  gss_init_sec_context failed with [ The context has expired: Success]

[2016/10/19 01:36:39.285142,  0] ../source3/libads/sasl.c:785(ads_sasl_spnego_bind)

  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

 

 

fix was very simple.

 

turned of the pc.

restarted winbind on this server and these users could login again.  

I did not update my DC’s, since i’ve seen more about this on the mailing list.

 

The server in question is a samba member server, and this server contains the profiles and users home folders.

Debian Jessie, samba/winbind 4.4.6

 

The strange thing here.

About 60 users logged in ok and 3 not.

This is the first time this happend since im running 4.2 and up.

so im very sure this is a bug.

 

Anyone, is this a known bug

and if so any patch i can test?

Or anything i can do else to help debug this if there is no patch?

 

 

 

 

Greetz,

 

Louis

 

 

 

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle via samba

unread,
Oct 19, 2016, 3:30:03 AM10/19/16
to
I review a few other servers, all 4.4.5 works fine.
The few i test now with 4.4.6 all the same errors in the logs.

The smb.conf of this setup.
P.S.
This server is accessed only by windows clients so this is why all the shares have : acl_xattr:ignore system acl = yes


[global]
workgroup = NTDOM
security = ADS
realm = INTERNAL.DOMAIN.TLD
netbios name = MEMBER1

# Prio member server1. LVL-1/4 (user homes and profiles)
# set master browser for the network.
# preffered + domain master = guarantee master browser ( man smb.conf )
preferred master = yes
domain master = yes
host msdfs = no

interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes
dns proxy = yes

server signing = mandatory
ntlm auth = no

# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/keyfile.key.pem
tls certfile = /etc/ssl/local/certs/certfile.cert.pem
tls cafile = /etc/ssl/certs/company-ca.pem

## map id's outside to domain to tdb files.
idmap config * :backend = tdb
idmap config * :range = 2000-9999

## map ids from the domain the range may not overlap !
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# renew the kerberos ticket
winbind refresh tickets = yes

# Use home directory and shell information from AD
winbind nss info = rfc2307

winbind trusted domains only = no
winbind use default domain = yes

# Global, defaults No.
# show users with id/getent
winbind enum users = yes
winbind enum groups = yes

# enable offline logins
winbind offline logon = yes

# check depth of nested groups,
# ! slows down you samba, if to much groups depth ( min 4 )
winbind expand groups = 4

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping

# disable usershares creating, when set empty no error log messages.
usershare path =

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

######## SHARE DEFINITIONS ################
[profiles]
# windows profiles
browseable = yes
path = /home/samba/profiles
read only = no
acl_xattr:ignore system acl = yes

[users]
# Users homes
browseable = yes
path = /home/samba/users
read only = no
acl_xattr:ignore system acl = yes

[public]
# Distribtion share
browseable = yes
path = /home/samba/public
read only = no
acl_xattr:ignore system acl = yes


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-...@lists.samba.org] Namens L.P.H. van Belle
> via samba
> Verzonden: woensdag 19 oktober 2016 9:02
> Aan: sa...@lists.samba.org
> Onderwerp: [Samba] auth problems with samba 4.4.6 (winbind) *(suppected
> bug)


>
> Hai,
>
>
>
> I had some users today that couldnt login.
>

> Windows stopped at the ?Welcome? screen.

> I did not update my DC?s, since i?ve seen more about this on the mailing

L.P.H. van Belle via samba

unread,
Oct 19, 2016, 7:30:03 AM10/19/16
to
Fixed by reverting to 4.4.5.

If you have to do this also, make sure ALL samba related packages are downgraded. (tevent talloc ldb tdb samba winbind etc.. )


Greetz,

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-...@lists.samba.org] Namens L.P.H. van Belle
> via samba

> Verzonden: woensdag 19 oktober 2016 9:23
> Aan: sa...@lists.samba.org
> Onderwerp: Re: [Samba] auth problems with samba 4.4.6 (winbind)

MORILLO Jordi via samba

unread,
Oct 20, 2016, 3:20:03 AM10/20/16
to
Yes I have also the same bug:
https://bugzilla.samba.org/show_bug.cgi?id=12369
I downgrade to 4.4.5

-----Message d'origine-----
De : samba [mailto:samba-...@lists.samba.org] De la part de L.P.H. van Belle via samba
Envoyé : mercredi 19 octobre 2016 09:23
À : sa...@lists.samba.org
Objet : Re: [Samba] auth problems with samba 4.4.6 (winbind) *(suppected bug)
0 new messages