Hi everyone

After almost 2 days up-time with Samba 4, it failed again. This time it simply will not restart.

The krb5.conf had got corrupted. I replaced it with this one from /usr/local/samba/private

/etc/krb5.conf
[libdefaults]
    default_realm = HH3.SITE
    dns_lookup_realm = false
    dns_lookup_kdc = true

It starts up OK:
samba -i -d 3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
samba version 4.0.0alpha18-GIT-bfc7481 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'nbench' for type 1 registered
PROCESS_MODEL 'single' registered
PROCESS_MODEL 'standard' registered
PROCESS_MODEL 'onefork' registered
PROCESS_MODEL 'prefork' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
AUTH backend 'anonymous' registered
AUTH backend 'server' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
SHARE backend [classic] registered.
SHARE backend [ldb] registered.
ldb_wrap open of privilege.ldb
samba: using 'standard' process model
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'backupkey' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'eventlog6' registered
DCERPC endpoint server 'dnsserver' registered
WARNING: no socket to connect to
ldb_wrap open of secrets.ldb
ldb_wrap open of idmap.ldb
Calling DNS name update script
Calling SPN name update script
kccsrv_partition[DC=hh3,DC=site] loaded
kccsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
kccsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
kccsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
dreplsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
dreplsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
dreplsrv_partition[DC=hh3,DC=site] loaded
dreplsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
dreplsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
kccsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
Completed SPN update check OK
Completed DNS update check OK
Registered HH3<00> with 192.168.1.3 on interface 192.168.1.255
Registered HH3<03> with 192.168.1.3 on interface 192.168.1.255
Registered HH3<20> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<1b> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<1c> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<00> with 192.168.1.3 on interface 192.168.1.255


And this works:

 kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 40 days on Tue Jan 31 23:40:57 2012

Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:39949 for krbtgt/[email protected]
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- [email protected]
Kerberos: Looking for ENC-TS pa-data -- [email protected]
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected] Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:33899 for krbtgt/[email protected]
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- [email protected]
Kerberos: Looking for ENC-TS pa-data -- [email protected]
Kerberos: ENC-TS Pre-authentication succeeded -- [email protected] using arcfour-hmac-md5 Kerberos: AS-REQ authtime: 2011-12-22T22:19:54 starttime: unset endtime: 2011-12-23T08:19:54 renew till: 2011-12-23T22:19:47 Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

Then this fails:

 wbinfo -u
Error looking up domain users

Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:58803 for krbtgt/[email protected]
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:49440 for krbtgt/[email protected]
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- [email protected]
Kerberos: Looking for ENC-TS pa-data -- [email protected]
Kerberos: Failed to decrypt PA-DATA -- [email protected] (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- [email protected]
Wrong username or password: kinit for [email protected] failed (Preauthentication failed)

SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

And this:

 wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator

ldb_wrap open of secrets.ldb
using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:38518 for krbtgt/[email protected]
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:53444 for krbtgt/[email protected]
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- [email protected]
Kerberos: Looking for ENC-TS pa-data -- [email protected]
Kerberos: Failed to decrypt PA-DATA -- [email protected] (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- [email protected]
Wrong username or password: kinit for [email protected] failed (Preauthentication failed)

SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Any ideas anyone?
Thanks
Steve





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to