Bug 10264 - Unrecoverable winbind failure: "key length too large"
Summary: Unrecoverable winbind failure: "key length too large"
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.0.9
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2013-11-12 16:54 UTC by Andy Ross
Modified: 2013-12-24 12:26 UTC (History)
2 users (show)

See Also:

patch for master (1.31 KB, patch)
2013-11-13 14:23 UTC, Guenther Deschner
obnox: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Andy Ross 2013-11-12 16:54:01 UTC
The AD server did ... something and winbind (4.0.9 as packaged by Fedora 19) failed:

    Nov 11 10:43:47 ajross-mobl2 winbindd[15677]: [2013/11/11 10:43:47.637385,  0, pid=15677, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4069(cache_traverse_validate_fn)
    Nov 11 10:43:47 ajross-mobl2 winbindd[15677]:   cache_traverse_validate_fn: key length too large: (1174) > (1024)
    Nov 11 10:43:47 ajross-mobl2 winbindd[15677]: 

This would occur on every restart, and authentication would not
complete.  As far as I can tell, the kerberos environment was working
correctly and klist showed active tickets; it was just a winbind

Since the message seemed to indicate it was just validating a cache, I
found some "/var/lib/samba/winbind_cache.tdp*" files, deleted them,
and restarted the service.  Winbind came right up and operated fine
after that.

It seems to me like a cache validation glitch should be a recoverable
situation and not a permanent failure.
Comment 1 Guenther Deschner 2013-11-12 22:00:20 UTC
Can you share that particular winbind_cache.tdb file - maybe offline ? So we can work on a fix.
Comment 2 Guenther Deschner 2013-11-13 14:14:42 UTC
Ok, got the cache file. Fix to follow.
Comment 3 Guenther Deschner 2013-11-13 14:23:23 UTC
Created attachment 9413 [details]
patch for master
Comment 4 Michael Adam 2013-11-13 16:43:41 UTC
Comment on attachment 9413 [details]
patch for master

patch pushed to autobuild with review
Comment 5 Guenther Deschner 2013-11-14 13:24:53 UTC
Karolin, please cherrypick 944e9fbc20f125b52e047484dca1792d75561ed9 to 4-1
Comment 6 Guenther Deschner 2013-11-14 13:26:45 UTC
and 4-0 as well, please. Thanks!
Comment 7 David Woodhouse 2013-11-14 13:29:35 UTC
Hm, why is Andy the only one of my users to see this? Under what circumstances would it trigger? Should I be building an updated Fedora package with this patch for our internal repo, before everyone else comes knocking at my door...?
Comment 8 Karolin Seeger 2013-11-15 10:36:11 UTC
Pushed to autobuild-v4-1-test and autobuild-v4-0-test.
Comment 9 Guenther Deschner 2013-11-15 12:09:58 UTC
David can you open a (very brief) bug about this in fedora land, so we can provide you a fix there too ?
Comment 10 David Woodhouse 2013-11-15 12:23:45 UTC
Comment 11 Karolin Seeger 2013-11-18 09:41:27 UTC
(In reply to comment #8)
> Pushed to autobuild-v4-1-test and autobuild-v4-0-test.

Pushed to v4-1-test and v4-0-test.
Closing out bug report.