Created attachment 12555 [details] gss_init_sec_context failed with [ The context has expired: Success] Hi I'm using samba as an AD Domain Member. After a fresh install of 4.4.6 everything works like expected. But after 10 hours it seems as if winbind is not able to refresh tickets. Logins after 10 hours with "smbclient ... -d8" usually takes about 20 seconds hanging at NTLMSSP_NEGOTIATE_KEY_EXCH. During the next 5 minutes login is fine, but then again it takes 20 seconds. Restarting winbindd resolves the problem for the next 10 hours. In the correlated log.wb-MyDOMAIN at level 10 I see I see entries like: gss_init_sec_context failed with [ The context has expired: Success] /source3/libads/sasl.c:785(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred. Attached you will find the whole bunch of logs. For testing I compiled samba 4.4.6 using --with-system-mitkrb5 (version 1.14.4) which works fine. Another test with version 4.5.0 and embedded heimdal build however shows the same problem mentioned above. The samba version I used before upgrading was 4.2.14 and it was working OK. Any help would be appreciated. Regards Klaus
Can you check if 4.4.5 doesn't have the problem? If so I assume the patches from bug #12007 are the problem.
Same problem here since I upgrade from 4.4.5 to 4.4.6. I've just downgraded 1 of my member server to 4.4.5... Will see in 10 hours if problem occurs.
Will be checked with a fresh install of 4.4.5. Results tomorrow.
(In reply to klaus.braun from comment #3) I was able to reproduce the problem. I'm pretty sure that 4.4.5 doesn't have that problem. The problem is that heimdal doesn't seem to do an implicit krb5_cc_destroy() on kinit
Created attachment 12560 [details] Possible patches for master
Comment on attachment 12560 [details] Possible patches for master I believe you probably attached the wrong patch?
Here is detailed log of winbind process after 10 hours (debug level 9): get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 10.14.76.201:389 check_negative_conn_cache returning result 0 for domain pr.educationetformation.fr server 10.14.76.201 ads_try_connect: sending CLDAP request to 10.14.76.201 (realm: pr.educationetformation.fr) Successfully contacted LDAP server 10.14.76.201 sitename_fetch: Returning sitename for pr.educationetformation.fr: "SaintEtienneDuRouvray" ads_dc_name: using server='DC113.PR.EDUCATIONETFORMATION.FR' IP=10.14.76.201 ads_try_connect: sending CLDAP request to 10.14.76.201 (realm: pr.educationetformation.fr) Successfully contacted LDAP server 10.14.76.201 Connected to LDAP server dc113.pr.educationetformation.fr KDC time offset is 0 seconds Found SASL mechanism GSS-SPNEGO ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 gss_init_sec_context failed with [ The context has expired: Success] SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred. ads_connect for domain PR failed: An internal error occurred. Finished processing child request 59
(In reply to Jordi MORILLO from comment #2) 4.4.5 is running perfectly after 10 hours. I have downgraded all my member servers
(In reply to klaus.braun from comment #3) Same here. No such Problems when using 4.4.5
Same Problems here. Sernet-Packages Samba AD-Domain-Controller Samba Domain-Member (File-Server) Since 4.4.6 (last week) problems as described. No probs before! log.winbindd-idmap gss_init_sec_context failed with [ The context has expired: Success] SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred. ads_connect for domain ds failed: An internal error occurred. ADS uninitialized: An internal error occurred. log.winbindd trustdom_list_done: Could not receive trustdoms
Created attachment 12565 [details] Patches for v4-5-test
Created attachment 12566 [details] Patches for v4-4-test
Created attachment 12567 [details] Patches for v4-3-test These are regression fixes for changes already in v4-3-test (scheduled for the last 4.3 maintenance release)
(In reply to Stefan Metzmacher from comment #12) Thanks. Is in test for 4.4.6. Results tomorrow.
Re-assigning to Karolin for integration in 4.5.next, 4.4.next, 4.3.next.
(In reply to Klaus Braun from comment #14) Works for 4.4.6. Thanks again.
(In reply to Jeremy Allison from comment #15) Pushed to autobuild-v4-{5,4,3}-test.
(In reply to Karolin Seeger from comment #17) Pushed to all branches. Closing out bug report. Thanks!