Bug 13157 - Winbindd refuses new logins after "Bad SMB2 signature for message"
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.7.2
Hardware: x64 FreeBSD
Importance: P5 normal
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2017-11-21 15:48 UTC by Peter Eriksson
Modified: 2017-11-21 16:45 UTC (History)

Attachments
smb.conf file (2.86 KB, text/plain)
2017-11-21 15:48 UTC, Peter Eriksson

Description Peter Eriksson 2017-11-21 15:48:09 UTC
Created attachment 13799
smb.conf file

Every now and then the Winbindd processes on our pretty busy six Samba fileservers (around 200-400 users per server) seem to stop responding - causing Samba to refuse new SMB connections. Today we saw it happen on two different servers at 12:09, and then on a third one at 14:47...

The timing seems to coincide with the following errors that we see in the "log.smbd" file:

> # egrep -A5 'signing' /var/samba/logs/log.smbd
> [2017/11/21 14:47:22.282388,  0] ../libcli/smb/smb2_signing.c:171(smb2_signing_check_pdu)
>  Bad SMB2 signature for message
> [2017/11/21 14:47:22.282480,  0] ../lib/util/util.c:515(dump_data)
>   [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
> [2017/11/21 14:47:22.282522,  0] ../lib/util/util.c:515(dump_data)
>   [0000] C8 AA BD 98 1C CD D4 F7   47 B8 79 B6 EF 90 6D AF   ........ G.y...m.

Killing and restarting winbindd seems to allow the smbd processes to allow new connections again. Refuses both username+password & Kerberos-authenticated connections.

Operating System: 
  FreeBSD 11.1

Hardware: 
  Dell PowerEdge 730xd with 256GB RAM, 10Gbps Ethernet and ~140TB of ZFS storage

Joined with a Windows 2012 AD domain (6 AD servers) with around 100k users and many groups. winbind users & groups enumeration is disabled.

Attaching our smb.conf file. Had a quick look into the libcli/smb/smb2_signing.c file but couldn't really see anything obviously wrong...
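
A small parser for the log.smbd excerpt quoted in the report, added here as an illustration and not part of the original report or of Samba: it pairs each "Bad SMB2 signature for message" entry with the two dump_data entries that follow it, so failures can be timestamped and compared across servers. It assumes the first dump is the signature carried in the packet and the second the value computed locally; the function names and the `received_all_zero` field are this example's own.

```python
import re
from datetime import datetime

# Log lines as quoted in the report (with the '>' quoting removed).
SAMPLE = """\
[2017/11/21 14:47:22.282388,  0] ../libcli/smb/smb2_signing.c:171(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2017/11/21 14:47:22.282480,  0] ../lib/util/util.c:515(dump_data)
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[2017/11/21 14:47:22.282522,  0] ../lib/util/util.c:515(dump_data)
  [0000] C8 AA BD 98 1C CD D4 F7   47 B8 79 B6 EF 90 6D AF   ........ G.y...m.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\] \S+:\d+\((\w+)\)")
HEXROW = re.compile(r"^\s*\[[0-9A-Fa-f]{4}\]\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")

def parse_entries(text):
    """Group the log into (timestamp, function, body_lines) entries."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"^>\s?", "", line)  # accept '>'-quoted excerpts too
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            entries.append((ts, m.group(2), []))
        elif entries:
            entries[-1][2].append(line)
    return entries

def dump_bytes(body):
    """Decode the hex columns of a dump_data body, ignoring the ASCII column."""
    rows = (HEXROW.match(line) for line in body)
    return b"".join(bytes.fromhex("".join(m.group(1).split())) for m in rows if m)

def signing_failures(text):
    """Return one record per failure that is followed by two dump_data entries."""
    entries, events = parse_entries(text), []
    for i, (ts, func, body) in enumerate(entries):
        if func != "smb2_signing_check_pdu" or not any("Bad SMB2 signature" in l for l in body):
            continue
        dumps = [dump_bytes(b) for _, f, b in entries[i + 1:i + 3] if f == "dump_data"]
        if len(dumps) == 2:  # assumed order: signature from packet, then computed
            events.append({"time": ts, "received": dumps[0], "computed": dumps[1],
                           "received_all_zero": not any(dumps[0])})
    return events

if __name__ == "__main__":
    for e in signing_failures(SAMPLE):
        print(e["time"], e["received"].hex(), e["computed"].hex(), e["received_all_zero"])
```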