If the netlogon/schannel credentials get out of sync between client (winbindd on a member) and server (dc), we may get stuck in getting NT_STATUS_RPC_SEC_PKG_ERROR over and over again for authentications. I don't know how this can happen in real life, but we had a customer hitting this... We were able to reproduce this by changing a samba dc to avoid the TDB_CLEAR_IF_FIRST flag on schannel_store.tdb. With that I used this: # killall samba # cat /var/lib/samba/private/schannel_store.tdb.orig > /var/lib/samba/private/schannel_store.tdb # bin/samba If the related tdb entry is wiped instead, the dc will already NAK the dcerpc bind and that is handled correctly by winbind, but getting NT_STATUS_RPC_SEC_PKG_ERROR from LogonSamLogonEx is not handled correctly.
This bug was referenced in samba master: cb59fd43bbf758e4bad774cfc19ef87b157052c2 4ad5a35a3f67860aa7a1345efcfc92fe40578e31 0cb6de4b1d5410f3699172952be81c6eb75c2c86 b317b10dffd99d1add3ff0b85b958edd9639abc8 50e771c12f84f9268c2e9ddeef0965f79f85de3d
Created attachment 17972 [details] Patches for v4-18-test
Created attachment 17973 [details] Patches for v4-17-test
Pushed to autobuild-v4-{18,17}-test.
This bug was referenced in samba v4-18-test: 3b2f3cf8a26a6b766c01f0bb73d8b71ed9afc1b1 156bafb22e4eea0ff5a287d1e75850ad34d2858e 12043529bc1df793cc76823c289e4241821c535a ddd6169918e80a4c7da82e4a64d73396de1e282c 9b25d90175603414a6c5a335d254d117ec76524f
This bug was referenced in samba v4-17-test: 62507b112e64c0f3bda36c7a31a457c75a8a2ece 0afed23bcd2b18e811a3d63c45699e85ba3c9835 38a9e17d02f2d53bcd643ed255b1fa2861f40ce0 b5b4fd3ee23a23a806b321377f0fc77fff635ac0 65f35a5bf327efc1eb7a4968bfb55935872d500b
Closing out bug report. Thanks!
This bug was referenced in samba v4-17-stable (Release samba-4.17.9): 62507b112e64c0f3bda36c7a31a457c75a8a2ece 0afed23bcd2b18e811a3d63c45699e85ba3c9835 38a9e17d02f2d53bcd643ed255b1fa2861f40ce0 b5b4fd3ee23a23a806b321377f0fc77fff635ac0 65f35a5bf327efc1eb7a4968bfb55935872d500b
This bug was referenced in samba v4-18-stable (Release samba-4.18.6): 3b2f3cf8a26a6b766c01f0bb73d8b71ed9afc1b1 156bafb22e4eea0ff5a287d1e75850ad34d2858e 12043529bc1df793cc76823c289e4241821c535a ddd6169918e80a4c7da82e4a64d73396de1e282c 9b25d90175603414a6c5a335d254d117ec76524f