Samba4 AD DC randomly dies, error: "Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6".

Bug #1357471 reported by Thiago Martins on 2014-08-15
This bug affects 4 people
Affects: samba (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello!

I'm using Samba4 AD DC, from Ubuntu 14.04.1. It works almost flawlessly but, almost every day, it dies.

The error log begins to show:

"Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6"

Then, the replication stops working, the domain stops responding and Windows guests do not authenticate, it becomes really messy.

Here is the workaround:

---
rm /var/log/samba/* ; service samba-ad-dc restart
---

More info:

https://lists.samba.org/archive/samba/2014-May/181193.html

Issue: "samba" process uses excessive CPU time and generates high IO Wait. log.samba has many entries stating "Did not manage to negotiate mandetory feature SIGN for dcerpc":
http://ghanima.net/doku.php?id=wiki:ghanima:healthandsecurity:samba4

Thanks!
Thiago

Thiago Martins (martinx) wrote :

Guys,

It is impossible to use Samba 4.1.6 from Ubuntu 14.04.1 as an AD DC in production.

This is happening all the time:

http://i.imgur.com/wDqOsy6.png

I think that if you restart any Domain Controller, it will trigger this error on the other DCs, because I just restarted my PDC (ubuntu-ad-1) and all BDCs died.

I just built an Ubuntu PPA Archive to provide Samba 4.1.11 for Trusty: http://launchpad.net/~martinx/+archive/ubuntu/ig - I'll test it today.

Ubuntu needs a much, far much more serious Q.A. Team.

Thiago Martins (martinx) wrote :

Hey guys!

This problem still persists on Samba 4.1.11 from my PPA.

Seems to be an upstream problem.

Jelmer Vernooij (jelmer) wrote :

Thiago,

Please don't subscribe me to bug email. I am only involved in the Debian packaging of Samba and upstream, not in the Ubuntu packaging.

Please make sure that all replication servers have their time in sync.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed

Stefan Metzmacher (metze) wrote :

See https://bugzilla.samba.org/show_bug.cgi?id=11164; there are fixes, at least for the error messages, attached to that bug.

Marco van Zwetselaar (zwets) wrote :

My two Samba AD DCs run in an environment with frequent network interruptions due to power cuts. It seems that even very brief network interruptions trigger this issue, which then doesn't resolve itself when connectivity is restored.

After most network interruptions, the following three messages repeat in log.samba every 5 seconds, and 'sudo samba-tool drs showrepl' shows failures. A 'sudo service samba-ad-dc restart' is required to get everything working again.

- "Update failed: Miscellaneous failure (see text): Matching credential (GC/{other-dc}.{domain}/{domain}@{DOMAIN}) not found"
- "Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6"
- "Failed to bind to uuid {uuid-1} for {uuid-1}@ncacn_ip_tcp:{uuid-2}._msdcs.{domain}[1024,seal,krb5] NT_STATUS_ACCESS_DENIED."

In a country with on average 12 powercuts *per day*, which despite a huge arsenal of stabilisers and UPS-es do cause brief network interruptions, you can imagine that this issue is a major pain in the behind :-/
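The comment above describes a recognisable failure signature: the same three messages looping every few seconds until someone restarts Samba, with clients only noticing once authentication breaks. The script below is an added example for this page (not code from the bug thread or from the Samba project) that scans a log.samba excerpt for those three message fragments and distinguishes the steady loop from an isolated error, so an operator can alert on a stuck DC instead of discovering it later. It assumes a simplified one-entry-per-line layout of "[YYYY/MM/DD HH:MM:SS] message"; the sample log lines, hostnames and UUID placeholders are constructed, not taken from any real site.

```python
"""Scan a log.samba excerpt for the DRS replication failure loop described in
this bug thread.  Example code written for this page, not part of Samba."""
import re
from datetime import datetime, timedelta

# Message fragments quoted in the thread.  Samba's own "mandetory" spelling is
# kept deliberately so the match works against the real log text.
SIGNATURES = {
    "sign_not_negotiated": "Did not manage to negotiate mandetory feature SIGN",
    "credential_not_found": "Matching credential (GC/",
    "bind_failed": "Failed to bind to uuid",
}

# Assumed one-line-per-entry layout: "[YYYY/MM/DD HH:MM:SS] message".
LINE_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\]\s+(.*)$")

# Constructed sample reproducing the 5-second loop; hostnames and UUIDs are placeholders.
STUCK_LOG = """\
[2014/08/15 10:00:00] Update failed: Miscellaneous failure (see text): Matching credential (GC/dc2.example.test/example.test/EXAMPLE.TEST@EXAMPLE.TEST) not found
[2014/08/15 10:00:00] Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2014/08/15 10:00:00] Failed to bind to uuid UUID-1 for UUID-1@ncacn_ip_tcp:UUID-2._msdcs.example.test[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
[2014/08/15 10:00:05] Update failed: Miscellaneous failure (see text): Matching credential (GC/dc2.example.test/example.test/EXAMPLE.TEST@EXAMPLE.TEST) not found
[2014/08/15 10:00:05] Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2014/08/15 10:00:05] Failed to bind to uuid UUID-1 for UUID-1@ncacn_ip_tcp:UUID-2._msdcs.example.test[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
[2014/08/15 10:00:10] Update failed: Miscellaneous failure (see text): Matching credential (GC/dc2.example.test/example.test/EXAMPLE.TEST@EXAMPLE.TEST) not found
[2014/08/15 10:00:10] Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2014/08/15 10:00:10] Failed to bind to uuid UUID-1 for UUID-1@ncacn_ip_tcp:UUID-2._msdcs.example.test[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
"""

# Constructed sample of two isolated bind errors half an hour apart: a transient
# blip that recovered on its own and should not raise an alarm.
TRANSIENT_LOG = """\
[2014/08/15 11:00:00] Failed to bind to uuid UUID-1 for UUID-1@ncacn_ip_tcp:UUID-2._msdcs.example.test[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
[2014/08/15 11:30:00] Failed to bind to uuid UUID-1 for UUID-1@ncacn_ip_tcp:UUID-2._msdcs.example.test[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
"""


def parse_log(text):
    """Return [(timestamp, signature_name)] for every line matching a known signature."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        for name, fragment in SIGNATURES.items():
            if fragment in m.group(2):
                events.append((ts, name))
                break
    return events


def assess(events, max_gap=timedelta(seconds=30), min_repeats=3):
    """Decide whether replication looks stuck.

    "Stuck" means some signature recurred at least min_repeats times with no
    gap longer than max_gap between consecutive occurrences, i.e. the steady
    every-few-seconds loop the thread describes rather than a one-off error.
    """
    by_sig = {}
    for ts, name in events:
        by_sig.setdefault(name, []).append(ts)
    counts = {name: len(stamps) for name, stamps in by_sig.items()}
    looping = set()
    for name, stamps in by_sig.items():
        stamps.sort()
        run = 1  # length of the current chain of closely spaced repeats
        for prev, cur in zip(stamps, stamps[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            if run >= min_repeats:
                looping.add(name)
                break
    return {"stuck": bool(looping), "looping": sorted(looping), "counts": counts}


if __name__ == "__main__":
    for label, log in (("stuck", STUCK_LOG), ("transient", TRANSIENT_LOG)):
        print(label, assess(parse_log(log)))
```

Run it against a real log.samba by reading the file into parse_log; the thresholds (30 seconds, 3 repeats) are tuning knobs, and a "stuck" verdict is the point at which to run samba-tool drs showrepl and, if it confirms failures, restart the samba-ad-dc service as the commenters do.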

Jorge Albarenque (jorgito1412) wrote :

I can confirm that applying the patch provided in https://bugzilla.samba.org/show_bug.cgi?id=11164 does not fix the issue.

The "Did not manage to negotiate..." error message is gone but the other message "Failed to bind..." still spams the logs and replication is broken as per "samba-tool drs showrepl".

I can also confirm that what triggers this are network connectivity interruptions between the DCs. After connectivity is restored, replication is not reestablished until Samba is restarted.

Jorge Albarenque (jorgito1412) wrote :

I recently compiled and installed Samba v4.3.1 on Debian Jessie (from the experimental repo) and I can confirm that this problem seems to have been resolved (at least on that version, although probably since v4.2.x).

Joshua Powers (powersj) wrote :

Trusty updates has 4.3.11 now; given the above comment, moving to Incomplete.

If you disagree or have additional details please add them below and then change the bug status back to New.

Changed in samba (Ubuntu):
status: Confirmed → Incomplete