[Samba] Winbind eventually locks "forever" if one of ActiveDirectory refuses all connections

Andrew Tranquada andrew.tranquada at gmail.com
Fri Mar 26 08:56:00 MDT 2010


I see this was created as bug 7259, but I did not see anything in the mailing
list about this problem.
Does anyone else have a problem like this? Is there something in my
configuration that is incorrect?
We have two domain controllers, and if we reboot either one of them, winbind
hangs and we cannot look up any ids. Since logins require group lookups,
logging in as a local user hangs, effectively locking us out of the box. If
we continue to try as a local user we can eventually get in, but it is less
than ideal and scares everyone when you cannot log in.
Not rebooting the AD servers is not an option; we do keep our boxes patched
with updates.
What appears to happen is that rebooting one of the AD servers causes
winbind to get some kind of error and stop listening on /tmp/.winbind/pipe.
When we do an lsof of /tmp/.winbind/pipe and then strace -p any of the
winbind processes, none of them are looking (in their select) at the file
descriptor(s) listed by lsof. So it seems that when one AD server is
restarted, winbind does not like it and errors, and stops listening on that
pipe, and when any communication happens (sid-uid lookups), since no one is
responding on that pipe/socket, it hangs.
This is with Samba 3.4.5.

Our Samba config:
        netbios name = nimdev-afs1
        workgroup = <redacted>
        security = ads
        realm = <redacted>
        kerberos method = system keytab
        idmap backend = hash
        idmap uid = 4000-100000000
        idmap gid = 4000-100000000
        winbind enum users = yes
        winbind enum groups = yes
        auth methods = winbind
        template shell = /bin/bash
        template homedir = /home/%U
        winbind normalize names = yes
        winbind use default domain = yes
        allow trusted domains = no
        winbind cache time = 3600


What more information can I provide that would be helpful?

Thank you



-- 
Andrew Tranquada
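
The lsof/strace comparison described in the message can be scripted. The following is an added example, not part of the original post or of Samba; the function names are hypothetical, both samples are constructed, and it assumes each strace line has been reduced to the pid followed by the select() call strace printed for that process.

```shell
#!/bin/sh
# Constructed sample: `lsof /tmp/.winbind/pipe` output (not captured from a real host).
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF  NODE NAME
winbindd 2101 root   18u  unix 0xffff8800      0t0 41877 /tmp/.winbind/pipe
winbindd 2104 root   18u  unix 0xffff8800      0t0 41877 /tmp/.winbind/pipe'

# Constructed sample: "<pid> <select() call as shown by strace -p <pid>>", one per process.
STRACE_SAMPLE='2101 select(24, [17 20 21], [], NULL, {30, 0}
2104 select(22, [19 21], [], NULL, {30, 0}'

# pipe_fds: print "pid fd" for every numeric descriptor lsof reports on the pipe.
pipe_fds() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        fd = $4; sub(/[^0-9]+$/, "", fd)      # "18u" -> "18"; "cwd" -> ""
        if (fd != "") print $2, fd
    }'
}

# watched: succeed if fd $2 is in the read set of pid $1's select() call in text $3.
watched() {
    printf '%s\n' "$3" | awk -v pid="$1" -v fd="$2" '
        $1 == pid && match($0, /\[[0-9 ]*\]/) {
            # The first bracketed list in a select() trace is the read set.
            n = split(substr($0, RSTART + 1, RLENGTH - 2), set, " ")
            for (i = 1; i <= n; i++) if (set[i] == fd) found = 1
        }
        END { exit !found }'
}

# unwatched_listeners: print "pid fd" pairs that hold the pipe open but never
# select() on it, which is the hung state described in the message.
unwatched_listeners() {
    pipe_fds "$1" | while read -r pid fd; do
        watched "$pid" "$fd" "$2" || echo "$pid $fd"
    done
}

unwatched_listeners "$LSOF_SAMPLE" "$STRACE_SAMPLE"
```

Any "pid fd" pair printed is a winbindd process that still holds the socket but is not reading from it; empty output means every holder has the descriptor in its read set.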

