[Samba] Problem with samba as a member of AD with a trusted domain

Nathaniel Madura nmadura at umich.edu
Fri Apr 13 09:17:05 MDT 2012


First, I am not sure if this is a problem with samba or a misconfiguration somewhere along the way in AD. Unfortunately, I am a little peon on a large campus who is trying to use samba, so I have to figure out how to make samba work with what is in place.

I am using samba 3.5.8 on Ubuntu 11.04.

Here is the issue: I have gotten Samba/Winbind to successfully communicate with AD and perform authentication and all that jazz. Then I started getting email messages about sending 700,000 requests a day to our DNS servers. So I started digging deeper. It appears that when winbindd starts up and searches the UMROOT domain, it finds a trusted domain (MPATHWAYS2). It then tries to track down MPATHWAYS2 and is unsuccessful; it receives an NT_STATUS_CONNECTION_REFUSED. Because it can't find the domain, it schedules a retry in 30 secs and then repeats the whole process. So every 30 seconds it is sending 500+ DNS requests to the server. (Isn't there a caching mechanism?) A small snippet from a tcpdump capture of the DNS requests is below.

I have found the variable 'winbind reconnect delay', which I can use to change the 30 secs into, say, 5 minutes, but it is only decreasing the number of requests, not really solving any problems. Is there any way for me to tell Samba not to look for MPATHWAYS2?

A full debug dump of what is repeated every reconnect attempt is at http://pastebin.com/A3GvYWRp

Thanks,
Nathaniel

-------------- DNS requests (http://pastebin.com/wqsij79H for all 500+ entries) -------------
10:35:16.081633 IP 10.224.53.248.56483 > dns.umich.edu.domain: 20669+ AAAA? itcs-dc01.umich.edu. (50)
10:35:16.082452 IP 10.224.53.248.59121 > dns.umich.edu.domain: 6691+ AAAA? itcs-dc01.umich.edu. (50)
10:35:16.083343 IP 10.224.53.248.42311 > dns.umich.edu.domain: 43846+ A? itcs-dc01.umich.edu. (50)
10:35:16.084457 IP 10.224.53.248.40043 > dns.umich.edu.domain: 3355+ AAAA? itcs-dc02.umich.edu. (50)
10:35:16.085337 IP 10.224.53.248.42704 > dns.umich.edu.domain: 17221+ AAAA? itcs-dc02.umich.edu. (50)
10:35:16.086085 IP 10.224.53.248.44859 > dns.umich.edu.domain: 8613+ A? itcs-dc02.umich.edu. (50)
10:35:16.087147 IP 10.224.53.248.43603 > dns.umich.edu.domain: 29799+ AAAA? itcs-dc03.umich.edu. (50)
10:35:16.088032 IP 10.224.53.248.34606 > dns.umich.edu.domain: 36522+ AAAA? itcs-dc03.umich.edu. (50)
10:35:16.088833 IP 10.224.53.248.34569 > dns.umich.edu.domain: 37501+ A? itcs-dc03.umich.edu. (50)
10:35:16.089942 IP 10.224.53.248.43461 > dns.umich.edu.domain: 14302+ AAAA? itcs-dc04.umich.edu. (50)
10:35:16.091454 IP 10.224.53.248.36589 > dns.umich.edu.domain: 41996+ AAAA? itcs-dc04.umich.edu. (50)
10:35:16.092592 IP 10.224.53.248.57894 > dns.umich.edu.domain: 38619+ A? itcs-dc04.umich.edu. (50)
10:35:16.096440 IP 10.224.53.248.38878 > dns.umich.edu.domain: 48760+ SRV? _kerberos-master._tcp.UMICH.EDU. (62)

-------------- cat /etc/samba/smb.conf --------------
[global]
	workgroup = UMROOT
	realm = UMICH.EDU
	netbios name = TRI-BIO-PROFILE
	server string = Biosciences Profile Server
	interfaces = eth1, localhost
	bind interfaces only = Yes
	security = ADS
	allow trusted domains = No
	map to guest = Bad User
	password server = itcs-dc01.umich.edu itcs-dc02.umich.edu itcs-dc03.umich.edu
	restrict anonymous = 2
	client NTLMv2 auth = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	smb ports = 139
	name resolve order = lmhosts wins host
	dns proxy = No
	wins server = 141.213.143.150, 141.213.238.150
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap uid = 10000-60000
	idmap gid = 10000-60000
	template shell = /bin/bash
	winbind reconnect delay = 300
	winbind enum users = Yes
	winbind enum groups = Yes

[ProfileStore]
	comment = Users profiles
	path = /shares/profiles
	read only = No
	create mask = 0600
	strict locking = No


---
Nathaniel Madura
Engineer in Research
UMTRI - Biosciences Division
2901 Baxter Rd
Ann Arbor, MI 48109
W: 734-936-1109 F: 734-647-3330
nmadura at umich.edu
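
An added example, not part of the original post: a Python script that parses tcpdump DNS query lines in the format quoted above and counts questions the same client re-asked within the retry interval, which quantifies the missing caching the post asks about. The function names and the 30-second default window are assumptions chosen for illustration; the sample lines are copied from the excerpt in the post.

```python
import re
from collections import defaultdict

# Excerpt copied from the tcpdump lines quoted in the post above.
SAMPLE = """\
10:35:16.081633 IP 10.224.53.248.56483 > dns.umich.edu.domain: 20669+ AAAA? itcs-dc01.umich.edu. (50)
10:35:16.082452 IP 10.224.53.248.59121 > dns.umich.edu.domain: 6691+ AAAA? itcs-dc01.umich.edu. (50)
10:35:16.083343 IP 10.224.53.248.42311 > dns.umich.edu.domain: 43846+ A? itcs-dc01.umich.edu. (50)
10:35:16.084457 IP 10.224.53.248.40043 > dns.umich.edu.domain: 3355+ AAAA? itcs-dc02.umich.edu. (50)
10:35:16.085337 IP 10.224.53.248.42704 > dns.umich.edu.domain: 17221+ AAAA? itcs-dc02.umich.edu. (50)
10:35:16.086085 IP 10.224.53.248.44859 > dns.umich.edu.domain: 8613+ A? itcs-dc02.umich.edu. (50)
10:35:16.096440 IP 10.224.53.248.38878 > dns.umich.edu.domain: 48760+ SRV? _kerberos-master._tcp.UMICH.EDU. (62)
"""

# Fields: time, "IP", src.port, ">", dst.port:, query-id+flags, TYPE?, name, (length)
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > \S+: (\d+)\S* (\w+)\? (\S+) \(\d+\)$")

def parse_queries(text):
    """Return (seconds_since_midnight, client_ip, qtype, qname) per query line."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # responses and non-DNS lines do not match and are skipped
        h, mi, s, client, _port, _qid, qtype, qname = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)  # ignores midnight rollover
        out.append((ts, client, qtype, qname.lower()))
    return out

def repeated_queries(queries, window=30.0):
    """Count re-asks: same client, type and name again within `window` seconds."""
    last, repeats = {}, defaultdict(int)
    for ts, client, qtype, qname in sorted(queries):
        key = (client, qtype, qname)
        if key in last and ts - last[key] <= window:
            repeats[key] += 1  # a resolver cache would have answered this locally
        last[key] = ts
    return dict(repeats)

def summarize(text, window=30.0):
    q = parse_queries(text)
    re_asked = sum(repeated_queries(q, window).values())
    return {"total": len(q), "unique": len({x[1:] for x in q}), "re_asked": re_asked}

def daily_queries(burst, delay_seconds):
    """Queries per day if each reconnect attempt sends `burst` queries."""
    return burst * 86400 // delay_seconds

if __name__ == "__main__":
    print(summarize(SAMPLE), daily_queries(500, 30), daily_queries(500, 300))
```

To run it against a full capture, pass the text output of tcpdump to `summarize()` in place of `SAMPLE`.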



