Winbindd hangs (from today CVS)
sbawa at tabmaster.com
Mon Jan 21 15:35:10 GMT 2002
I want to get an IPSec implementation for remote access with Samba. What
IPSec package are you using for the client and server? Free S/Wan maybe?
From: samba-technical-admin at lists.samba.org
[mailto:samba-technical-admin at lists.samba.org]On Behalf Of Tim Potter
Sent: Monday, January 21, 2002 5:24 PM
To: Jason Haar
Cc: Samba-Technical (E-post)
Subject: Re: Winbindd hangs (from today CVS)
On Tue, Jan 22, 2002 at 11:59:54AM +1300, Jason Haar wrote:
> [Before I forget. Having a /var/run/winbindd file containing the PID of
> winbindd would be REALLY good. As it is, if it hangs, how do you find the
> PID to kill when 'ps' is hanging 'cause winbindd has hung? :-)]
I run 'killall -9 winbindd' which is probably a linux-ism. Having a pid
file is a good idea though.
> I've been having very little luck with winbindd over the past couple of
> months, but have been ignoring it basically as an option. Now that I see
> next release of Samba is due out shortly, I thought it might be a good
> to mention the problems I have - as there may be something to fix.
> We run a *very* distributed WAN - with Trusted NT domains spread all over
> the world over Frame-Relay and IPSEC VPN links. As such the
> of our WAN is... well... dodgy at best WRT Windows. (things like LDAP,
> SMTP work fine - but we find that RPC based applications *really* don't
> the kind of erratic packet loss that is experienced over VPN links)
> i.e. our Unix systems work fine over VPN - Windows, not so well...
Winbindd basically does lots of windows rpc calls so it is probably
suffering the same problems.
> Anyway, I think this "dodginess" is bringing out the worst in winbindd.
> I compiled and installed Samba-3.0alpha from CVS this morning (and
> yesterday, and ....), it runs OK for a while - really slow - but it runs.
> Running "winbindd -i -d9" and making a getent-style query shows it running
> off trying to talk to every Domain Controller on our WAN - which will take
> MINUTES to finish. The getent app will sit there for a few minutes, then
> stuff will flow through.
> I tried setting WINBINDD_DOMAIN, but that appears to only affect what the
> client returns - not what winbindd does?
Yes. I wonder if there should be a more formal way of limiting the number
of trusted domains winbindd contacts? It would certainly make situations
like this more useful.
> Anyway, after some period of slowly working, it stops working :-(
Hmm - the new caching code tridge has committed to the HEAD branch in CVS
is quite aggressive so once the cache is populated with user/group lists
there should be little contact with domain controllers. Of course you
will get delays when it needs to refresh the cache so it doesn't really
solve the problem.
> "/usr/local/samba/bin/wbinfo -p" just hangs, and "winbindd -i" is
> all sorts of things - but it looks to be working to me (logs aren't full
> socket errors or access denied or the likes...)
> Can someone tell me what to look for, I've got a saved 21Mb logfile that
> contain something... :-)
Can you mail me the URL and I'll take a look? Compressed logfiles are
much nicer. (-:
> Here's my winbind config entries:
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
Try setting enum users and enum groups to no. This will give you most
of the functionality of winbindd but without needing to transfer large
user lists over the network.