Strange behaviour of winbind on samba 3.5.4 on RHEL5

Tobias von der Krone linux at vdkrone.de
Fri Mar 11 01:25:42 MST 2011


Hi,

First: I'm relatively new to Samba...
I upgraded an existing Samba server 3.0.3 on RHEL5 x86_64 to 3.5.4. The 
Samba server is a domain member (only one domain, no trusted domains) 
with Windows 2003 domain controllers and is configured with Kerberos.
It is an English Linux system with a German Windows domain.
# locale
LANG=en_US.iso885915

After starting nmb, winbind and smb, everything seems to work well. After 
some time (sometimes after some minutes or some hours) the command 'getent 
group' shows strange characters, e.g.: 
"THEDOMAIN+schema-admins:*:10017:�1{,{,,,1{,,{,,2{,2{,,,,THEDOMAIN+smi,THEDOMAIN+ztr" 
and the following entries are found in the logs:

==> log.wb-THEDOMAIN <==
[2011/03/11 08:53:39.621522,  1, effective(0, 0), real(0, 0)] winbindd/winbindd_ads.c:126(ads_cached_connection)
   ads_connect for domain THEDOMAIN failed: No logon servers

==> log.0.0.0.0 <==
[2011/03/11 08:53:39.621722,  1, effective(0, 0), real(0, 0)] winbindd/winbindd_util.c:289(trustdom_recv)
   Could not receive trustdoms

Here are some details from /etc/samba/smb.conf (names and IP addresses 
are changed):

[global]

# who am I
    workgroup           = THEDOMAIN
    netbios name       = MYHOSTNAME
    netbios aliases      = MYALIAS
    server string        = Server %L

# debugging
    debug level          = 2
    debug uid            = Yes
    log file             = /var/log/samba/log.%I
    max log size         = 50

# printing
    load printers        = no
    printcap name        = /etc/printcap

    #lock directory       = /etc/samba/database
    lock directory       = /etc/samba/lock
    state directory       = /etc/samba/state
    cache directory      = /etc/samba/cache
    guest account        = nobody

# security
#  kerberos setup
    realm                = THEREALM
    # for samba 3.0
    #use kerberos keytab  = yes
    # for samba 3.5
    kerberos method      = secrets and keytab
    password server        = DC01 DC02 DC03
    #password server     = *
    security                     = ADS
    encrypt passwords    = yes
    invalid users              = root daemon bin sys adm uucp nuucp lpd imnadm ipsec lp snapp invscout
    domain master        = no
    map to guest            = Never
    unix extensions         = no
#   nt pipe support      = no

# communication
    unix charset            = LOCALE
#   character set        = iso8859-15
    hide dot files            = no
    deadtime                 = 15
    keepalive                 = 30
    os level                     = 2
    interfaces                 = 1.1.1.1 1.1.1.2
    bind interfaces only = yes
    name resolve order   = wins lmhosts bcast
    wins server          = 1.2.3.4 2.3.4.5
    dns proxy            = no
    time offset          = 0
    smb ports            = 445
# winbind
    winbind separator    = +
    winbind uid          = 10000-20000
    winbind gid          = 10000-20000
    winbind cache time   = 15
    winbind enum users   = yes
    winbind enum groups  = yes
    winbind refresh tickets = yes
    template homedir     = /smbshare1/%U
    template shell       = /bin/false

    follow symlinks      = no
    NT acl support       = no
    create mask          = 0777
    map archive          = yes
    map hidden           = yes
    map system           = yes
    fstype                    = NTFS
    browseable           = no
    guest ok               = no


Excerpt from /etc/krb5.conf:

[libdefaults]
  default_realm = THEREALM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  ticket_lifetime = 10h
  forwardable = true
  proxyable = true

[realms]
  THEREALM = {
   kdc = dc1.blabblub:88
   kdc = dc2.blablub:88
   kdc = dc3.blablub:88
   admin_server = dc1.blablub:464
   default_domain = THEDOMAIN
  }

[domain_realm]
  .blablub = THEREALM
  .domain.blablub = THEREALM
  .bla = THEREALM

If you need more information, please let me know. Thanks in advance for 
your help.


Bye Tobias von der Krone

