Winbind, Windows 2003 DC, NT_STATUS_IO_TIMEOUT

Kenny Dinh kdinh at peaxy.net
Wed Jul 1 19:18:54 CEST 2015 

Hi all,

My environment is running SAMBA 4.1.13, and the DC is running Windows 2003
Srv.  The system running SAMBA (kdinh-hf) is joined to a domain named
"REPUBLIC".  The domain controller hosting republic is
republicdc.republic.windc.

After leaving samba idle for a long period of time ( >15 minutes), running
"wbinfo --user-groups" returned NT_STATUS_IO_TIMEOUT.
>From the logs, it showed LIST_TRUSTDOM --> trusted_domains(), is being
processed every 300 seconds, via the default of "winbindd cache timeout".

In the normal case, winbindd_ads.c's trusted_domains() calls
dcerpc_netr_DsrEnumerateDomainTrusts() (F1).  When F1 returns
NT_STATUS_IO_TIMEOUT, this status is propagated back to winbindd_cache.c's
trusted_domains().  As a result, set_domain_offline() is called to cleanup
and re-establish connection to the domain controller.  The named pipe
\netlogon is cleaned up during invalidate_cm_connetion().  The next attempt
to process trusted_domains() will try to establish connection to \netlogon
named pipe.

In the attached log files, the tail of each log showed execution of the
above operation.  Both logs showed it was going through the exact same
path.  However, in the success_s log, connection to \netlogon named pipe
was successfully established.  Subsequent operations continue
successfully.  In the failure_s log, the \netlogon named pipe creation
failed with NT_STATUS_IO_TIMEOUT.

It was not very clear from the winbind code, so I was hoping someone from
the list could shed some lights on the following questions:


   1. The creation of connection to \netlogon was being sent via
   smb1cli_req_send().  Is the open connection to \netlogon named pipe done on
   top of an existing smb connection?  If this is the case, when I get
   STATUS_IO_TIMEOUT, which code path I need to call to re-establish the
   underlying smb connection?
   2. Is it a normal expectation to get NT_STATUS_IO_TIMEOUT from the
   domain controller during opening a connection to \netlogon named pipe?  If
   so, what would be a logical explanation for such a behavior.  I ask this
   question because I expect success if I try to open a new connection to
   \netlogon named pipe.

Thanks,
~Kenny
-------------- next part --------------
A non-text attachment was scrubbed...
Name: failure_s
Type: application/octet-stream
Size: 186293 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150701/c3d43969/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: success_s
Type: application/octet-stream
Size: 868629 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150701/c3d43969/attachment-0003.obj>

More information about the samba-technical mailing list