[Samba] "Insufficient system resources.." Winbindd throttles PDC's SAM?

Ron Creamer ron at pageworks.com
Wed Mar 20 10:23:03 GMT 2002


Cross Posting to comp.protocols.smb

Here's the scenario:

RH 7.2 server running Samba 2.2.3a with winbindd. Our PDC is NT 4 based.
Samba server uses "security = domain", "password server = *".

o I am able to join server to the domain.
o wbinfo -t works. So does wbinfo -g and wbinfo -u (initially).
o Server successfully logs samba clients on and maps them to the UNIX
accounts.
o Samba life is good

I don't know if it is because of all the mapping going on or what, but
after about 4-6 hours, I get the following symptoms:

o wbinfo -u or wbinfo -t produces "Error looking up domain users"
o wbinfo -t still says "secret is good"
o /var/log/samba/smbd.log shows nothing important
o /var/log/samba/winbindd shows: [timestamp]
nsswitch/winbindd_group.c:winbindd_getgrent(736) could not lookup domain
group MYDOMAIN+mygroup
o "getent group" and "getent password" fail to get my winbindd (NT
Domain) accounts
o I log on to the PDC (NT4 sp6a + latest patches) and try to run "User
Manager for Domains". I get the following error: "Insufficient system
resources exist to complete the requested service." "Do you want to
select another domain to administer"?
o netstat -a shows about 35 STREAM connections to /tmp/.winbindd/pipe
o I need to restart the PDC (not samba) and all is fine. Or, if I kill
off winbindd and restart it (leaving PDC alone).. all is well

Microsoft Knowledgebase article Q191634 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q191634

"When a user logs on to a domain in which group policies are
implemented, a \PIPE\samr connection is established with the PDC to
verify group membership for this user. After the verification process,
the \PIPE\samr connection is not released. These \PIPE\samr connections
eventually exceed the limit of 2,048. 

After this limit is reached, no new processes requiring security account
manager (SAM) access can connect to the PDC until you restart the
computer. Server Manager and User Manager for Domains require a
connection to the PDC for domain administration. Their failure to make
this connection results in the preceding error message."

They claim upgrade to service pack 4 (I'm running 6a). It didn't help.

Is samba's winbindd not releasing the pipe connections it no longer
needs on the PDC?

It's not a large network. Only about 25 users, of which only 8-10 are
accessing samba.

'Tis quite inconvenient to restart the PDC every few hours ;)

Has anybody seen this? Any help would be appreciated.

-Ron



