[Samba] winbind trouble under load?

Samba Samba /pers samba at skola.skelleftea.se
Tue Oct 1 12:13:00 GMT 2002


We have a large W2K domain with numerous terminalservers at the local
sites. Those sites also have a linux-2.2.20 server with samba-2.2.5.
The samba is used to store the profiles for both the terminalservers
and for the windows 2000/xp clients.

I use winbind and have joined the server to the domain without problem. I
can set rights on directories and so on. However from time to time when the
users login to the W2K terminalserver they get a popup-message:

"
Windows can't locate your roaming profile and is attempting to log you on
with your local profile. Changes to the profile will not be propagated to
the server.

DETAIL - The specified network password is not correct.  
"

However, since the user can log in, there is nothing wrong with their
password. One of my theories is that there is something wrong when samba
tries to auth the user to the W2K domain. Either it has lost the connection
(and can't reconnect automatically) or there is some other error. The user
does get a logon but is of course missing their profiles and such. Since
this is a school environment the users log in at much the same time, and
another idea I have is that the problem seems to show up when many users
log in at the same time.

I have tried both samba-2.2.5 and currently samba-2.2.6cvs (020926). The
problem still persists. This is leading me to the maillist in search for
an answer.

I have disabled the "winbind enum user/groups" since if I enable them
winbind goes into a nonresponsive state, probably due to the fact that we
have 10K users and more.

I'm also testing letting samba create the user's profile directory, but
that didn't affect the problem.

Samba also seems to lose the ability to look up the user's name in the
domain and displays them like this:

drwx------    4 10283     SKOLA\Do     4096 Aug 22 23:30 dla0826

instead of:
drwx------    4 SKOLA\dla0826     SKOLA\Do     4096 Aug 22 23:30 dla0826

I have enclosed all my logs and the configuration.

This is turning into a major problem with the users and if I can't get this
fixed then my only other option is to move the profiles back to the
windows2000 fileservers. However that option would leave me with needing
to transfer the profiles over the WAN to the users site.

smb.conf (from testparm)
root at ka-proxy /var/log/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[tftp$]"
Processing section "[installZone]"
Processing section "[profiler$]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[datasal]"
No path in service datasal - using /tmp
Processing section "[bravo]"
No path in service bravo - using /tmp
Processing section "[media]"
No path in service media - using /tmp
Processing section "[axet]"
No path in service axet - using /tmp
Processing section "[orion]"
No path in service orion - using /tmp
Loaded services file OK.
WARNING: You have some share names that are longer than 8 chars
These may give errors while browsing or may not be accessible
to some older clients
Press enter to see a dump of your service definitions
# Global parameters
[global]
	coding system = 
	client code page = 850
	code page directory = /etc/samba/codepages
	workgroup = SKOLA
	netbios name = 
	netbios aliases = 
	netbios scope = 
	server string = Trustix Samba Server
	interfaces = br0
	bind interfaces only = No
	security = DOMAIN
	encrypt passwords = Yes
	update encrypted = No
	allow trusted domains = Yes
	hosts equiv = 
	min passwd length = 5
	map to guest = Never
	null passwords = No
	obey pam restrictions = No
	password server = *
	smb passwd file = /etc/samba/smbpasswd
	root directory = 
	pam password change = No
	passwd program = /usr/bin/passwd
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	username map = 
	password level = 0
	username level = 0
	unix password sync = No
	restrict anonymous = No
	lanman auth = Yes
	use rhosts = No
	ssl = No
	ssl hosts = 
	ssl hosts resign = 
	ssl CA certDir = 
	ssl CA certFile = 
	ssl server cert = 
	ssl server key = 
	ssl client cert = 
	ssl client key = 
	ssl egd socket = 
	ssl entropy file = 
	ssl entropy bytes = 256
	ssl require clientcert = No
	ssl require servercert = No
	ssl ciphers = 
	ssl version = ssl2or3
	ssl compatibility = No
	admin log = No
	log level = 0
	syslog = 1
	syslog only = No
	log file = /var/log/samba/log.%I
	max log size = 5000
	timestamp logs = Yes
	debug hires timestamp = No
	debug pid = No
	debug uid = No
	protocol = NT1
	large readwrite = No
	max protocol = NT1
	min protocol = CORE
	read bmpx = No
	read raw = Yes
	write raw = Yes
	nt smb support = Yes
	nt pipe support = Yes
	nt status support = Yes
	announce version = 4.9
	announce as = NT
	max mux = 50
	max xmit = 65535
	name resolve order = wins host lmhosts bcast
	max packet = 65535
	max ttl = 259200
	max wins ttl = 518400
	min wins ttl = 21600
	time server = No
	unix extensions = No
	change notify timeout = 60
	deadtime = 0
	getwd cache = Yes
	keepalive = 300
	lpq cache time = 10
	max smbd processes = 0
	max disk size = 0
	max open files = 10000
	name cache timeout = 660
	read size = 16384
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	stat cache size = 50
	use mmap = Yes
	total print jobs = 0
	load printers = No
	printcap name = /etc/printcap
	disable spoolss = No
	enumports command = 
	addprinter command = 
	deleteprinter command = 
	show add printer wizard = Yes
	os2 driver map = 
	strip dot = No
	mangling method = hash
	character set = 
	mangled stack = 50
	stat cache = Yes
	domain admin group = 
	domain guest group = 
	machine password timeout = 604800
	add user script = 
	delete user script = 
	logon script = 
	logon path = \\%N\%U\profile
	logon drive = 
	logon home = \\%N\%U
	domain logons = No
	os level = 32
	lm announce = Auto
	lm interval = 60
	preferred master = True
	local master = Yes
	domain master = False
	browse list = Yes
	enhanced browsing = Yes
	dns proxy = Yes
	wins proxy = No
	wins server = 193.180.x.z
	wins support = No
	wins hook = 
	kernel oplocks = Yes
	lock spin count = 3
	lock spin time = 10
	oplock break wait time = 0
	add share command = 
	change share command = 
	delete share command = 
	config file = 
	preload = 
	lock dir = /var/cache/samba
	pid directory = /var/run
	default service = 
	message command = 
	dfree command = 
	valid chars = 
	remote announce = 
	remote browse sync = 
	socket address = 0.0.0.0
	homedir map = auto.home
	time offset = 0
	NIS homedir = No
	source environment = 
	panic action = 
	hide local users = No
	winbind uid = 10000-40000
	winbind gid = 10000-40000
	template homedir = /dev/null
	template shell = /bin/false
	winbind separator = \
	winbind cache time = 15
	winbind enum users = No
	winbind enum groups = No
	winbind use default domain = No
	comment = 
	path = 
	alternate permissions = No
	username = 
	guest account = nobody
	invalid users = 
	valid users = 
	admin users = 
	read list = 
	write list = 
	printer admin = @"SKOLA\Support",@"SKOLA\Administrators"
	force user = 
	force group = 
	read only = Yes
	create mask = 0744
	force create mode = 00
	security mask = 0777
	force security mode = 00
	directory mask = 0755
	force directory mode = 00
	directory security mask = 0777
	force directory security mode = 00
	force unknown acl user = 00
	inherit permissions = No
	inherit acls = No
	guest only = No
	guest ok = No
	only user = No
	hosts allow = 
	hosts deny = 
	status = Yes
	nt acl support = Yes
	profile acls = No
	block size = 1024
	max connections = 0
	min print space = 0
	strict allocate = No
	strict sync = No
	sync always = No
	write cache size = 0
	max print jobs = 1000
	printable = No
	postscript = No
	printing = bsd
	print command = lpr -r -P%p %s
	lpq command = lpq -P%p
	lprm command = lprm -P%p %j
	lppause command = 
	lpresume command = 
	queuepause command = 
	queueresume command = 
	printer name = 
	use client driver = No
	default devmode = No
	printer driver = 
	printer driver file = /etc/samba/printers.def
	printer driver location = 
	default case = lower
	case sensitive = No
	preserve case = Yes
	short preserve case = Yes
	mangle case = No
	mangling char = ~
	hide dot files = Yes
	hide unreadable = No
	delete veto files = No
	veto files = 
	hide files = 
	veto oplock files = 
	map system = No
	map hidden = No
	map archive = Yes
	mangled names = Yes
	mangled map = 
	browseable = Yes
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	locking = Yes
	oplocks = Yes
	level2 oplocks = Yes
	oplock contention limit = 2
	posix locking = Yes
	strict locking = No
	share modes = Yes
	copy = 
	include = 
	exec = 
	preexec close = No
	postexec = 
	root preexec = 
	root preexec close = No
	root postexec = 
	available = Yes
	volume = 
	fstype = NTFS
	set directory = No
	wide links = Yes
	follow symlinks = Yes
	dont descend = 
	magic script = 
	magic output = 
	delete readonly = No
	dos filemode = No
	dos filetimes = No
	dos filetime resolution = No
	fake directory create times = No
	vfs object = 
	vfs options = 

[profiler$]
	path = /samba/profiler
	valid users = @"SKOLA\KA Personal", @"SKOLA\KA Elev", @"SKOLA\KA Diverse"
	admin users = @"SKOLA\Domain Admins"
	read only = No
	directory mask = 0700
	browseable = No
	exec = /usr/local/bin/crehome.sh %U

-----------------
/usr/local/bin/crehome.sh
#!/bin/sh

# 1.0.1 (2002-09-23)

# %U from smb.conf: the session username supplied by the client
SMBUSER=$1

# Create the profile directory tree on first connect; quote every
# expansion so names containing spaces or backslashes stay one argument
if [ ! -d "/samba/profiler/$SMBUSER" ]; then
  echo "creating $SMBUSER" >> /tmp/crehome.txt
  mkdir "/samba/profiler/$SMBUSER" >> /tmp/crehome.txt
  mkdir "/samba/profiler/$SMBUSER/nt" >> /tmp/crehome.txt
  mkdir "/samba/profiler/$SMBUSER/ts" >> /tmp/crehome.txt
  chgrp -R "SKOLA\Domain Users" "/samba/profiler/$SMBUSER" >> /tmp/crehome.txt
  chmod 700 "/samba/profiler/$SMBUSER" >> /tmp/crehome.txt
  echo "-----------------" >> /tmp/crehome.txt
fi


-----------------

Error on terminalserver:

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1000
Date:		2002-10-01
Time:		09:26:03
User:		SKOLA\llu0731
Computer:	KA-WTS01
Description:
Windows cannot locate your roaming profile and is attempting to log you on
with your local profile. Changes to the profile will not be propagated to
the server. 

DETAIL - The specified network password is not correct.  

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1000
Date:		2002-10-01
Time:		09:26:04
User:		NT AUTHORITY\SYSTEM
Computer:	KA-WTS01
Description:
Windows cannot find the local profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when you
log off. 

....

"The specified network password is not correct" is however bullshit.

-------------------

Error on W2K DC

Event Type:	Error
Event Source:	Srv
Event Category:	None
Event ID:	2006
Date:		2002-09-30
Time:		12:28:58
User:		N/A
Computer:	DC01
Description:
The server received an incorrectly formatted request from \\193.180.x.y
Data:
0000: 00 00 34 00 02 00 7c 00   ..4...|.
0008: 00 00 00 00 d6 07 00 c0   ....Ö..À
0010: 00 00 00 00 01 20 98 c0   ..... ?À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: b3 06 00 00 ff 53 4d 42   ³...ÿSMB
0030: 25 00 00 00 00 08 01 c0   %......À
0038: 00 00 00 00 00 00 00 00   ........
0040: 00 00 00 00 00 d0 6d 38   .....Ðm8
0048: 02 50 01 00 10 00 00 48   .P.....H
0050: 00 00 00 48 00 00 00 00   ...H....
0058: 00 00 00 00               ....    

-------------------

/var/log/samba/log.winbind (earlier errors not related in time to the
login troubles)

[2002/09/30 01:01:31, 0] lib/util_sock.c:read_socket_with_timeout(300)
  read_socket_with_timeout: timeout read. read error = Connection reset by
peer.
[2002/09/30 01:01:31, 0] rpc_client/cli_pipe.c:rpc_api_pipe(359)
  cli_pipe: return critical error. Error was SUCCESS - 0
[2002/09/30 01:25:31, 0] lib/util_sock.c:read_socket_with_timeout(300)
  read_socket_with_timeout: timeout read. read error = Connection reset by
peer.
[2002/09/30 01:25:31, 0] rpc_client/cli_pipe.c:rpc_api_pipe(359)
  cli_pipe: return critical error. Error was SUCCESS - 0
[2002/09/30 07:51:59, 0] lib/util_sock.c:read_socket_with_timeout(300)
  read_socket_with_timeout: timeout read. read error = Connection reset by
peer.
[2002/09/30 07:51:59, 0] rpc_client/cli_pipe.c:rpc_api_pipe(359)
  cli_pipe: return critical error. Error was SUCCESS - 0

-------------------

/var/log/samba/log.193.180.x.y (the terminalserver)

[2002/10/01 13:21:50, 0] smbd/sec_ctx.c:initialise_groups(244)
  Unable to initgroups. Error was Input/output error

The logs are full of those messages. However, I think they are due to
the fact that I have winbind enum groups = no in /etc/samba/smb.conf

-------------------

Any log I missed?

=====================================================
Janåke Rönnblom
SKERIA Utveckling AB (Teknous)
Assistentgatan 23
931 77 Skelleftea (Sweden)
-----------------------------------------------------
Phone  : +46-910-585424
Mobile : 070-3970743
Fax    : +46-910-585499
URL    : http://skeria.skelleftea.se
-----------------------------------------------------
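
Added example, not part of the original post: one way to test whether the failed profile loads line up in time with winbind or smbd errors is to parse the Samba logs into timestamped records and list the errors logged within a window around each Userenv event 1000. The sample log text is constructed in the post's log format (only the 09:26:03 failure time comes from the post), and it assumes the Samba host and the terminal server keep synchronized clocks in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Samba 2.2 debug header, e.g. "[2002/09/30 01:01:31, 0] lib/util_sock.c:read_socket_with_timeout(300)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\] (\S+):(\w+)\((\d+)\)")

def parse_samba_log(text):
    """Return a list of (timestamp, function, message) records.

    Every line after a header belongs to that record until the next header,
    including wrapped fragments such as a bare "peer." on its own line.
    """
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append([ts, m.group(4), ""])
        elif records and line.strip():
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def errors_near(records, logon_failures, window_s=60):
    """Map each failed-logon time to the Samba records logged within window_s of it."""
    win = timedelta(seconds=window_s)
    return {t: [r for r in records if abs(r[0] - t) <= win] for t in logon_failures}

# Constructed sample: message texts follow the post's logs, timestamps are invented.
SAMPLE = """\
[2002/10/01 09:25:58, 0] lib/util_sock.c:read_socket_with_timeout(300)
  read_socket_with_timeout: timeout read. read error = Connection reset by
peer.
[2002/10/01 09:25:58, 0] rpc_client/cli_pipe.c:rpc_api_pipe(359)
  cli_pipe: return critical error. Error was SUCCESS - 0
[2002/10/01 09:26:02, 0] smbd/sec_ctx.c:initialise_groups(244)
  Unable to initgroups. Error was Input/output error
[2002/10/01 13:21:50, 0] smbd/sec_ctx.c:initialise_groups(244)
  Unable to initgroups. Error was Input/output error
"""
# Userenv event 1000 times: the first is from the post, the second is constructed.
FAILURES = [datetime(2002, 10, 1, 9, 26, 3), datetime(2002, 10, 1, 11, 0, 0)]

if __name__ == "__main__":
    hits = errors_near(parse_samba_log(SAMPLE), FAILURES)
    for t, recs in hits.items():
        print(t, "->", [(r[0].time().isoformat(), r[1]) for r in recs] or "no Samba errors nearby")
```

A failure time with no nearby records points away from winbind for that logon; many failures clustered inside one window alongside rpc_api_pipe errors would support the load theory.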




