[Samba] winbind timeouts

Gerald (Jerry) Carter jerry at samba.org
Fri Aug 8 06:11:18 GMT 2003

Hash: SHA1

On 4 Aug 2003, Chris Douglass wrote:

> Hello,
> I have tried posting to comp.protocols.smb with no luck. Please help.
> I am running:
> Slackware 9.0 (x86)
> kernel 2.4.21
> samba 3.0b3
> MIT kerberos5 v1.2.7
> I am testing samba 3.0b3 as part of migrating my site to Active
> Directory. Compiles/installs OK. When winbindd is started, it looks for
> the list of trusted domains and then queries those domains for
> user/group info. When I have the samba3b3 box joined to an NT4 domain,
> it takes about 15 minutes to get this info from all domains.  (roughly
> 60000+ user accounts in many domains.)
> When the machine is joined to the AD domain, though, it gets list of
> IP's for each domain on servers it can try to get the user/group data
> from. Many of the IP addresses it is obtaining are bad in almost every
> domain it contacts (cannot nslookup, ping, traceroute, or query WINS
> with any results). Winbindd just sits there until it times out, then
> tries the next one. The problem is that it takes many HOURS of waiting
> to get a full list generated so that I can run 'getent passwd'. Then I
> have to start the wait all over again so that 'getent group' works also.
> Once winbindd is queried, the test box is useless from the network until
> it's done (including plain Linux stuff like ssh)
>  Everyting is fine at this point until I restart winbindd, then the
> whole thing starts over again.

you have a DNS or name server problem.  Fix that.

> These are my questions:
> I thought that winbindd was supposed to cache all this info. Why doesn't
> it read the cache when it's restarted instead of getting new
> information?

It does cache,  on disk cache works well but does not contain everything.
failed connection caches are in memory so they are reset upon restart.
Once we get a connection we hold onto it as along as possible.

> Is there something that can be done to tell winbindd not to try to query
> servers that aren't actually up? 

Fix your name service.

> Where is this list of IP's coming from? Are these a bunch of dead
> accounts being reported from some Server Manager on a PDC? 

Are you using security = ads?  Probably from a SRV record in DNS for 
_ldap._tcp.<your domain>

cheers, jerry
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)

Version: GnuPG v1.2.1 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/


More information about the samba mailing list