[Samba] winbind timeouts
ALLEN.C.DOUGLASS at saic.com
Fri Aug 8 10:12:05 GMT 2003
From: Gerald (Jerry) Carter
To: Chris Douglass
Cc: samba at lists.samba.org
Sent: 8/7/2003 11:11 PM
Subject: Re: [Samba] winbind timeouts
On 4 Aug 2003, Chris Douglass wrote:
>> I have tried posting to comp.protocols.smb with no luck. Please help.
>> I am running:
>> Slackware 9.0 (x86)
>> kernel 2.4.21
>> samba 3.0b3
>> MIT kerberos5 v1.2.7
>> I am testing samba 3.0b3 as part of migrating my site to Active
>> Directory. Compiles/installs OK. When winbindd is started, it looks up
>> the list of trusted domains and then queries those domains for
>> user/group info. When I have the samba3b3 box joined to an NT4 domain,
>> it takes about 15 minutes to get this info from all domains. (roughly
>> 60000+ user accounts in many domains.)
>> When the machine is joined to the AD domain, though, it gets list of
>> IP's for each domain on servers it can try to get the user/group data
>> from. Many of the IP addresses it is obtaining are bad in almost every
>> domain it contacts (cannot nslookup, ping, traceroute, or query WINS
>> with any results). Winbindd just sits there until it times out, then
>> tries the next one. The problem is that it takes many HOURS of waiting
>> to get a full list generated so that I can run 'getent passwd'. Then I
>> have to start the wait all over again so that 'getent group' works
>> Once winbindd is queried, the test box is useless from the network until
>> it's done (including plain Linux stuff like ssh)
>> Everything is fine at this point until I restart winbindd, then the
>> whole thing starts over again.
> you have a DNS or name server problem. Fix that.
Since posting I have come to this conclusion also. My local domains are no
problem. Another IT dept is in charge of corporate wide DNS, and does not
allow AD zones to be replicated upstream. Therefore AD DC's have an A
record (authoritative) at the Corporate DNS servers, but no SRV records. I'm
planning on fixing this by slaving zones from the other AD sites.
Unfortunately the real problem domain is NT4.
>> These are my questions:
>> I thought that winbindd was supposed to cache all this info. Why
>> it read the cache when it's restarted instead of getting new
>It does cache, on disk cache works well but does not contain
>failed connection caches are in memory so they are reset upon restart.
>Once we get a connection we hold onto it as along as possible.
>> Is there something that can be done to tell winbindd not to try to
>> servers that aren't actually up?
>Fix your name service.
>> Where is this list of IP's coming from? Are these a bunch of dead
>> accounts being reported from some Server Manager on a PDC?
>Are you using security = ads? Probably from a SRV record in DNS for
Yes I am, but the offending domain is not AD.
With an NT4 domain, this would be WINS only, right? I have 4 corporate wide
WINS servers available to me. If I do 'net lookup dc <PROBLEM_NT4_DOMAIN>' I
get a list of 24 IP's. Almost 1/2 of them have no entry in DNS, and 'wbinfo
-I' also shows no hostname. Barring a bad master browse list, where else can
this come from?
> Hewlett-Packard ------------------------- http://www.hp.com
> SAMBA Team ---------------------- http://www.samba.org
> GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
> "You can never go home again, Oatman, but I guess you can shop there."
> --John Cusack - "Grosse Point Blank" (1997)
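As an added example (not code from this thread or from Samba), a small Python triage script that takes the IP list `net lookup dc` returns and checks each address for a PTR record and a bounded TCP connect to the SMB port, so the dead entries winbindd would otherwise wait on can be identified up front. The addresses are constructed TEST-NET values, and the resolver and connector are injectable so the classification logic runs offline.

```python
import re
import socket

# Constructed sample of `net lookup dc <DOMAIN>` output (TEST-NET addresses, not real DCs)
SAMPLE_NET_LOOKUP = """192.0.2.10
192.0.2.11
198.51.100.7
203.0.113.4
"""

IPV4_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')

def parse_dc_list(text):
    """Return the valid IPv4 addresses in a `net lookup dc` listing, de-duplicated, order kept."""
    seen, out = set(), []
    for line in text.splitlines():
        ip = line.strip()
        m = IPV4_RE.match(ip)
        if m and all(int(o) <= 255 for o in m.groups()) and ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out

def reverse_name(ip):
    """PTR lookup; None when the resolver has no record (what the thread saw for about half the DCs)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def smb_reachable(ip, port=445, timeout=2.0):
    """Bounded TCP connect to the SMB port: a dead DC costs seconds here, not winbindd's full timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(ips, resolve=reverse_name, connect=smb_reachable):
    """Classify each candidate DC; resolve/connect are injectable so this can be tested offline."""
    report = {}
    for ip in ips:
        name, up = resolve(ip), connect(ip)
        if name and up:   status = "ok"
        elif up:          status = "up-no-ptr"    # answers SMB but name service is missing it
        elif name:        status = "named-dead"   # DNS knows it, nobody answers: stale record
        else:             status = "dead"         # no PTR, no SMB: the entries winbindd wastes hours on
        report[ip] = {"name": name, "smb": up, "status": status}
    return report

def dead_dcs(report):
    """Addresses that did not answer on the SMB port, sorted for a stable report."""
    return sorted(ip for ip, r in report.items() if not r["smb"])

if __name__ == "__main__":
    for ip, r in triage(parse_dc_list(SAMPLE_NET_LOOKUP)).items():
        print(f"{ip:16} {r['name'] or '-':30} smb={'open' if r['smb'] else 'closed'} {r['status']}")
```

Run it against the real output of `net lookup dc <DOMAIN>` (or the `wbinfo -I` results) to see which of the 24 entries are worth keeping in WINS and DNS before restarting winbindd.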