[Samba] Authentication stops working after approx 5 mins - getent passwd fixes it for 5-10 mins

Stef Bezuidenhout ITBSJB at puknet.puk.ac.za
Mon Oct 3 07:18:25 GMT 2005


Hi,       
              
I'm running Red Hat Enterprise WS 4 with kernel 2.6.9-11. I also have the
following:
              
[root at itbsjb1 samba]# rpm -qa |grep samba       
system-config-samba-1.2.21-1       
samba-common-3.0.10-1.4E       
samba-swat-3.0.10-1.4E       
samba-3.0.10-1.4E       
samba-client-3.0.10-1.4E       
              
smb.conf:       
[root at itbsjb1 samba]# cat smb.conf       
# Samba config file created using SWAT       
# from 127.0.0.1 (127.0.0.1)       
# Date: 2005/09/30 15:27:17       
              
# Global parameters       
[global]       
               workgroup = PCM       
               realm = PCM.PUK.AC.ZA       
               server string = ITBSJB se SAMBA       
               security = ADS       
               password server = dc1-nt.pcm.puk.ac.za db-win1.pcm.puk.ac.za       
               log file = /var/log/samba/%m.log       
               max log size = 50       
               socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192       
               dns proxy = No       
               ldap ssl = no       
               idmap uid = 16777216-33554431       
               idmap gid = 16777216-33554431       
               winbind separator = +       
               cups options = raw       
              
[printers]       
               comment = All Printers       
               path = /var/spool/samba       
               printable = Yes       
               browseable = No       
              
[Cabinet]       
               path = /mnt/usb/Cabinet       
               valid users = PCM+itbsjb, PCM+admin       
               #valid users = @PCM+Domain Admins       
               write list = PCM+admin, PCM+itbsjb       
               #write list = @PCM+Domain Admins       
               read only = No       
              
nsswitch.conf looks like this:       
[root at itbsjb1 etc]# cat nsswitch.conf       
#       
# /etc/nsswitch.conf       
#       
# An example Name Service Switch config file. This file should be       
# sorted with the most-used services at the beginning.       
#       
# The entry '[NOTFOUND=return]' means that the search for an       
# entry should stop if the search in the previous entry turned       
# up nothing. Note that if the search failed due to some other reason       
# (like no NIS server responding) then the search continues with the       
# next entry.       
#       
# Legal entries are:       
#       
#       nisplus or nis+         Use NIS+ (NIS version 3)       
#       nis or yp               Use NIS (NIS version 2), also called YP       
#       dns                     Use DNS (Domain Name Service)       
#       files                   Use the local files       
#       db                      Use the local database (.db) files       
#       compat                  Use NIS on compat mode       
#       hesiod                  Use Hesiod for user lookups       
#       [NOTFOUND=return]       Stop searching if not found so far       
#       
              
# To use db, put the db in front of files for entries you want to be       
# looked up first in the databases       
#       
# Example:       
#passwd:    db files nisplus nis       
#shadow:    db files nisplus nis       
#group:     db files nisplus nis       
              
passwd:     files winbind       
shadow:     files       
group:      files winbind       
              
#hosts:     db files nisplus nis dns       
hosts:      files dns       
              
# Example - obey only what nisplus tells us...       
#services:   nisplus [NOTFOUND=return] files       
#networks:   nisplus [NOTFOUND=return] files       
#protocols:  nisplus [NOTFOUND=return] files       
#rpc:        nisplus [NOTFOUND=return] files       
#ethers:     nisplus [NOTFOUND=return] files       
#netmasks:   nisplus [NOTFOUND=return] files       
              
bootparams: nisplus [NOTFOUND=return] files       
              
ethers:     files       
netmasks:   files       
networks:   files       
protocols:  files       
rpc:        files       
services:   files       
              
netgroup:   files       
              
publickey:  nisplus       
              
automount:  files       
aliases:    files nisplus       
              
My problem is that I can log in from my Active Directory to the Cabinet
share using the itbsjb and admin accounts. This works for a while (approx.
5-10 mins) and then stops working. Any login from any remote machine just
fails authentication.
              
In the winbind.log I find:       
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)       
         user 'admin' does not exist       
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)       
         user 'ADMIN' does not exist       
              
In the remotehost's log I get:       
[2005/09/30 15:29:17, 0] auth/auth_util.c:make_server_info_info3(1134)       
         make_server_info_info3: pdb_init_sam failed!       
[2005/09/30 15:32:48, 0] auth/auth_util.c:make_server_info_info3(1134)       
         make_server_info_info3: pdb_init_sam failed!       
[2005/09/30 15:32:50, 0] auth/auth_util.c:make_server_info_info3(1134)       
         make_server_info_info3: pdb_init_sam failed!       
              
However, if I run the getent passwd command it lists local and domain users
like this:
[root at itbsjb1 samba]# getent passwd |grep admin       
PCM+it3admin:*:16777220:16777216:it3admin:/home/PCM/it3admin:/bin/false       
PCM+avadmin:*:16777232:16777216:avadmin:/home/PCM/avadmin:/bin/false       
PCM+admin:*:16777370:16777216:Admin:/home/PCM/admin:/bin/false       
              
Once I run getent, authentication starts working again and I can log in
for 5 or 10 mins before it stops working again. Rerunning the getent passwd
command fixes it time and time again, but only temporarily.
              
The Active Directory is very big, with thousands of users. My thoughts are
that the query works as long as it's in the cache. Upon expiry it tries to
auth from AD but times out, causing a logon failure. The getent command
places the account in the cache, which causes it to work again till it
expires once again.
              
Does anybody have ideas for a permanent fix?
              
Regards       
Stef Bezuidenhout       
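Editor's added example (not part of the original post or of Samba): a small check for the cache-expiry hypothesis above. It parses the two-line log record format quoted in the post (bracketed timestamp/level/location header, then an indented message), picks out the "pdb_init_sam failed" and "does not exist" records, and for each one reports how many seconds have elapsed since the most recent `getent passwd` warm-up. If the hypothesis holds, every failure should land outside the winbind cache window; the 300 s used here is Samba 3.0's default for `winbind cache time`, which matches the "approx 5 mins" in the subject line. The log text is constructed from the timestamps in the post plus one invented record at 15:36:10 that deliberately falls inside the window, and the two warm-up times are invented too; in practice you would feed it the real logs and the timestamps of your own getent runs.

```python
import re
from datetime import datetime

# Samba 3.x log record: a bracketed header line, then one indented message line, e.g.
#   [2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
#            user 'admin' does not exist
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")

# Message substrings that mark a failed lookup/authentication in the post's logs.
FAILURE_MARKERS = ("pdb_init_sam failed", "does not exist")

# Samba 3.0 default for the `winbind cache time` parameter, in seconds.
DEFAULT_CACHE_TIME = 300

# Constructed input: the records quoted in the post (remote host log + winbind.log)
# plus one INVENTED record at 15:36:10 to exercise the inside-window path.
SAMPLE_LOG = """\
[2005/09/30 15:29:17, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/09/30 15:32:48, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/09/30 15:32:50, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'admin' does not exist
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'ADMIN' does not exist
[2005/09/30 15:36:10, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
"""

# Hypothetical times at which `getent passwd` was run (assumed, not from the post).
SAMPLE_WARMUPS = ["2005/09/30 15:20:00", "2005/09/30 15:35:00"]


def parse_samba_log(text):
    """Return [(timestamp, debug_level, location, message)] from Samba's two-line records."""
    records, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                      int(m.group(2)), m.group(3))
        elif header and line:
            records.append(header + (line,))
            header = None  # a header carries exactly one message line
    return records


def auth_failures(records):
    """Keep only records whose message carries one of the failure markers."""
    return [r for r in records if any(k in r[3] for k in FAILURE_MARKERS)]


def correlate(log_text, warmup_times, cache_time=DEFAULT_CACHE_TIME):
    """For each failure, seconds since the last preceding warm-up and whether that
    exceeds the cache window (the post's hypothesis predicts every failure does)."""
    warmups = sorted(datetime.strptime(w, "%Y/%m/%d %H:%M:%S") for w in warmup_times)
    out = []
    for ts, level, loc, msg in auth_failures(parse_samba_log(log_text)):
        prior = [w for w in warmups if w <= ts]
        since = int((ts - prior[-1]).total_seconds()) if prior else None
        out.append({
            "time": ts.strftime("%H:%M:%S"),
            "where": loc.split(":")[0],          # source file, e.g. auth/auth_util.c
            "message": msg,
            "secs_since_warmup": since,          # None if no warm-up preceded it
            "outside_cache": since is None or since > cache_time,
        })
    return out


def summarize(results):
    """Count failures inside/outside the cache window; 'inside' > 0 means the
    cache-expiry explanation does not account for everything in the log."""
    outside = sum(1 for r in results if r["outside_cache"])
    return {"total": len(results), "outside": outside, "inside": len(results) - outside}


if __name__ == "__main__":
    res = correlate(SAMPLE_LOG, SAMPLE_WARMUPS)
    for r in res:
        print(f'{r["time"]} {r["where"]:<26} +{r["secs_since_warmup"]}s '
              f'{"OUTSIDE" if r["outside_cache"] else "inside"} window: {r["message"]}')
    print(summarize(res))
```

With the constructed input, the three remote-host failures and the two winbind "does not exist" records all fall 557-770 s after the 15:20:00 warm-up, i.e. beyond the 300 s window, while the invented 15:36:10 record sits only 70 s after the 15:35:00 warm-up and is flagged as inside it. Run against real logs, any failure reported inside the window is the case to look at first, since a cache expiry alone cannot explain it.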