[Samba] Authentication stops working after approx 5 mins - getent passwd fixes it for 5-10 mins

Stef Bezuidenhout ITBSJB at puknet.puk.ac.za
Fri Sep 30 14:04:11 GMT 2005


Hi, 
 
I'm running Red Hat Enterprise WS 4 with kernel 2.6.9-11. I also have the following: 
 
[root at itbsjb1 samba]# rpm -qa |grep samba 
system-config-samba-1.2.21-1 
samba-common-3.0.10-1.4E 
samba-swat-3.0.10-1.4E 
samba-3.0.10-1.4E 
samba-client-3.0.10-1.4E 
 
smb.conf: 
[root at itbsjb1 samba]# cat smb.conf 
# Samba config file created using SWAT 
# from 127.0.0.1 (127.0.0.1) 
# Date: 2005/09/30 15:27:17 
 
# Global parameters 
[global] 
        workgroup = PCM 
        realm = PCM.PUK.AC.ZA 
        server string = ITBSJB se SAMBA 
        security = ADS 
        password server = dc1-nt.pcm.puk.ac.za db-win1.pcm.puk.ac.za 
        log file = /var/log/samba/%m.log 
        max log size = 50 
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 
        dns proxy = No 
        ldap ssl = no 
        idmap uid = 16777216-33554431 
        idmap gid = 16777216-33554431 
        winbind separator = + 
        cups options = raw 
 
[printers] 
        comment = All Printers 
        path = /var/spool/samba 
        printable = Yes 
        browseable = No 
 
[Cabinet] 
        path = /mnt/usb/Cabinet 
        valid users = PCM+itbsjb, PCM+admin 
        #valid users = @PCM+Domain Admins 
        write list = PCM+admin, PCM+itbsjb 
        #write list = @PCM+Domain Admins 
        read only = No 
 
nsswitch.conf looks like this: 
[root at itbsjb1 etc]# cat nsswitch.conf 
# 
# /etc/nsswitch.conf 
# 
# An example Name Service Switch config file. This file should be 
# sorted with the most-used services at the beginning. 
# 
# The entry '[NOTFOUND=return]' means that the search for an 
# entry should stop if the search in the previous entry turned 
# up nothing. Note that if the search failed due to some other reason 
# (like no NIS server responding) then the search continues with the 
# next entry. 
# 
# Legal entries are: 
# 
#       nisplus or nis+         Use NIS+ (NIS version 3) 
#       nis or yp               Use NIS (NIS version 2), also called YP 
#       dns                     Use DNS (Domain Name Service) 
#       files                   Use the local files 
#       db                      Use the local database (.db) files 
#       compat                  Use NIS on compat mode 
#       hesiod                  Use Hesiod for user lookups 
#       [NOTFOUND=return]       Stop searching if not found so far 
# 
 
# To use db, put the db in front of files for entries you want to be 
# looked up first in the databases 
# 
# Example: 
#passwd:    db files nisplus nis 
#shadow:    db files nisplus nis 
#group:     db files nisplus nis 
 
passwd:     files winbind 
shadow:     files 
group:      files winbind 
 
#hosts:     db files nisplus nis dns 
hosts:      files dns 
 
# Example - obey only what nisplus tells us... 
#services:   nisplus [NOTFOUND=return] files 
#networks:   nisplus [NOTFOUND=return] files 
#protocols:  nisplus [NOTFOUND=return] files 
#rpc:        nisplus [NOTFOUND=return] files 
#ethers:     nisplus [NOTFOUND=return] files 
#netmasks:   nisplus [NOTFOUND=return] files 
 
bootparams: nisplus [NOTFOUND=return] files 
 
ethers:     files 
netmasks:   files 
networks:   files 
protocols:  files 
rpc:        files 
services:   files 
 
netgroup:   files 
 
publickey:  nisplus 
 
automount:  files 
aliases:    files nisplus 
 
My problem is that I can log in from my Active Directory to the Cabinet share using the itbsjb and admin accounts. This works for a while (approx 5-10 mins) and then stops working. Any login from any remote machine just fails authentication. 
 
In the winbind.log I find: 
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161) 
  user 'admin' does not exist 
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161) 
  user 'ADMIN' does not exist 
 
In the remotehost's log I get: 
[2005/09/30 15:29:17, 0] auth/auth_util.c:make_server_info_info3(1134) 
  make_server_info_info3: pdb_init_sam failed! 
[2005/09/30 15:32:48, 0] auth/auth_util.c:make_server_info_info3(1134) 
  make_server_info_info3: pdb_init_sam failed! 
[2005/09/30 15:32:50, 0] auth/auth_util.c:make_server_info_info3(1134) 
  make_server_info_info3: pdb_init_sam failed! 
 
However, if I run the getent passwd command it lists local and domain users like this: 
[root at itbsjb1 samba]# getent passwd |grep admin 
PCM+it3admin:*:16777220:16777216:it3admin:/home/PCM/it3admin:/bin/false 
PCM+avadmin:*:16777232:16777216:avadmin:/home/PCM/avadmin:/bin/false 
PCM+admin:*:16777370:16777216:Admin:/home/PCM/admin:/bin/false 
 
Once I run the getent, authentication starts working again and I can log in for 5 or 10 mins before it stops working again. Rerunning the getent passwd command fixes it time and time again, but only temporarily. 
 
The Active Directory is very big with thousands of users. My thoughts are that the query works as long as it's in the cache. Upon expiry it tries to auth from AD but times out, causing a logon failure. The getent command places the account in the cache, which causes it to work again till it expires once again. 
 
Does anybody have ideas for a permanent fix? 
 
Regards 
Stef Bezuidenhout 
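
The poster's hypothesis is that each authentication failure on the file server coincides with winbindd failing to resolve the user. The script below is an added example, not code from the poster or from the Samba project: it parses Samba's two-line log format (a bracketed timestamp/level/location header followed by an indented message), picks out the "pdb_init_sam failed!" events from the smbd log and the "user '...' does not exist" events from winbindd's log, pairs them within a time window, and reports the gaps between consecutive auth failures so the "works for a few minutes, then breaks" pattern can be confirmed from the logs rather than by feel. The sample log lines are constructed copies modelled on the ones quoted in the post, and the 5-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the log excerpts quoted in the post.
WINBIND_LOG = """\
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'admin' does not exist
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'ADMIN' does not exist
"""

SMBD_LOG = """\
[2005/09/30 15:29:17, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/09/30 15:32:48, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/09/30 15:32:50, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)\s*$")
NOT_EXIST = re.compile(r"user '([^']+)' does not exist")


def parse_samba_log(text):
    """Return a list of (timestamp, level, location, message) tuples.

    Samba writes a header line and then the message on the next, indented line;
    a header with no following message line is dropped.
    """
    events = []
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            pending = (ts, int(m.group(2)), m.group(3))
            continue
        if pending and line.startswith("  "):
            ts, level, loc = pending
            events.append((ts, level, loc, line.strip()))
            pending = None
    return events


def failed_lookups(winbind_events):
    """(timestamp, username) for every name winbindd_getpwnam could not resolve."""
    out = []
    for ts, _level, loc, msg in winbind_events:
        m = NOT_EXIST.match(msg)
        if m and "winbindd_getpwnam" in loc:
            out.append((ts, m.group(1)))
    return out


def auth_failures(smbd_events):
    """Timestamps at which smbd reported pdb_init_sam failing during logon."""
    return [ts for ts, _level, _loc, msg in smbd_events if "pdb_init_sam failed" in msg]


def correlate(smbd_events, winbind_events, window_seconds=5):
    """For each smbd auth failure, list the users winbindd failed to resolve
    within +/- window_seconds. An empty list means the auth failure has no
    matching lookup failure in the winbind log, which argues against the
    cache-expiry explanation for that particular event."""
    lookups = failed_lookups(winbind_events)
    results = []
    for ts in auth_failures(smbd_events):
        users = sorted({u for lts, u in lookups
                        if abs((lts - ts).total_seconds()) <= window_seconds})
        results.append({"time": ts.strftime("%Y/%m/%d %H:%M:%S"),
                        "lookup_failed_for": users})
    return results


def failure_gaps(smbd_events):
    """Whole seconds between consecutive auth failures, to see the repeat interval."""
    times = auth_failures(smbd_events)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    smbd = parse_samba_log(SMBD_LOG)
    winbind = parse_samba_log(WINBIND_LOG)
    for row in correlate(smbd, winbind):
        print(row["time"], "pdb_init_sam failed; unresolved users:", row["lookup_failed_for"])
    print("seconds between auth failures:", failure_gaps(smbd))
```

On a real server the two strings would be replaced by reading /var/log/samba/winbind.log and the per-client %m.log named in smb.conf; the first failure in the sample (15:29:17) has no matching winbind entry in the quoted excerpt, which is exactly the kind of gap worth checking in the full logs before settling on the cache-expiry explanation.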