[Samba] Authentication stops working after approx 5 mins - getent passwd fixes it for 5-10 mins
Stef Bezuidenhout
ITBSJB at puknet.puk.ac.za
Fri Sep 30 14:04:11 GMT 2005
Hi,
I'm running Red Hat Enterprise WS 4 with kernel 2.6.9-11. Also I have the following:
[root@itbsjb1 samba]# rpm -qa | grep samba
system-config-samba-1.2.21-1
samba-common-3.0.10-1.4E
samba-swat-3.0.10-1.4E
samba-3.0.10-1.4E
samba-client-3.0.10-1.4E
smb.conf:
[root@itbsjb1 samba]# cat smb.conf
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/09/30 15:27:17
# Global parameters
[global]
workgroup = PCM
realm = PCM.PUK.AC.ZA
server string = ITBSJB se SAMBA
security = ADS
password server = dc1-nt.pcm.puk.ac.za db-win1.pcm.puk.ac.za
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = +
cups options = raw
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[Cabinet]
path = /mnt/usb/Cabinet
valid users = PCM+itbsjb, PCM+admin
#valid users = @PCM+Domain Admins
write list = PCM+admin, PCM+itbsjb
#write list = @PCM+Domain Admins
read only = No
nsswitch.conf looks like this:
[root@itbsjb1 etc]# cat nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files winbind
shadow: files
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
My problem is that I can log in from my Active Directory to the Cabinet share using the itbsjb and admin accounts. This works for a while (approx 5-10 mins) and then stops working. Any login from any remote machine just fails authentication.
In the winbind.log I find:
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'admin' does not exist
[2005/09/30 15:32:50, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'ADMIN' does not exist
In the remotehost's log I get:
[2005/09/30 15:29:17, 0] auth/auth_util.c:make_server_info_info3(1134)
make_server_info_info3: pdb_init_sam failed!
[2005/09/30 15:32:48, 0] auth/auth_util.c:make_server_info_info3(1134)
make_server_info_info3: pdb_init_sam failed!
[2005/09/30 15:32:50, 0] auth/auth_util.c:make_server_info_info3(1134)
make_server_info_info3: pdb_init_sam failed!
However, if I run the getent passwd command it lists local and domain users like this:
[root@itbsjb1 samba]# getent passwd | grep admin
PCM+it3admin:*:16777220:16777216:it3admin:/home/PCM/it3admin:/bin/false
PCM+avadmin:*:16777232:16777216:avadmin:/home/PCM/avadmin:/bin/false
PCM+admin:*:16777370:16777216:Admin:/home/PCM/admin:/bin/false
Once I run getent, authentication starts working again and I can log in for 5 or 10 minutes before it stops working again. Rerunning the getent passwd command fixes it time and time again, but only temporarily.
The Active Directory is very big, with thousands of users. My thought is that the query works as long as it's in the cache. Upon expiry it tries to auth from AD but times out, causing a logon failure. The getent command places the account in the cache, which causes it to work again until it expires once again.
Does anybody have ideas for a permanent fix?
Regards
Stef Bezuidenhout