[Samba] Samba 3.0.31 still fails to read and write to socket.

Jose Santiago Oyervides joseoyervides at gmail.com
Fri Aug 1 17:50:48 GMT 2008


Hi Jeremy,

I think it could be DNS resolution like you say, since this problem only
happens with accounts from other domains. I have had trouble in the past
getting DNS resolution to work, because this server also has a public
postfix server, so if I configured the internal DNS the external resolution
didn't work and vice versa. In order to cope with this issue I configured an
internal DNS server with both internal and external resolution and that
seemed to work.

If I ping the domain controllers from any other domain they respond very
fast, since I have all DCs in /etc/hosts and /etc/samba/lmhosts and in my
nsswitch.conf I have configured this:   hosts: files wins dns winbind and in
/etc/samba/smb.conf I have name resolve order=lmhosts wins bcast.

Would it help if I configured the IP address in my krb5.conf for all domains
instead of their name? Why is only krb5.conf.MYDOMAIN created in
/var/lib/samba/smb_krb5 and not the file for the other domains? Maybe this has
something to do...
Regards,
Jose Santiago Oyervides.

On Fri, Aug 1, 2008 at 12:19 PM, Jeremy Allison <jra at samba.org> wrote:

> On Fri, Aug 01, 2008 at 10:46:54AM -0500, Jose Santiago Oyervides wrote:
> > Hi,
> > I recently upgraded my servers from 3.0.28 to 3.0.31 trying to solve the
> > winbind issue previously reported (Bug# 5551) but the issue is still
> > happening in my servers.
> >
> > I have an ftp server (vsftpd), configured to use pam_winbind with krb5_auth
> > and I see some random disconnects and my users can't log in. My samba
> > servers are members of a Windows 2003 domain.
> >
> > The relevant lines in my log.wb-OTHERDOMAIN are saying that the write to the
> > socket failed because the connection was reset by peer. This also happened
> > on 3.0.28; I was hoping that 3.0.31 would fix this issue.
> >
> > I'm including my configuration and my log files. This happens only when
> > pam_winbind authenticates users of other domains. Sometimes it gets fixed
> > by itself because in my krb5.conf I have configured several domain
> > controllers for the other domains and it changes the connections to the
> > next server, but sometimes it gets stuck with one failed server and all my
> > users can't log in for a while.
>
> This is your problem :
>
> config [/var/lib/samba/smb_krb5/krb5.conf.MYDOMAIN]
> [2008/07/31 10:03:55, 10]
> nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(580)
>  got TGT for accountXYZ at OTHERDOMAIN.FORREST.COM in
> MEMORY:winbindd_pam_ccache (valid until: Thu, 31 Jul 2008 20:03:57 CDT
> (1217552637), renewable till: Thu, 31 Jul 2008 20:03:57 CDT
> (1217552617))
> [2008/07/31 10:04:05, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
>  ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
>
> Note the 30 second gap in timestamps.
>
> Looks like the call :
>
>        krb5_ret = cli_krb5_get_ticket(local_service,
>                                       time_offset,
>                                       &tkt,
>                                       &session_key_krb5,
>                                       0,
>                                       cc,
>                                       NULL);
>
> at line 604: in nsswitch/winbindd_pam.c is taking ages
> to contact a KDC. Do you have DNS resolution issues ?
>
> Jeremy.
>
>

