[Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)

admin at ateamonsite.com admin at ateamonsite.com
Wed Oct 14 16:02:41 MDT 2009


Hi Jeremy,


> Sorry, didn't look too closely at your winbindd issue.
> winbindd will cache all information to allow disconnected
> operation (we made this work perfectly at SuSE), so there
> certainly shouldn't be a problem with a loss of connection to a DC.

I am sorry to report that I am in fact using SuSE, and this problem is very
easy to reproduce if I power off my AD domain, then wait (I guess) 10
minutes - then try and ssh to my Linux box. There is no way to log into the
box. 

If I am fortunate to have a terminal open already logged in, I cannot run
commands like "ls", "man", "getfacl" or many others. The machine is
useless until I "killall winbindd", then magically the system is back to
normal and commands are able to execute.
I looked at the init script for that version on SUSE for winbind and it is
running in cached mode.


If it helps to know, I have about 40000 user/group objects in the windows
2003 R2 AD (with 1 child domain) and I try and put as many acls as I can in
the filesystem permissions using setfacl for my cross platform filesystem
capability testing. I doubt this is the issue though, I just want you to be
informed in case some gotcha I don't know about exists for this scenario.
I have a nice server with plenty of ram and cpu oomph and a nice RAID setup
so I doubt it is that either.


I am hoping some light can be shed on this issue, so here is my smb.conf
and system info:



samba-3.2.7-11.2.1.x86_64
krb5-1.6.3-50.1.x86_64


openSUSE 11.0 (X86-64)
VERSION = 11.0




[global]
workgroup=qa2k3192
realm=QA2K3192.EDU
server string=HSA-PFX10101001 - 10.10.1.72
os level=24
domain master=no
local master=no
preferred master=yes
encrypt passwords=yes
level2 oplocks=yes
security=ads
password server=*
wins server=
inherit acls=yes
map acl inherit=yes
log file=/var/log/samba/log%m
dos filemode=yes
printing=BSD
printcap name = /dev/null
admin users = webadmin
username map = /etc/samba/smbusers
winbind enum users=no
winbind enum groups=no
map to guest = bad user
interfaces = eth2
disable spoolss = yes

idmap domains =  \
QA2K3192 \
QA2K3SUB192

#QA2K3192 S-1-5-21-937701456-36023052-1036737269
idmap config QA2K3192:backend = rid
idmap config QA2K3192:base_rid = 0
idmap config QA2K3192:range = 1000000 - 1999999

#QA2K3SUB192 S-1-5-21-3854371235-711543302-3856612158
idmap config QA2K3SUB192:backend = rid
idmap config QA2K3SUB192:base_rid = 0
idmap config QA2K3SUB192:range = 2000000 - 2999999

[company]
comment=foo
path=/cifs/company
writeable=yes
browseable=yes
hosts allow=
hosts deny=
inherit acls=yes
guest ok=no
force unknown acl user=no
valid users = @"QA2K3192\domain admins",@"QA2K3SUB192\domain admins",@QA2K3192\ladies
write list = @"QA2K3192\domain admins",@"QA2K3SUB192\domain admins",@QA2K3192\ladies
read list =




I desperately hope we can nail down this issue... it is giving me support
headaches when people change their networks then want to reconfigure the
samba server last.. catch 22!

Thank you again,
-Clayton






On Tue, 13 Oct 2009 21:14:30 -0700, Jeremy Allison <jra at samba.org> wrote:
> On Tue, Oct 13, 2009 at 08:10:56PM -0700, Clayton Hill wrote:
>> Thank you for the info Jeremy
>>
>> I think I will try EXT4 and see if I have better results then - also I
>> agree with you about streams - I just think some of my more foolish
>> clients won't.
>> Better just tell them "NO" firmly and then give them the example you
>> gave - ;-)
> 
> Well I'm not saying we won't support streams in Samba,
> we'll just have to do it by layering meta-data over
> the filesystem. We already have 2 vfs modules that
> implement this.
> 
>> Any workaround for the winbind problem I have? This to me is a very
>> serious problem and all I can think of for a solution is of making a
>> script that would ping the DC and if the connection to the DC was gone,
>> to kill winbind, then if the DC is back, start winbind back up.
>> Is this a good idea? It seems very very bad and hacky to me... I am
>> hoping with all my fingers crossed that you have a better solution!
> 
> Sorry, didn't look too closely at your winbindd issue.
> winbindd will cache all information to allow disconnected
> operation (we made this work perfectly at SuSE), so there
> certainly shouldn't be a problem with a loss of connection to a DC.
> 
> Jeremy.
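
Added example, not part of the original thread: a time-boxed probe that tells a hung winbindd apart from a lookup that merely fails, for the symptom reported above (logins and commands blocking until winbindd is killed). It assumes winbind is listed in /etc/nsswitch.conf (not shown in the post) and that coreutils timeout is installed; the function names and the id 1000500, picked inside the posted QA2K3192 range, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Requires coreutils timeout(1).

# probe SECONDS CMD [ARGS...] -> prints OK, FAIL, HANG or MISSING
probe() {
    limit=$1; shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo OK ;;
        124) echo HANG ;;      # timeout(1) had to kill the command
        127) echo MISSING ;;   # command is not installed
        *)   echo FAIL ;;      # returned quickly with an error
    esac
}

# diagnose LOCAL PING NSS -> one-line verdict from three probe results
diagnose() {
    local_r=$1; ping_r=$2; nss_r=$3
    if [ "$local_r" != OK ]; then
        echo "local lookup is $local_r: problem is not specific to winbind"
    elif [ "$ping_r" = HANG ] || [ "$nss_r" = HANG ]; then
        echo "winbindd is blocking callers: requests sent to it never return"
    elif [ "$ping_r" = OK ] && [ "$nss_r" = OK ]; then
        echo "winbindd answers: online or cached lookups work"
    else
        echo "winbindd path fails fast (ping=$ping_r nss=$nss_r)"
    fi
}

run_checks() {
    limit=${1:-5}
    domain_id=${2:-1000500}   # constructed id inside 1000000 - 1999999
    l=$(probe "$limit" getent passwd 0)             # root, served from files
    p=$(probe "$limit" wbinfo -p)                   # ping the winbindd daemon
    n=$(probe "$limit" getent passwd "$domain_id")  # lookup routed via NSS
    echo "local=$l ping=$p nss=$n"
    diagnose "$l" "$p" "$n"
}

# Run the checks only when invoked as: sh thisfile.sh run [seconds] [id]
if [ "${1:-}" = run ]; then
    run_checks "${2:-5}" "${3:-1000500}"
fi
```

Running it once with the DC reachable and again after the lockup starts shows whether the domain lookup moves from OK to HANG while the local lookup stays OK.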

