[Samba] winbind craps out, NT_STATUS_PIPE_BROKEN

Jay Sullivan jpspgd at rit.edu
Tue Apr 26 08:20:23 MDT 2011 

Good morning, Samba list.  =)

I've been experiencing intermittent winbind failures over the past few weeks.  The symptom is that users that haven't connected in a while, and thus aren't in the winbind cache, are unable to connect to any shares.  I see a lot of NT_STATUS_PIPE_BROKEN in the logs when the failures occur, like this one from log.winbind:
###
[2011/04/26 09:20:54.671225,  5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-1060284298-1450960922-725345543-818338: NT_STATUS_PIPE_BROKEN
###

At the same time, this is from log.somehostname:
###
[2011/04/26 09:17:30.597274,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [coolusername] -> [coolusername] FAILED with error NT_STATUS_NO_SUCH_USER
###

A few minutes later, I restarted winbind and everything was groovy again.

Users that are still cached seem to work fine, sometimes for hours.  It's only _some_ new connections that exhibit this problem.  Restarting winbindd fixes the issue 100% of the time.  I've tried to figure out how to 'detect' when winbind has crapped out on me, but wbinfo -tp, and net ads testjoin all return what would be expected.  Most of the time, `id username` works fine, too, for users that are most certainly not cached.

I also see a lot of noise in the logs about "more than 200 winbind connections, cleaning up idle connections".  This particular server usually has at least 400 client connections all the time, and a good chunk of those are rather active (distributed renderfarm).  I see that smb.conf will recognize "winbind max clients" in 3.6.  I also understand that I could change WINBINDD_MAX_SIMULTANEOUS_CLIENTS and recompile a new winbindd, but that's not an option for me for a few weeks.

Output from uname -a:
Linux cias-files 2.6.32-5-amd64 #1 SMP Mon Mar 7 21:35:22 UTC 2011 x86_64 GNU/Linux

I'm using Samba 3.5.6 on Debian Squeeze in ADS mode joined to a 2008R2 domain.  I'm using the RID idmap backend.

Any thoughts on how I can further troubleshoot/debug this problem?  Do you think that the 200 clients thing is an issue for me?

Thanks!

~Jay

--
Jay Sullivan
CIAS::RIT
jay.sullivan at rit.edu<mailto:jay.sullivan at rit.edu>

More information about the samba mailing list