[Samba] Problem with samba as a member of AD with a trusted domain
Nathaniel Madura
nmadura at umich.edu
Fri Apr 13 09:17:05 MDT 2012
First, I am not sure if this is a problem with samba or a misconfiguration somewhere along the way in AD. Unfortunately, I am a little peon on a large campus who is trying to use samba, so I have to figure out how to make samba work with what is in place.
I am using samba 3.5.8 on Ubuntu 11.04.
Here is the issue: I have gotten Samba/Winbind to successfully communicate with AD and perform authentication and all that jazz. Then I started getting email messages about sending 700,000 requests a day to our DNS servers. So I started digging deeper. It appears that when winbindd starts up and searches the UMROOT domain, it finds a trusted domain (MPATHWAYS2). It then tries to track down MPATHWAYS2 and is unsuccessful; it receives an NT_STATUS_CONNECTION_REFUSED. Because it can't find the domain, it schedules a retry in 30 secs and then repeats the whole process. So every 30 seconds it is sending 500+ DNS requests to the server. (Isn't there a caching mechanism?) A small snippet from a tcpdump capture of the DNS requests is below.
I have found the variable 'winbind reconnect delay' which I can use to change the 30 secs into say 5 minutes, but it is only decreasing the number of requests, not really solving any problems. Is there any way for me to tell Samba not to look for MPATHWAYS2?
A full debug dump of what is repeated every reconnect attempt is at http://pastebin.com/A3GvYWRp
Thanks,
Nathaniel
-------------- DNS requests (http://pastebin.com/wqsij79H for all 500+ entries) -------------
10:35:16.081633 IP 10.224.53.248.56483 > dns.umich.edu.domain: 20669+ AAAA? itcs-dc01.umich.edu. (50)
10:35:16.082452 IP 10.224.53.248.59121 > dns.umich.edu.domain: 6691+ AAAA? itcs-dc01.umich.edu. (50)
10:35:16.083343 IP 10.224.53.248.42311 > dns.umich.edu.domain: 43846+ A? itcs-dc01.umich.edu. (50)
10:35:16.084457 IP 10.224.53.248.40043 > dns.umich.edu.domain: 3355+ AAAA? itcs-dc02.umich.edu. (50)
10:35:16.085337 IP 10.224.53.248.42704 > dns.umich.edu.domain: 17221+ AAAA? itcs-dc02.umich.edu. (50)
10:35:16.086085 IP 10.224.53.248.44859 > dns.umich.edu.domain: 8613+ A? itcs-dc02.umich.edu. (50)
10:35:16.087147 IP 10.224.53.248.43603 > dns.umich.edu.domain: 29799+ AAAA? itcs-dc03.umich.edu. (50)
10:35:16.088032 IP 10.224.53.248.34606 > dns.umich.edu.domain: 36522+ AAAA? itcs-dc03.umich.edu. (50)
10:35:16.088833 IP 10.224.53.248.34569 > dns.umich.edu.domain: 37501+ A? itcs-dc03.umich.edu. (50)
10:35:16.089942 IP 10.224.53.248.43461 > dns.umich.edu.domain: 14302+ AAAA? itcs-dc04.umich.edu. (50)
10:35:16.091454 IP 10.224.53.248.36589 > dns.umich.edu.domain: 41996+ AAAA? itcs-dc04.umich.edu. (50)
10:35:16.092592 IP 10.224.53.248.57894 > dns.umich.edu.domain: 38619+ A? itcs-dc04.umich.edu. (50)
10:35:16.096440 IP 10.224.53.248.38878 > dns.umich.edu.domain: 48760+ SRV? _kerberos-master._tcp.UMICH.EDU. (62)
-------------- cat /etc/samba/smb.conf --------------
[global]
workgroup = UMROOT
realm = UMICH.EDU
netbios name = TRI-BIO-PROFILE
server string = Biosciences Profile Server
interfaces = eth1, localhost
bind interfaces only = Yes
security = ADS
allow trusted domains = No
map to guest = Bad User
password server = itcs-dc01.umich.edu itcs-dc02.umich.edu itcs-dc03.umich.edu
restrict anonymous = 2
client NTLMv2 auth = Yes
syslog = 0
log file = /var/log/samba/log.%m
smb ports = 139
name resolve order = lmhosts wins host
dns proxy = No
wins server = 141.213.143.150, 141.213.238.150
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-60000
idmap gid = 10000-60000
template shell = /bin/bash
winbind reconnect delay = 300
winbind enum users = Yes
winbind enum groups = Yes
[ProfileStore]
comment = Users profiles
path = /shares/profiles
read only = No
create mask = 0600
strict locking = No
---
Nathaniel Madura
Engineer in Research
UMTRI - Biosciences Division
2901 Baxter Rd
Ann Arbor, MI 48109
W: 734-936-1109 F: 734-647-3330
nmadura at umich.edu
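
Added example, not part of the original post: a Python sketch that parses tcpdump DNS query lines in the format of the capture above, groups them into bursts, and reports identical queries repeated within a burst plus the interval between bursts. The function names are hypothetical, and the last two sample lines are constructed to stand in for the next retry cycle.

```python
import re
from collections import Counter
from datetime import datetime

# tcpdump line: "HH:MM:SS.us IP client.port > server.domain: id+ QTYPE? qname. (len)"
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.\d+ > \S+: \d+\+? (\w+)\? (\S+?)\.? \(\d+\)$")

def parse(lines):
    """Return [(timestamp, client, qtype, qname)] for each DNS query line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            out.append((ts, m.group(2), m.group(3), m.group(4).lower()))
    return out

def bursts(queries, gap_seconds=5.0):
    """Split time-ordered queries into bursts separated by more than gap_seconds."""
    groups = []
    for q in queries:
        if groups and (q[0] - groups[-1][-1][0]).total_seconds() <= gap_seconds:
            groups[-1].append(q)
        else:
            groups.append([q])
    return groups

def summarize(lines, gap_seconds=5.0):
    """Per burst: query count and (qtype, qname) pairs asked more than once."""
    groups = bursts(parse(lines), gap_seconds)
    report = []
    for g in groups:
        counts = Counter((qtype, qname) for _, _, qtype, qname in g)
        report.append({"start": g[0][0].strftime("%H:%M:%S"), "queries": len(g),
                       "repeated": {k: n for k, n in counts.items() if n > 1}})
    intervals = [(b[0][0] - a[0][0]).total_seconds() for a, b in zip(groups, groups[1:])]
    return report, intervals

# First three lines are from the capture above; the last two are constructed.
SAMPLE = """\
10:35:16.081633 IP 10.224.53.248.56483 > dns.umich.edu.domain: 20669+ AAAA? itcs-dc01.umich.edu. (50)
10:35:16.082452 IP 10.224.53.248.59121 > dns.umich.edu.domain: 6691+ AAAA? itcs-dc01.umich.edu. (50)
10:35:16.083343 IP 10.224.53.248.42311 > dns.umich.edu.domain: 43846+ A? itcs-dc01.umich.edu. (50)
10:35:46.081633 IP 10.224.53.248.51002 > dns.umich.edu.domain: 1111+ AAAA? itcs-dc01.umich.edu. (50)
10:35:46.082452 IP 10.224.53.248.51003 > dns.umich.edu.domain: 2222+ AAAA? itcs-dc01.umich.edu. (50)
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Intervals that cluster around the configured 'winbind reconnect delay' tie the query bursts to the winbindd retry cycle rather than to ordinary client lookups.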